Edit tour

Windows Analysis Report
ql8KpEHT7y.exe

Overview

General Information

Sample name:	ql8KpEHT7y.exe renamed because original name is a hash value
Original sample name:	ff114595667cf12d185e3e147290d41d4f91b8c2a065812741e540e99c2f0db0.exe
Analysis ID:	1587685
MD5:	43743091973b08e4265bb937d78d0522
SHA1:	142851ffb4aa49a41edb2bfb83d8459138582b27
SHA256:	ff114595667cf12d185e3e147290d41d4f91b8c2a065812741e540e99c2f0db0
Tags:	exeuser-adrian__luca
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Writes to foreign memory regions

Yara detected Generic Downloader

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

ql8KpEHT7y.exe (PID: 7556 cmdline: "C:\Users\user\Desktop\ql8KpEHT7y.exe" MD5: 43743091973B08E4265BB937D78D0522)

RegSvcs.exe (PID: 7704 cmdline: "C:\Users\user\Desktop\ql8KpEHT7y.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cmd.exe (PID: 7864 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 7924 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot8124248958:AAHHSH6MqAJrQq3xcmINDov2O7_xgCmxgPE/sendMessage?chat_id=5808310347", "Token": "8124248958:AAHHSH6MqAJrQq3xcmINDov2O7_xgCmxgPE", "Chat_id": "5808310347", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a3e:$a1: get_encryptedPassword 0x14d2a:$a2: get_encryptedUsername 0x1484a:$a3: get_timePasswordChanged 0x14945:$a4: get_passwordField 0x14a54:$a5: set_encryptedPassword 0x16115:$a7: get_logins 0x16078:$a10: KeyLoggerEventArgs 0x15ce3:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c3f6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b628:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba5b:$a4: \Orbitum\User Data\Default\Login Data 0x1ca9a:$a5: \Kometa\User Data\Default\Login Data
00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1564e:$s1: UnHook 0x15655:$s2: SetHook 0x1565d:$s3: CallNextHook 0x1566a:$s4: _hook
00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a40:$x1: $%SMTPDV$ 0x18424:$x2: $#TheHashHere%& 0x199e8:$x3: %FTPDV$ 0x183c4:$x4: $%TelegramDv$ 0x15ce3:$x5: KeyLoggerEventArgs 0x16078:$x5: KeyLoggerEventArgs 0x19a0c:$m2: Clipboard Logs ID 0x19c4a:$m2: Screenshot Logs ID 0x19d5a:$m2: keystroke Logs ID 0x1a034:$m3: SnakePW 0x19c22:$m4: \SnakeKeylogger\
00000003.00000002.1442240916.00000000026A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.1441052209.0000000000382000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1441052209.0000000000382000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.1441052209.0000000000382000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1483e:$a1: get_encryptedPassword 0x14b2a:$a2: get_encryptedUsername 0x1464a:$a3: get_timePasswordChanged 0x14745:$a4: get_passwordField 0x14854:$a5: set_encryptedPassword 0x15f15:$a7: get_logins 0x15e78:$a10: KeyLoggerEventArgs 0x15ae3:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.1441052209.0000000000382000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19840:$x1: $%SMTPDV$ 0x18224:$x2: $#TheHashHere%& 0x197e8:$x3: %FTPDV$ 0x181c4:$x4: $%TelegramDv$ 0x15ae3:$x5: KeyLoggerEventArgs 0x15e78:$x5: KeyLoggerEventArgs 0x1980c:$m2: Clipboard Logs ID 0x19a4a:$m2: Screenshot Logs ID 0x19b5a:$m2: keystroke Logs ID 0x19e34:$m3: SnakePW 0x19a22:$m4: \SnakeKeylogger\
Process Memory Space: ql8KpEHT7y.exe PID: 7556	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ql8KpEHT7y.exe PID: 7556	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: ql8KpEHT7y.exe PID: 7556	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xce6c37:$a1: get_encryptedPassword 0xce6f19:$a2: get_encryptedUsername 0xce6a4d:$a3: get_timePasswordChanged 0xce6b48:$a4: get_passwordField 0xce6c4d:$a5: set_encryptedPassword 0xce9124:$a7: get_logins 0xce9087:$a10: KeyLoggerEventArgs 0xce8cf2:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: ql8KpEHT7y.exe PID: 7556	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xce8cf2:$x5: KeyLoggerEventArgs 0xce9087:$x5: KeyLoggerEventArgs 0xce998e:$x5: KeyLoggerEventArgs 0xce9cef:$x5: KeyLoggerEventArgs 0xceb2b2:$m2: Clipboard Logs ID 0xceb3b8:$m2: Screenshot Logs ID 0xceb40e:$m2: keystroke Logs ID 0xceb543:$m3: SnakePW 0xceb3a4:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 7704	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7704	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 7704	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x37e65:$a1: get_encryptedPassword 0x38147:$a2: get_encryptedUsername 0x37c7b:$a3: get_timePasswordChanged 0x37d76:$a4: get_passwordField 0x37e7b:$a5: set_encryptedPassword 0x3a352:$a7: get_logins 0x3a2b5:$a10: KeyLoggerEventArgs 0x39f20:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7704	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x39f20:$x5: KeyLoggerEventArgs 0x3a2b5:$x5: KeyLoggerEventArgs 0x3abbc:$x5: KeyLoggerEventArgs 0x3af1d:$x5: KeyLoggerEventArgs 0x3c4e0:$m2: Clipboard Logs ID 0x3c5e6:$m2: Screenshot Logs ID 0x3c63c:$m2: keystroke Logs ID 0x3c771:$m3: SnakePW 0x3c5d2:$m4: \SnakeKeylogger\
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.ql8KpEHT7y.exe.3d40000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ql8KpEHT7y.exe.3d40000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.ql8KpEHT7y.exe.3d40000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.ql8KpEHT7y.exe.3d40000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a3e:$a1: get_encryptedPassword 0x14d2a:$a2: get_encryptedUsername 0x1484a:$a3: get_timePasswordChanged 0x14945:$a4: get_passwordField 0x14a54:$a5: set_encryptedPassword 0x16115:$a7: get_logins 0x16078:$a10: KeyLoggerEventArgs 0x15ce3:$a11: KeyLoggerEventArgsEventHandler
0.2.ql8KpEHT7y.exe.3d40000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c3f6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b628:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba5b:$a4: \Orbitum\User Data\Default\Login Data 0x1ca9a:$a5: \Kometa\User Data\Default\Login Data
0.2.ql8KpEHT7y.exe.3d40000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1564e:$s1: UnHook 0x15655:$s2: SetHook 0x1565d:$s3: CallNextHook 0x1566a:$s4: _hook
0.2.ql8KpEHT7y.exe.3d40000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a40:$x1: $%SMTPDV$ 0x18424:$x2: $#TheHashHere%& 0x199e8:$x3: %FTPDV$ 0x183c4:$x4: $%TelegramDv$ 0x15ce3:$x5: KeyLoggerEventArgs 0x16078:$x5: KeyLoggerEventArgs 0x19a0c:$m2: Clipboard Logs ID 0x19c4a:$m2: Screenshot Logs ID 0x19d5a:$m2: keystroke Logs ID 0x1a034:$m3: SnakePW 0x19c22:$m4: \SnakeKeylogger\
0.2.ql8KpEHT7y.exe.3d40000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ql8KpEHT7y.exe.3d40000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.ql8KpEHT7y.exe.3d40000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c3e:$a1: get_encryptedPassword 0x12f2a:$a2: get_encryptedUsername 0x12a4a:$a3: get_timePasswordChanged 0x12b45:$a4: get_passwordField 0x12c54:$a5: set_encryptedPassword 0x14315:$a7: get_logins 0x14278:$a10: KeyLoggerEventArgs 0x13ee3:$a11: KeyLoggerEventArgsEventHandler
0.2.ql8KpEHT7y.exe.3d40000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a5f6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19828:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c5b:$a4: \Orbitum\User Data\Default\Login Data 0x1ac9a:$a5: \Kometa\User Data\Default\Login Data
0.2.ql8KpEHT7y.exe.3d40000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1384e:$s1: UnHook 0x13855:$s2: SetHook 0x1385d:$s3: CallNextHook 0x1386a:$s4: _hook
0.2.ql8KpEHT7y.exe.3d40000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c40:$x1: $%SMTPDV$ 0x16624:$x2: $#TheHashHere%& 0x17be8:$x3: %FTPDV$ 0x165c4:$x4: $%TelegramDv$ 0x13ee3:$x5: KeyLoggerEventArgs 0x14278:$x5: KeyLoggerEventArgs 0x17c0c:$m2: Clipboard Logs ID 0x17e4a:$m2: Screenshot Logs ID 0x17f5a:$m2: keystroke Logs ID 0x18234:$m3: SnakePW 0x17e22:$m4: \SnakeKeylogger\
3.2.RegSvcs.exe.380000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.380000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.RegSvcs.exe.380000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
3.2.RegSvcs.exe.380000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a3e:$a1: get_encryptedPassword 0x14d2a:$a2: get_encryptedUsername 0x1484a:$a3: get_timePasswordChanged 0x14945:$a4: get_passwordField 0x14a54:$a5: set_encryptedPassword 0x16115:$a7: get_logins 0x16078:$a10: KeyLoggerEventArgs 0x15ce3:$a11: KeyLoggerEventArgsEventHandler
3.2.RegSvcs.exe.380000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c3f6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b628:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba5b:$a4: \Orbitum\User Data\Default\Login Data 0x1ca9a:$a5: \Kometa\User Data\Default\Login Data
3.2.RegSvcs.exe.380000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1564e:$s1: UnHook 0x15655:$s2: SetHook 0x1565d:$s3: CallNextHook 0x1566a:$s4: _hook
3.2.RegSvcs.exe.380000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a40:$x1: $%SMTPDV$ 0x18424:$x2: $#TheHashHere%& 0x199e8:$x3: %FTPDV$ 0x183c4:$x4: $%TelegramDv$ 0x15ce3:$x5: KeyLoggerEventArgs 0x16078:$x5: KeyLoggerEventArgs 0x19a0c:$m2: Clipboard Logs ID 0x19c4a:$m2: Screenshot Logs ID 0x19d5a:$m2: keystroke Logs ID 0x1a034:$m3: SnakePW 0x19c22:$m4: \SnakeKeylogger\
Click to see the 15 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T16:54:41.572056+0100	2803305	3	Unknown Traffic	192.168.2.7	49707	104.21.96.1	443	TCP
2025-01-10T16:54:42.845450+0100	2803305	3	Unknown Traffic	192.168.2.7	49718	104.21.96.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T16:54:39.875479+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49699	193.122.6.168	80	TCP
2025-01-10T16:54:40.984881+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49699	193.122.6.168	80	TCP
2025-01-10T16:54:42.282079+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49713	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000003.00000002.1442240916.00000000026A1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot8124248958:AAHHSH6MqAJrQq3xcmINDov2O7_xgCmxgPE/sendMessage?chat_id=5808310347", "Token": "8124248958:AAHHSH6MqAJrQq3xcmINDov2O7_xgCmxgPE", "Chat_id": "5808310347", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: ql8KpEHT7y.exe	Virustotal: Detection: 69%			Perma Link
Source: ql8KpEHT7y.exe	ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: ql8KpEHT7y.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: ql8KpEHT7y.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.7:49701 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: ql8KpEHT7y.exe, 00000000.00000003.1330996815.0000000003DA0000.00000004.00001000.00020000.00000000.sdmp, ql8KpEHT7y.exe, 00000000.00000003.1330310187.0000000003F10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ql8KpEHT7y.exe, 00000000.00000003.1330996815.0000000003DA0000.00000004.00001000.00020000.00000000.sdmp, ql8KpEHT7y.exe, 00000000.00000003.1330310187.0000000003F10000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_0079445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0079445A
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_0079C6D1 FindFirstFileW,FindClose,	0_2_0079C6D1
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_0079C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0079C75C
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_0079EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0079EF95
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_0079F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0079F0F2
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_0079F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0079F3F3
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_007937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007937EF
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_00793B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00793B12
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_0079BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0079BCBC

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.ql8KpEHT7y.exe.3d40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.7:61846 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49713 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49699 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49707 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49718 -> 104.21.96.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.7:49701 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_007A22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_007A22EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000003.00000002.1442240916.0000000002857000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.000000000280E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.000000000276D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002800000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002829000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002866000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000003.00000002.1442240916.0000000002857000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.000000000275E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.000000000280E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.000000000276D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.00000000027B0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002800000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002837000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002829000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002866000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000003.00000002.1442240916.00000000026A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: ql8KpEHT7y.exe, 00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1441052209.0000000000382000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000003.00000002.1442240916.0000000002857000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002785000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.000000000280E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002800000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002829000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002866000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000003.00000002.1442240916.00000000026A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000003.00000002.1442240916.0000000002857000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.000000000280E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.000000000276D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.00000000027B0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002800000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002829000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002866000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: ql8KpEHT7y.exe, 00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.000000000276D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1441052209.0000000000382000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000003.00000002.1442240916.0000000002866000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000003.00000002.1442240916.0000000002857000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.000000000280E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.00000000027B0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002800000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002829000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002866000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_007A4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_007A4164

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_007A4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_007A4164

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_007A3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_007A3F66

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_0079001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0079001C

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_007BCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_007BCABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.ql8KpEHT7y.exe.3d40000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.ql8KpEHT7y.exe.3d40000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.ql8KpEHT7y.exe.3d40000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.ql8KpEHT7y.exe.3d40000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.ql8KpEHT7y.exe.3d40000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.ql8KpEHT7y.exe.3d40000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.ql8KpEHT7y.exe.3d40000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.ql8KpEHT7y.exe.3d40000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.2.RegSvcs.exe.380000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.380000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.380000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.RegSvcs.exe.380000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.1441052209.0000000000382000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.1441052209.0000000000382000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: ql8KpEHT7y.exe PID: 7556, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: ql8KpEHT7y.exe PID: 7556, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 7704, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7704, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00733B3A
Source: ql8KpEHT7y.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: ql8KpEHT7y.exe, 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6e8f7663-3
Source: ql8KpEHT7y.exe, 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_17c69977-2
Source: ql8KpEHT7y.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8dc5017c-9
Source: ql8KpEHT7y.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_00c50f54-5

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_0079A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0079A1EF

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_00788310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00788310

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_007951BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_007951BD

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_0073E6A0	0_2_0073E6A0
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_0075D975	0_2_0075D975
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_0073FCE0	0_2_0073FCE0
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_007521C5	0_2_007521C5
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_007662D2	0_2_007662D2
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_007B03DA	0_2_007B03DA
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_0076242E	0_2_0076242E
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_007525FA	0_2_007525FA
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_0078E616	0_2_0078E616
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_007466E1	0_2_007466E1
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_0076878F	0_2_0076878F
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_007B0857	0_2_007B0857
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_00766844	0_2_00766844
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_00748808	0_2_00748808
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_00798889	0_2_00798889
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_0075CB21	0_2_0075CB21
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_00766DB6	0_2_00766DB6
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_00746F9E	0_2_00746F9E
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_00743030	0_2_00743030
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_0075F1D9	0_2_0075F1D9
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_00753187	0_2_00753187
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_00731287	0_2_00731287
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_00751484	0_2_00751484
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_00745520	0_2_00745520
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_00757696	0_2_00757696
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_00745760	0_2_00745760
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_00751978	0_2_00751978
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_00769AB5	0_2_00769AB5
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_007B7DDB	0_2_007B7DDB
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_0075BDA6	0_2_0075BDA6
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_00751D90	0_2_00751D90
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_0073DF00	0_2_0073DF00
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_00743FE0	0_2_00743FE0
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_01539338	0_2_01539338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0093C192	3_2_0093C192
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00936108	3_2_00936108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0093B328	3_2_0093B328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0093C470	3_2_0093C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00936730	3_2_00936730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0093C751	3_2_0093C751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00939858	3_2_00939858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00934AD9	3_2_00934AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0093CA31	3_2_0093CA31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0093BBD2	3_2_0093BBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0093BEB2	3_2_0093BEB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0093B4F2	3_2_0093B4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00933570	3_2_00933570

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: String function: 00750AE3 appears 70 times
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: String function: 00737DE1 appears 36 times
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: String function: 00758900 appears 42 times

Source: ql8KpEHT7y.exe, 00000000.00000003.1329909695.000000000403D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ql8KpEHT7y.exe
Source: ql8KpEHT7y.exe, 00000000.00000003.1330584786.0000000003EC3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ql8KpEHT7y.exe
Source: ql8KpEHT7y.exe, 00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs ql8KpEHT7y.exe

Source: ql8KpEHT7y.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.ql8KpEHT7y.exe.3d40000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.ql8KpEHT7y.exe.3d40000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ql8KpEHT7y.exe.3d40000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.ql8KpEHT7y.exe.3d40000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.ql8KpEHT7y.exe.3d40000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.ql8KpEHT7y.exe.3d40000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ql8KpEHT7y.exe.3d40000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.ql8KpEHT7y.exe.3d40000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.2.RegSvcs.exe.380000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.380000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.380000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.RegSvcs.exe.380000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.1441052209.0000000000382000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.1441052209.0000000000382000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: ql8KpEHT7y.exe PID: 7556, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: ql8KpEHT7y.exe PID: 7556, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 7704, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7704, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/3@2/2

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_0079A06A GetLastError,FormatMessageW,

0_2_0079A06A

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_007881CB AdjustTokenPrivileges,CloseHandle,		0_2_007881CB
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_007887E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_007887E1

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_0079B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0079B333

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_007AEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_007AEE0D

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_007A83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_007A83BB

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_00734E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00734E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7876:120:WilError_03

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

File created: C:\Users\user~1\AppData\Local\Temp\aut2938.tmp

Jump to behavior

Source: ql8KpEHT7y.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ql8KpEHT7y.exe	Virustotal: Detection: 69%
Source: ql8KpEHT7y.exe	ReversingLabs: Detection: 73%

Source: unknown	Process created: C:\Users\user\Desktop\ql8KpEHT7y.exe "C:\Users\user\Desktop\ql8KpEHT7y.exe"
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\ql8KpEHT7y.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\ql8KpEHT7y.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: ql8KpEHT7y.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ql8KpEHT7y.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ql8KpEHT7y.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ql8KpEHT7y.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ql8KpEHT7y.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ql8KpEHT7y.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ql8KpEHT7y.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: ql8KpEHT7y.exe, 00000000.00000003.1330996815.0000000003DA0000.00000004.00001000.00020000.00000000.sdmp, ql8KpEHT7y.exe, 00000000.00000003.1330310187.0000000003F10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ql8KpEHT7y.exe, 00000000.00000003.1330996815.0000000003DA0000.00000004.00001000.00020000.00000000.sdmp, ql8KpEHT7y.exe, 00000000.00000003.1330310187.0000000003F10000.00000004.00001000.00020000.00000000.sdmp

Source: ql8KpEHT7y.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ql8KpEHT7y.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ql8KpEHT7y.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ql8KpEHT7y.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ql8KpEHT7y.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_00734B37 LoadLibraryA,GetProcAddress,

0_2_00734B37

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_0073C4C7 push A30073BAh; retn 0073h		0_2_0073C50D
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_00758945 push ecx; ret		0_2_00758958

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_007348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_007348D7
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_007B5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_007B5376

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_00753187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00753187

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

API/Special instruction interceptor: Address: 1538F5C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599670	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598577	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598072	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597638	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597200	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594359	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7858			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1991			Jump to behavior

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-103474

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

API coverage: 4.6 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_0079445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0079445A
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_0079C6D1 FindFirstFileW,FindClose,	0_2_0079C6D1
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_0079C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0079C75C
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_0079EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0079EF95
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_0079F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0079F0F2
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_0079F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0079F3F3
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_007937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007937EF
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_00793B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00793B12
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_0079BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0079BCBC

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_007349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007349A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599670	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598577	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598072	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597638	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597200	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594359	Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.1441810434.0000000000999000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: RegSvcs.exe, 00000003.00000002.1443622746.0000000005C00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: RegSvcs.exe, 00000003.00000002.1443622746.0000000005C57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

API call chain: ExitProcess graph end node

graph_0-101281

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_007A3F09 BlockInput,

0_2_007A3F09

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_00733B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00733B3A

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_00765A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00765A7C

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_00734B37 LoadLibraryA,GetProcAddress,

0_2_00734B37

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_015391C8 mov eax, dword ptr fs:[00000030h]	0_2_015391C8
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_01539228 mov eax, dword ptr fs:[00000030h]	0_2_01539228
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_01537BB8 mov eax, dword ptr fs:[00000030h]	0_2_01537BB8

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_007880A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_007880A9

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_0075A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0075A155
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_0075A124 SetUnhandledExceptionFilter,		0_2_0075A124

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 596008

Jump to behavior

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_007887B1 LogonUserW,

0_2_007887B1

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_00733B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00733B3A

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_007348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_007348D7

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_00794C7F mouse_event,

0_2_00794C7F

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\ql8KpEHT7y.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_00787CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00787CAF

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_0078874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0078874B

Source: ql8KpEHT7y.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: ql8KpEHT7y.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_0075862B cpuid

0_2_0075862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_00764E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00764E87

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_00771E06 GetUserNameW,

0_2_00771E06

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_00763F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00763F3A

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe

Code function: 0_2_007349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007349A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.ql8KpEHT7y.exe.3d40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ql8KpEHT7y.exe.3d40000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1442240916.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1441052209.0000000000382000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ql8KpEHT7y.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7704, type: MEMORYSTR

Source: ql8KpEHT7y.exe	Binary or memory string: WIN_81
Source: ql8KpEHT7y.exe	Binary or memory string: WIN_XP
Source: ql8KpEHT7y.exe	Binary or memory string: WIN_XPe
Source: ql8KpEHT7y.exe	Binary or memory string: WIN_VISTA
Source: ql8KpEHT7y.exe	Binary or memory string: WIN_7
Source: ql8KpEHT7y.exe	Binary or memory string: WIN_8
Source: ql8KpEHT7y.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.ql8KpEHT7y.exe.3d40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ql8KpEHT7y.exe.3d40000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1441052209.0000000000382000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ql8KpEHT7y.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7704, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.ql8KpEHT7y.exe.3d40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ql8KpEHT7y.exe.3d40000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1442240916.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1441052209.0000000000382000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ql8KpEHT7y.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7704, type: MEMORYSTR

Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_007A6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_007A6283
Source: C:\Users\user\Desktop\ql8KpEHT7y.exe	Code function: 0_2_007A6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_007A6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	126 System Information Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ql8KpEHT7y.exe	69%	Virustotal		Browse
ql8KpEHT7y.exe	74%	ReversingLabs	Win32.Ransomware.SnakeKeylogger
ql8KpEHT7y.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.96.1	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org	RegSvcs.exe, 00000003.00000002.1442240916.0000000002857000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.000000000280E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.000000000276D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.00000000027B0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002800000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002829000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002866000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000003.00000002.1442240916.0000000002857000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.000000000275E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.000000000280E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.000000000276D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.00000000027B0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002800000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002837000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002829000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002866000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000003.00000002.1442240916.0000000002857000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.000000000280E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.000000000276D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002800000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002829000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002866000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000003.00000002.1442240916.00000000026A1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	ql8KpEHT7y.exe, 00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1441052209.0000000000382000.00000040.80000000.00040000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	RegSvcs.exe, 00000003.00000002.1442240916.0000000002857000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.000000000280E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.00000000027B0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002800000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002829000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002866000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000003.00000002.1442240916.0000000002857000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002785000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.000000000280E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002800000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002829000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.0000000002866000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	ql8KpEHT7y.exe, 00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1442240916.000000000276D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1441052209.0000000000382000.00000040.80000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false
104.21.96.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587685
Start date and time:	2025-01-10 16:53:36 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ql8KpEHT7y.exe renamed because original name is a hash value
Original Sample Name:	ff114595667cf12d185e3e147290d41d4f91b8c2a065812741e540e99c2f0db0.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/3@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 56 Number of non-executed functions: 272
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 7704 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:54:40	API Interceptor	80x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.122.6.168	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	ln5S7fIBkY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	checkip.dyndns.org/
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	INQUIRY.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
104.21.96.1	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	www.aonline.top/fqlg/
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	pelisplus.so/administrator/index.php
	Recibos.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	ln5S7fIBkY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	bd9Gvqt6AK.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
checkip.dyndns.com	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	ln5S7fIBkY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	bd9Gvqt6AK.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	ln5S7fIBkY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	bd9Gvqt6AK.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Salary Payment Information Discrepancy_pdf.pif.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
CLOUDFLARENETUS	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	https://cjerichmond.jimdosite.com/	Get hash	malicious	Unknown	Browse	162.159.128.70
	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	https://zfrmz.com/3GiGYUP4BArW2NBgkPU3	Get hash	malicious	Unknown	Browse	104.18.94.41
	Play_VM-NowTingrammAudiowav011.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://theleadking2435063.emlnk.com/lt.php?x=3DZy~GDHJaLL5a37-gxLhhGf13JRv_MkkPo2jHPMKXOh5XR.-Uy.xuO-2I2imNf	Get hash	malicious	Unknown	Browse	104.17.203.31
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	ln5S7fIBkY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.96.1
	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	bd9Gvqt6AK.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.353332853270839
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
MD5:	A4AF0F36EC4E0C69DC0F860C891E8BBE
SHA1:	28DD81A1EDDF71CBCBF86DA986E047279EF097CD
SHA-256:	B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
SHA-512:	A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e

C:\Users\user\AppData\Local\Temp\Clinton

Download File

Process:	C:\Users\user\Desktop\ql8KpEHT7y.exe
File Type:	data
Category:	modified
Size (bytes):	133632
Entropy (8bit):	6.932608312016454
Encrypted:	false
SSDEEP:	3072:edRnGACS/oVNptADg49nXOmvdL5p30DmJIE3+Ss:IJGyQP/xsnXt1Lz30D0IE3+/
MD5:	A615D2B638633BC0225DA1D26A7F424E
SHA1:	7DAE41E6E60A5C0B145286EF2D4D0864114CBEBD
SHA-256:	A4A7EC11F0BA2362E72266A3E701D8BBC55387050BD3F6D40F607106DD162B77
SHA-512:	D2CADDBD6E550475FE7490EB2A171C10F8E38A96094B22B716EFEF94E25DB8A5F4E72C824BB4D1E030989A417DC81A79D58FCD07A1F42704BC81195C5428CF74
Malicious:	false
Reputation:	low
Preview:	...FRLD3<67F..VU.GFFQLD3x67FJSVUXGFFQLD3867FJSVUXGFFQLD3867F.SVUVX.HQ.M...6..r.=14f6###AY[.%+=8:,g$#q>1]._Yf...u5("#.AI9.67FJSVU..FF.MG3... JSVUXGFF.LF237gFJ.WUXSFFQLD3.$5FJsVUXgDFQL.38.7FJQVU\GFFQLD3<67FJSVUX'DFQND3867FHS..XGVFQ\D386'FJCVUXGFFALD3867FJSVU.UDF.LD38.5F.CVUXGFFQLD3867FJSVUX.DF]LD3867FJSVUXGFFQLD3867FJSVUXGFFQLD3867FJSVUXGFFQLD38.7FBSVUXGFFQLD30.7F.SVUXGFFQLD3.BR>>SVU\.GFQlD38.6FJQVUXGFFQLD3867FjSV5v5542LD3.&7FJsTUXUFFQ.E3867FJSVUXGFF.LDs.DR*%0VUTGFFQ.F3847FJ[TUXGFFQLD3867F.SV.XGFFQLD3867FJSVU.UDFQLD3p67FHSSU.fGFa.D3;67F.SVS.gGF.LD3867FJSVUXGFFQLD3867FJSVUXGFFQLD3867FJSVU.:.I...ZK..FJSVUXFDEUJL;867FJSVU&GFF.LD3x67F}SVU}GFF<LD3.67F4SVU&GFF5LD3J67F+SVU.GFF>LD3V67F4SVUFEnfQLN..65nkSV_Xm.5sLD9.77FN uUXM.DQL@@.67L.PVU\4cFQF.78635lSV_.BFFUf.3;.!@JSM:aGFLQO.&>67]`uVWp}FF[Ln.85.SLSVNreFD.ED3<.a5WSVSp.FF[8M384.LJSR.FEn.QLN..H'FJW}Ure8WQL@.8..8XSVQsGld/_D3<.7lh-BUXCmF{RF.,67B`q(@XGBmQffM.67BaS\|w&PFFUgD.&4.QJSR.^m$F#uX3H5X.JSP}.GFLy,D3>6.\|J-vUXCD).LD9..iFH{UTXMFDR1r3825B7dVU\m.FS7}3

C:\Users\user\AppData\Local\Temp\aut2938.tmp

Download File

Process:	C:\Users\user\Desktop\ql8KpEHT7y.exe
File Type:	data
Category:	dropped
Size (bytes):	86370
Entropy (8bit):	7.7919151046487425
Encrypted:	false
SSDEEP:	1536:j+IrG5me35T5cvaAG9S+er3udIPv2EucI4UtY58VSKax2c8GeCpFC1NLuiJIoooO:j+Iq5jFSCAhFudMNuz058VS2c+Cpu4iQ
MD5:	ECC6E205FBAB5071B4B953492B5EDA3B
SHA1:	148221ED6C648D91CAB679620077D240A713A084
SHA-256:	6983644925E866341C4ED520A84B69D4D8F0C5841E6DB40A3E2D6F125C344737
SHA-512:	937ACF682D0A3167B995C8B847C72CB64BFC8FB94BBD6F1C7DB5FB957172575AC70A18A3A0817E3017A932C3647D18323EAA35129DD5737863C844D785DF5A5A
Malicious:	false
Reputation:	low
Preview:	EA06......z.j.2.3.M..m...U.Q..j...x..)U:.V..!..........".....8.+.r.Of3K4.G#..k5...W=.N..y$..>..c.......f.....A..c....@..h.6.3.......li.i..og.R..z.b...4.kF.\...=..@.L..`...V...$3<.......Pb.S.t+.z...\..d.jU.........J4h.A.Mh.Z......Q.. .P....@P..;0.. @...P.S....\.Q...`....h@...T..[..k4....y0..s.Uk.P..uE.p."4.%.-D.J....V....(.9........>.UN....... ...p.0.u^..F..h.9.....y.=.......s..'...V.y.@..(.J-V.L...jL.`E..3}../.....@..f..........V. G......V. ...n.Ti...zm5.Z.uj.b....I..o7.S..Z.b..Ti.....L.T.X....Q.q&..kl.0;.5..f.L.\|....S..4z52.O.I..i.v.u.U...5..L.Eg.^MN.S.S.VZ5..E.`#...\.@.A....4....)U:...@..H1.@..W..nVY.\...N#.Y.b.V.....$....Gf..D..U.P.k.J...M..+..Q@.Q.V...M........&..P.z$fM4..@....IF..k.:D..T......y.Q&s.v.J....$.l..G...5".U.V).j%Jcr..&SZ.....[b.j.... G.....o...4`..?\|.T.....F..........5t.&..N.....".+..P...2.......VQ8..k...q<.I.(..:u$.Ti.&..i;..x.+...).p#..P..6.0/v.$.wK.....jy..0-.8.RkE...(...U.. .....0.....kTI.4.@....P..~.[l... ...J;`*..Q..]...y.U.\|...F.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.908430804014602
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ql8KpEHT7y.exe
File size:	999'424 bytes
MD5:	43743091973b08e4265bb937d78d0522
SHA1:	142851ffb4aa49a41edb2bfb83d8459138582b27
SHA256:	ff114595667cf12d185e3e147290d41d4f91b8c2a065812741e540e99c2f0db0
SHA512:	9745ba5fdf5bb77c8ce1350a8e18e4e6fce73d8084a3b1f1db26cbdbf8b63a6cabe16de80227f93496c4eb13bac6795b2daf9af696f5da3f63983bf3dfb8c275
SSDEEP:	24576:1u6J33O0c+JY5UZ+XC0kGso6FaPX+8n5QU2PvhfWY:Xu0c++OCvkGs9FaPTuTEY
TLSH:	3B25BE2273DDC360CB669173BF6AB7016EBF7C614630B85B2F980D7DA950162162C7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675AC730 [Thu Dec 12 11:21:20 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FAE3C83D13Ah
jmp 00007FAE3C82FF04h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FAE3C83008Ah
cmp edi, eax
jc 00007FAE3C8303EEh
bt dword ptr [004C31FCh], 01h
jnc 00007FAE3C830089h
rep movsb
jmp 00007FAE3C83039Ch
cmp ecx, 00000080h
jc 00007FAE3C830254h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FAE3C830090h
bt dword ptr [004BE324h], 01h
jc 00007FAE3C830560h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FAE3C83022Dh
test edi, 00000003h
jne 00007FAE3C83023Eh
test esi, 00000003h
jne 00007FAE3C83021Dh
bt edi, 02h
jnc 00007FAE3C83008Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FAE3C830093h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FAE3C8300E5h
bt esi, 03h
jnc 00007FAE3C830138h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x2b7f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf3000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x2b7f0	0x2b800	21ab27ad2b88db00e9a3fbc047624a1d	False	0.8489302711925287	data	7.685139369037866	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf3000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x22ab5	data			1.0003591422837224
RT_GROUP_ICON	0xf2270	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xf22e8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xf22fc	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xf2310	0x14	data	English	Great Britain	1.25
RT_VERSION	0xf2324	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xf2400	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T16:54:39.875479+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49699	193.122.6.168	80	TCP
2025-01-10T16:54:40.984881+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49699	193.122.6.168	80	TCP
2025-01-10T16:54:41.572056+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49707	104.21.96.1	443	TCP
2025-01-10T16:54:42.282079+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49713	193.122.6.168	80	TCP
2025-01-10T16:54:42.845450+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49718	104.21.96.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 16:54:38.968405962 CET	49699	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:38.973287106 CET	80	49699	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:38.973367929 CET	49699	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:38.973555088 CET	49699	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:38.978328943 CET	80	49699	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:39.605377913 CET	80	49699	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:39.645133972 CET	49699	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:39.650083065 CET	80	49699	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:39.832747936 CET	80	49699	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:39.875478983 CET	49699	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:40.084707975 CET	49701	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:40.084742069 CET	443	49701	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:40.084796906 CET	49701	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:40.093441963 CET	49701	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:40.093475103 CET	443	49701	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:40.550818920 CET	443	49701	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:40.550894022 CET	49701	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:40.555757046 CET	49701	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:40.555772066 CET	443	49701	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:40.556034088 CET	443	49701	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:40.609581947 CET	49701	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:40.655334949 CET	443	49701	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:40.745663881 CET	443	49701	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:40.745727062 CET	443	49701	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:40.745768070 CET	49701	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:40.752484083 CET	49701	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:40.756073952 CET	49699	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:40.760996103 CET	80	49699	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:40.941092968 CET	80	49699	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:40.944344997 CET	49707	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:40.944370985 CET	443	49707	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:40.944437981 CET	49707	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:40.945137978 CET	49707	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:40.945152044 CET	443	49707	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:40.984880924 CET	49699	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:41.409259081 CET	443	49707	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:41.411478043 CET	49707	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:41.411514044 CET	443	49707	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:41.572038889 CET	443	49707	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:41.572108984 CET	443	49707	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:41.572160006 CET	49707	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:41.572683096 CET	49707	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:41.575952053 CET	49699	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:41.577116966 CET	49713	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:41.580998898 CET	80	49699	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:41.581075907 CET	49699	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:41.581922054 CET	80	49713	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:41.582166910 CET	49713	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:41.582261086 CET	49713	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:41.587064981 CET	80	49713	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:42.232321978 CET	80	49713	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:42.233644962 CET	49718	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:42.233699083 CET	443	49718	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:42.233874083 CET	49718	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:42.234307051 CET	49718	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:42.234321117 CET	443	49718	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:42.282078981 CET	49713	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:42.689554930 CET	443	49718	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:42.734885931 CET	49718	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:42.737840891 CET	49718	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:42.737852097 CET	443	49718	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:42.845474005 CET	443	49718	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:42.845529079 CET	443	49718	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:42.845590115 CET	49718	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:42.849787951 CET	49718	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:42.893723965 CET	49723	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:42.898667097 CET	80	49723	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:42.898752928 CET	49723	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:42.898921013 CET	49723	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:42.903697014 CET	80	49723	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:43.543253899 CET	80	49723	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:43.544478893 CET	49726	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:43.544502020 CET	443	49726	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:43.544553995 CET	49726	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:43.544773102 CET	49726	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:43.544784069 CET	443	49726	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:43.594279051 CET	49723	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:44.022464991 CET	443	49726	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:44.024101973 CET	49726	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:44.024121046 CET	443	49726	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:44.177463055 CET	443	49726	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:44.177525043 CET	443	49726	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:44.177594900 CET	49726	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:44.177968025 CET	49726	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:44.181224108 CET	49723	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:44.182029963 CET	49731	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:44.186250925 CET	80	49723	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:44.186304092 CET	49723	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:44.186880112 CET	80	49731	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:44.186965942 CET	49731	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:44.187041998 CET	49731	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:44.191852093 CET	80	49731	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:44.853601933 CET	80	49731	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:44.854788065 CET	49737	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:44.854826927 CET	443	49737	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:44.854909897 CET	49737	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:44.855154037 CET	49737	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:44.855160952 CET	443	49737	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:44.906996012 CET	49731	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:45.376512051 CET	443	49737	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:45.378300905 CET	49737	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:45.378324032 CET	443	49737	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:45.685159922 CET	443	49737	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:45.685311079 CET	443	49737	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:45.685375929 CET	49737	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:45.685729027 CET	49737	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:45.688908100 CET	49731	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:45.689841986 CET	49743	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:45.693943024 CET	80	49731	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:45.694004059 CET	49731	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:45.694642067 CET	80	49743	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:45.694704056 CET	49743	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:45.694782972 CET	49743	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:45.699557066 CET	80	49743	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:46.321038008 CET	80	49743	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:46.322819948 CET	49749	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:46.322854042 CET	443	49749	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:46.322912931 CET	49749	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:46.323189974 CET	49749	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:46.323200941 CET	443	49749	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:46.375505924 CET	49743	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:46.810283899 CET	443	49749	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:46.812155008 CET	49749	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:46.812195063 CET	443	49749	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:46.962443113 CET	443	49749	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:46.962589025 CET	443	49749	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:46.962775946 CET	49749	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:46.962958097 CET	49749	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:46.966228962 CET	49743	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:46.967571020 CET	49755	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:46.971657038 CET	80	49743	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:46.971860886 CET	49743	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:46.972361088 CET	80	49755	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:46.972433090 CET	49755	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:46.972734928 CET	49755	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:46.977514029 CET	80	49755	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:47.598622084 CET	80	49755	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:47.599904060 CET	49761	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:47.599929094 CET	443	49761	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:47.600116014 CET	49761	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:47.600258112 CET	49761	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:47.600277901 CET	443	49761	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:47.641160011 CET	49755	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:48.095913887 CET	443	49761	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:48.097446918 CET	49761	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:48.097487926 CET	443	49761	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:48.273117065 CET	443	49761	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:48.273236036 CET	443	49761	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:48.273332119 CET	49761	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:48.273955107 CET	49761	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:48.277293921 CET	49755	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:48.278152943 CET	49762	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:48.282300949 CET	80	49755	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:48.282346010 CET	49755	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:48.283015966 CET	80	49762	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:48.283077002 CET	49762	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:48.283160925 CET	49762	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:48.287913084 CET	80	49762	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:48.909302950 CET	80	49762	193.122.6.168	192.168.2.7
Jan 10, 2025 16:54:48.910456896 CET	49768	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:48.910502911 CET	443	49768	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:48.910676956 CET	49768	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:48.910797119 CET	49768	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:48.910804987 CET	443	49768	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:48.953803062 CET	49762	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:49.411873102 CET	443	49768	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:49.413873911 CET	49768	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:49.413903952 CET	443	49768	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:49.548676014 CET	443	49768	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:49.548762083 CET	443	49768	104.21.96.1	192.168.2.7
Jan 10, 2025 16:54:49.548801899 CET	49768	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:49.549215078 CET	49768	443	192.168.2.7	104.21.96.1
Jan 10, 2025 16:54:49.710917950 CET	49762	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:54:49.711040974 CET	49713	80	192.168.2.7	193.122.6.168
Jan 10, 2025 16:55:18.030302048 CET	61846	53	192.168.2.7	162.159.36.2
Jan 10, 2025 16:55:18.035152912 CET	53	61846	162.159.36.2	192.168.2.7
Jan 10, 2025 16:55:18.037659883 CET	61846	53	192.168.2.7	162.159.36.2
Jan 10, 2025 16:55:18.042608976 CET	53	61846	162.159.36.2	192.168.2.7
Jan 10, 2025 16:55:18.494337082 CET	61846	53	192.168.2.7	162.159.36.2
Jan 10, 2025 16:55:18.499351025 CET	53	61846	162.159.36.2	192.168.2.7
Jan 10, 2025 16:55:18.499414921 CET	61846	53	192.168.2.7	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 16:54:38.954471111 CET	51058	53	192.168.2.7	1.1.1.1
Jan 10, 2025 16:54:38.962177992 CET	53	51058	1.1.1.1	192.168.2.7
Jan 10, 2025 16:54:40.076847076 CET	51186	53	192.168.2.7	1.1.1.1
Jan 10, 2025 16:54:40.083899021 CET	53	51186	1.1.1.1	192.168.2.7
Jan 10, 2025 16:55:18.024480104 CET	53	64487	162.159.36.2	192.168.2.7
Jan 10, 2025 16:55:18.524374008 CET	53	59171	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 16:54:38.954471111 CET	192.168.2.7	1.1.1.1	0x51dc	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:54:40.076847076 CET	192.168.2.7	1.1.1.1	0x4a27	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 16:54:38.962177992 CET	1.1.1.1	192.168.2.7	0x51dc	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 16:54:38.962177992 CET	1.1.1.1	192.168.2.7	0x51dc	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:54:38.962177992 CET	1.1.1.1	192.168.2.7	0x51dc	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:54:38.962177992 CET	1.1.1.1	192.168.2.7	0x51dc	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:54:38.962177992 CET	1.1.1.1	192.168.2.7	0x51dc	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:54:38.962177992 CET	1.1.1.1	192.168.2.7	0x51dc	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:54:40.083899021 CET	1.1.1.1	192.168.2.7	0x4a27	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:54:40.083899021 CET	1.1.1.1	192.168.2.7	0x4a27	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:54:40.083899021 CET	1.1.1.1	192.168.2.7	0x4a27	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:54:40.083899021 CET	1.1.1.1	192.168.2.7	0x4a27	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:54:40.083899021 CET	1.1.1.1	192.168.2.7	0x4a27	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:54:40.083899021 CET	1.1.1.1	192.168.2.7	0x4a27	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:54:40.083899021 CET	1.1.1.1	192.168.2.7	0x4a27	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	193.122.6.168	80	7704	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:54:38.973555088 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 16:54:39.605377913 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:54:39 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 16:54:39.645133972 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 16:54:39.832747936 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:54:39 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 16:54:40.756073952 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 16:54:40.941092968 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:54:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49713	193.122.6.168	80	7704	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:54:41.582261086 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 16:54:42.232321978 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:54:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49723	193.122.6.168	80	7704	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:54:42.898921013 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 16:54:43.543253899 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:54:43 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49731	193.122.6.168	80	7704	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:54:44.187041998 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 16:54:44.853601933 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:54:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49743	193.122.6.168	80	7704	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:54:45.694782972 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 16:54:46.321038008 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:54:46 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49755	193.122.6.168	80	7704	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:54:46.972734928 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 16:54:47.598622084 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:54:47 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49762	193.122.6.168	80	7704	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:54:48.283160925 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 16:54:48.909302950 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:54:48 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49701	104.21.96.1	443	7704	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:54:40 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 15:54:40 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:54:40 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839269 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9zC7I8tYDdfBTkOFbY99T789KY7PkStKT6BcGwoXupeVJ0Pt7CBjW%2FYvMFCla8KOQ9%2FqOBue6JcCMEA3u9EvSmNnoZHJei26Po1fgWeCt64s4tUYcbN7va34tivKkcd3xtWv9DAa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdd8d428cb42c0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1776&min_rtt=1774&rtt_var=667&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=699&delivery_rate=1645997&cwnd=212&unsent_bytes=0&cid=252a1d9e24f690d0&ts=206&x=0"
2025-01-10 15:54:40 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49707	104.21.96.1	443	7704	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:54:41 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 15:54:41 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:54:41 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839270 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wk6EiAaj9nlpOg%2Bh9WeZz6FOirPg6czVk8rI7XsNjTdCC%2BlI090bm9s1tESnUJtSpRwzz%2FEQ1BjRnZgH9d0V%2BCYzHJt6OttYJbs7I4%2Bj7QF4WvodLsWg0nysvP8c1O8f1bt%2FeuTy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdd8d96f6142c0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1718&min_rtt=1716&rtt_var=647&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1685912&cwnd=212&unsent_bytes=0&cid=1e48dc6010352bd8&ts=169&x=0"
2025-01-10 15:54:41 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49718	104.21.96.1	443	7704	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:54:42 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 15:54:42 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:54:42 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839271 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A3OVL%2FHVsc2buxZYzbHQ%2BlATVASsUi6a9%2FBVBK2oIUbpiMGIaNKDm1hKvrFie0tRSXa1IE4BJN8YHbsuF3G0NjlBqMaHXGNbKjEfIOMbqzHosq3D%2Fa2QMzszX7l%2Fhl%2BryL8DNNl9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdd8e178f0c32e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1790&min_rtt=1669&rtt_var=712&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1749550&cwnd=178&unsent_bytes=0&cid=2ed2a8490ef9f6ca&ts=159&x=0"
2025-01-10 15:54:42 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49726	104.21.96.1	443	7704	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:54:44 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 15:54:44 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:54:44 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839273 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W0AvlItU4JgoXBceRkM8p5cc64Zf52HrSaOLJd%2BBIJs4QdcfU%2F2r%2BNNOdnkKdPlJihhLM2vzPxe1YPMShAq0QAV7O0dqagJ2DQuyO6hx7lonUZQo%2FOn%2FSbbq1OQS%2BcEbsQaipahs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdd8e9ad021a48-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2015&min_rtt=1995&rtt_var=790&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1350601&cwnd=157&unsent_bytes=0&cid=73f4ba083810b821&ts=162&x=0"
2025-01-10 15:54:44 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49737	104.21.96.1	443	7704	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:54:45 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 15:54:45 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:54:45 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839274 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jaj7gnwSlO6%2B2O6ZWZYuGHdQgD%2BvyjhOhRfxmH9G2OiqGq4qan7ZTtFPgLeg%2BkVSuoLPw1I5I%2Fckm7fffo6Wxkw7OnMWkWFF68Jv59i0y%2F3joP0YPBRa0DwBlAGMeB0aXus3fvmM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdd8f23876de9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3218&min_rtt=3218&rtt_var=1609&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4236&recv_bytes=699&delivery_rate=247877&cwnd=209&unsent_bytes=0&cid=19729e99ee33af6f&ts=165&x=0"
2025-01-10 15:54:45 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49749	104.21.96.1	443	7704	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:54:46 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 15:54:46 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:54:46 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839276 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YcA28ZO21p5jRPOIRITPgBnwQcFAg%2FtWGZm3zmmiEXduDmYPIl%2F%2FhKP7rK5GNXsIyGy%2FHK89NmOPNrWJvcKx1banzv%2FaW%2B3mTkdi06VQqSwPSZWWqP181SiN6SKVbphE7efhtzb8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdd8fb2974de9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1593&min_rtt=1584&rtt_var=601&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1843434&cwnd=209&unsent_bytes=0&cid=9dfdaf55d9f075c5&ts=159&x=0"
2025-01-10 15:54:46 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49761	104.21.96.1	443	7704	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:54:48 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 15:54:48 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:54:48 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839277 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HEW%2Fefktys9SgxwsAgQoNQMCQOcMN%2B7IxK5nIW4CdRGedAmvtFfAkB1l5QOv0twYl71necniP06rMz7sPUa%2FwuaTAOeUqt4DnCJ0Y%2BgzJRvRBjWIGtVkdt8Z076jTDueWoTRZXgA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdd90329ee1a48-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1978&min_rtt=1958&rtt_var=775&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1375412&cwnd=157&unsent_bytes=0&cid=4665c178e2387498&ts=165&x=0"
2025-01-10 15:54:48 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49768	104.21.96.1	443	7704	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:54:49 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 15:54:49 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:54:49 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839278 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7BXhib2SLrQLPUsrcmLMTJJXOncVbcnzf%2FSVfJmnSfSneBXFUqFewnISW1H%2FD%2FTJnsrgHKZzjUZ6TrJKqf9%2FdKUsXwZD0eQ2UJYLf8T2KYI%2Bvc%2B8qvA4SfeQseYtkIBySvkF95d6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffdd90b5fe8de9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1651&min_rtt=1639&rtt_var=638&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1682997&cwnd=209&unsent_bytes=0&cid=631bbb1bd1c86ddd&ts=143&x=0"
2025-01-10 15:54:49 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	10:54:34
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\ql8KpEHT7y.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ql8KpEHT7y.exe"
Imagebase:	0x730000
File size:	999'424 bytes
MD5 hash:	43743091973B08E4265BB937D78D0522
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1334886066.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:54:37
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ql8KpEHT7y.exe"
Imagebase:	0x2b0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.1442240916.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1441052209.0000000000382000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.1441052209.0000000000382000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.1441052209.0000000000382000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000003.00000002.1441052209.0000000000382000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:54:49
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:54:49
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:54:49
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x2c0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	1.3%
Signature Coverage:	8.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	63

Executed Functions

Function 00733B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00733B68
IsDebuggerPresent.KERNEL32 ref: 00733B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,007F52F8,007F52E0,?,?), ref: 00733BEB

Part of subcall function 00737BCC: _memmove.LIBCMT ref: 00737C06

Part of subcall function 0074092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00733C14,007F52F8,?,?,?), ref: 0074096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00733C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,007E7770,00000010), ref: 0076D281
SetCurrentDirectoryW.KERNEL32(?,007F52F8,?,?,?), ref: 0076D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,007E4260,007F52F8,?,?,?), ref: 0076D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0076D346

Part of subcall function 00733A46: GetSysColorBrush.USER32(0000000F), ref: 00733A50
Part of subcall function 00733A46: LoadCursorW.USER32(00000000,00007F00), ref: 00733A5F
Part of subcall function 00733A46: LoadIconW.USER32(00000063), ref: 00733A76
Part of subcall function 00733A46: LoadIconW.USER32(000000A4), ref: 00733A88
Part of subcall function 00733A46: LoadIconW.USER32(000000A2), ref: 00733A9A
Part of subcall function 00733A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00733AC0
Part of subcall function 00733A46: RegisterClassExW.USER32(?), ref: 00733B16

Part of subcall function 007339D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00733A03
Part of subcall function 007339D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00733A24
Part of subcall function 007339D5: ShowWindow.USER32(00000000,?,?), ref: 00733A38
Part of subcall function 007339D5: ShowWindow.USER32(00000000,?,?), ref: 00733A41

Part of subcall function 0073434A: _memset.LIBCMT ref: 00734370
Part of subcall function 0073434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00734415

Strings

runas, xrefs: 0076D33A
This is a third-party compiled AutoIt script., xrefs: 0076D279
%|, xrefs: 00733C44

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%|
API String ID: 529118366-4059233762
Opcode ID: 84780bc5579f330327e21ca1d68ad4816f3dfdfc6947099b0442dce79dd8e024
Instruction ID: 4ee4fcf1469e152b6b83780822831f1cc4c97776ebbbd4c4869449543cded38c
Opcode Fuzzy Hash: 84780bc5579f330327e21ca1d68ad4816f3dfdfc6947099b0442dce79dd8e024
Instruction Fuzzy Hash: D051D6B1E08148EEEB25EBB4DC09EFD7B78BF04700F008165F651A62A3DA7C5645CB25

Function 007349A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 007349CD

Part of subcall function 00737BCC: _memmove.LIBCMT ref: 00737C06

GetCurrentProcess.KERNEL32(?,007BFAEC,00000000,00000000,?), ref: 00734A9A
IsWow64Process.KERNEL32(00000000), ref: 00734AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00734AE7
FreeLibrary.KERNEL32(00000000), ref: 00734AF2
GetSystemInfo.KERNEL32(00000000), ref: 00734B23
GetSystemInfo.KERNEL32(00000000), ref: 00734B2F

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 1a369436e848a6ccf17ab6d8f710f81d526d5367b7dc2fcc5897b0f0152dc619
Instruction ID: daa41986e9e997ff34f2491e37883bc0259a331607a4edfb3fa5a0c4812e31e0
Opcode Fuzzy Hash: 1a369436e848a6ccf17ab6d8f710f81d526d5367b7dc2fcc5897b0f0152dc619
Instruction Fuzzy Hash: 6E91D5319897C5DED735CB7888545AAFFF5AF2A300F448A6DD0C793A02D228B908C75E

Function 00734E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00734D8E,?,?,00000000,00000000), ref: 00734E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00734D8E,?,?,00000000,00000000), ref: 00734EB0
LoadResource.KERNEL32(?,00000000,?,?,00734D8E,?,?,00000000,00000000,?,?,?,?,?,?,00734E2F), ref: 0076D937
SizeofResource.KERNEL32(?,00000000,?,?,00734D8E,?,?,00000000,00000000,?,?,?,?,?,?,00734E2F), ref: 0076D94C
LockResource.KERNEL32(00734D8E,?,?,00734D8E,?,?,00000000,00000000,?,?,?,?,?,?,00734E2F,00000000), ref: 0076D95F

Strings

SCRIPT, xrefs: 00734EA6

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 76f2c0ba266d409222d2fde68e72076d2d3bd64928ddc47726a45e6bc5ddf446
Instruction ID: e6cd226906c83dd49a3b76b505fe0eb70ff76f8c75abe106e960c9d183459876
Opcode Fuzzy Hash: 76f2c0ba266d409222d2fde68e72076d2d3bd64928ddc47726a45e6bc5ddf446
Instruction Fuzzy Hash: 04115A75240700BFE7258B65EC48F6B7BBAFBC5B11F208268F446D6250DB65EC008A60

Function 0073FCE0 Relevance: 8.0, APIs: 3, Strings: 1, Instructions: 1040COMMON

Download Yara Rule

Strings

%|, xrefs: 0073FCF3

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: BuffCharUpper
String ID: %|
API String ID: 3964851224-1433500012
Opcode ID: b95b9f29338596e6ddf1316f50ef309862d7c81a3ceffb6a5ee535d5697ee3ff
Instruction ID: b5a3855b11b49a50fb4dbef646338667867b080ccd3e60c4d60a36e455faf11a
Opcode Fuzzy Hash: b95b9f29338596e6ddf1316f50ef309862d7c81a3ceffb6a5ee535d5697ee3ff
Instruction Fuzzy Hash: D6928B70608341DFDB20DF24C484B2AB7E1BF85344F15892DE99A9B362D779EC45CB92

Function 0079445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0076E398), ref: 0079446A
FindFirstFileW.KERNELBASE(?,?), ref: 0079447B
FindClose.KERNEL32(00000000), ref: 0079448B

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: fc9edaf2b44ec5e4ab54139f53209fb8a7a34054a3d3e8c450b5dc3401948bda
Instruction ID: 2864c79e184326cf04cce318691af1e78c2b1528eba020070064c3574d34baa5
Opcode Fuzzy Hash: fc9edaf2b44ec5e4ab54139f53209fb8a7a34054a3d3e8c450b5dc3401948bda
Instruction Fuzzy Hash: 58E0D8324105406746146B38FC0DDED779CAE05735F104715F835C21E0E77C59009599

Function 0073E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00773E62

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 1d34956795ed5167a1491f3d352dec15b515401e685df036a19f447e5dfed000
Instruction ID: 61ce73050e7a82a97ca77de7868ebd425e34ea814586d545800a1bac6a4fb96c
Opcode Fuzzy Hash: 1d34956795ed5167a1491f3d352dec15b515401e685df036a19f447e5dfed000
Instruction Fuzzy Hash: 85A27D75A00209CFEB24CF58C484ABEB7B1FF58310F248469E945AB392D779ED42CB91

Function 007409D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00740A5B
timeGetTime.WINMM ref: 00740D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00740E53
Sleep.KERNEL32(0000000A), ref: 00740E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00740EFA
DestroyWindow.USER32 ref: 00740F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00740F20
Sleep.KERNEL32(0000000A,?,?), ref: 00774E83
TranslateMessage.USER32(?), ref: 00775C60
DispatchMessageW.USER32(?), ref: 00775C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00775C82

Strings

@TRAY_ID, xrefs: 0077578F
@COM_EVENTOBJ, xrefs: 007754F0
@GUI_WINHANDLE, xrefs: 00774F8F
@GUI_CTRLID, xrefs: 00774F3A
@GUI_CTRLHANDLE, xrefs: 00774FE4

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 5da7e9e482c888109cd5e90bd44a5e26ce27c570d7220a4dd319aeff6ae165e6
Instruction ID: f360fb86dcf8e6fbe11a38e614185a65bd879b16ca91cb6cfcb9f6c30f65f8a3
Opcode Fuzzy Hash: 5da7e9e482c888109cd5e90bd44a5e26ce27c570d7220a4dd319aeff6ae165e6
Instruction Fuzzy Hash: F3B2C370608741DFDB24DF24C888BAAB7E4BF84344F14891DE699972A1D7BDE844CB92

Function 00799155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00798F5F: __time64.LIBCMT ref: 00798F69

Part of subcall function 00734EE5: _fseek.LIBCMT ref: 00734EFD

__wsplitpath.LIBCMT ref: 00799234

Part of subcall function 007540FB: __wsplitpath_helper.LIBCMT ref: 0075413B

_wcscpy.LIBCMT ref: 00799247
_wcscat.LIBCMT ref: 0079925A
__wsplitpath.LIBCMT ref: 0079927F
_wcscat.LIBCMT ref: 00799295
_wcscat.LIBCMT ref: 007992A8

Part of subcall function 00798FA5: _memmove.LIBCMT ref: 00798FDE
Part of subcall function 00798FA5: _memmove.LIBCMT ref: 00798FED

_wcscmp.LIBCMT ref: 007991EF

Part of subcall function 00799734: _wcscmp.LIBCMT ref: 00799824
Part of subcall function 00799734: _wcscmp.LIBCMT ref: 00799837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00799452
_wcsncpy.LIBCMT ref: 007994C5
DeleteFileW.KERNEL32(?,?), ref: 007994FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00799511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00799522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00799534

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 5c375b77bc38907ee236a8156609a9d330a74a440082aa93b4951e5b88c79f29
Instruction ID: 0c9418dd9c8d4391f2296c10e146bb2966ed02ce8f040d97e43839c9d6eadc96
Opcode Fuzzy Hash: 5c375b77bc38907ee236a8156609a9d330a74a440082aa93b4951e5b88c79f29
Instruction Fuzzy Hash: 4DC15DB1D00219ABEF21DF94DC89EDEB7BDEF45300F0040AAF609E6151EB749A848F65

Function 0073301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00733074
RegisterClassExW.USER32(00000030), ref: 0073309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007330AF
InitCommonControlsEx.COMCTL32(?), ref: 007330CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007330DC
LoadIconW.USER32(000000A9), ref: 007330F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00733101

Strings

AutoIt v3 GUI, xrefs: 00733090
TaskbarCreated, xrefs: 007330A4
+, xrefs: 0073305D
0, xrefs: 00733056

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 3a49fdd8c91009eeb27a3baf028b96266578e303df6985a1a20dff3b6d634459
Instruction ID: 2f8480eacb6208317be211d33dfc3d1a1cdf015783a9a179487e3537f77a7bef
Opcode Fuzzy Hash: 3a49fdd8c91009eeb27a3baf028b96266578e303df6985a1a20dff3b6d634459
Instruction Fuzzy Hash: 953129B1901308AFDB10DFA4DC89BEDBBF4FB09710F14826AE650E62A1D7B94541CF95

Function 00733041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00733074
RegisterClassExW.USER32(00000030), ref: 0073309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007330AF
InitCommonControlsEx.COMCTL32(?), ref: 007330CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007330DC
LoadIconW.USER32(000000A9), ref: 007330F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00733101

Strings

AutoIt v3 GUI, xrefs: 00733090
TaskbarCreated, xrefs: 007330A4
+, xrefs: 0073305D
0, xrefs: 00733056

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 2acf3671d7f7d23660ab7ba297e48101cbfa73437cbc763b3dcf686aac4155f6
Instruction ID: d69d749a4a4edd458731d491deb017ac037f5e4aa45c50f6bdea9b7b13775d51
Opcode Fuzzy Hash: 2acf3671d7f7d23660ab7ba297e48101cbfa73437cbc763b3dcf686aac4155f6
Instruction Fuzzy Hash: D021C9B1911618AFDB00DF94EC49BDDBBF4FB08B50F10822AF610A62A0D7B94544CF99

Function 0073708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00734706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007F52F8,?,007337AE,?), ref: 00734724

Part of subcall function 0075050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00737165), ref: 0075052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 007371A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0076E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0076E909
RegCloseKey.ADVAPI32(?), ref: 0076E947
_wcscat.LIBCMT ref: 0076E9A0

Strings

Software\AutoIt v3\AutoIt, xrefs: 0073719E
\, xrefs: 0076E9C3
Include, xrefs: 0076E8BF, 0076E900
\Include\, xrefs: 00737165

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: f56760e28046642796120812055a3c81e8a4eb5d00e9c7ada510d8882cd25573
Instruction ID: 5745e9cf9f6d63dd0b5f267f6fc5abdb9953587ab6c9209bd1f76a04b6ea55f6
Opcode Fuzzy Hash: f56760e28046642796120812055a3c81e8a4eb5d00e9c7ada510d8882cd25573
Instruction Fuzzy Hash: 8971AFB1108301DED314EF29EC459ABBBF8FF94310F40852EF445872A1EB79A949CB66

Function 00733633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 007336D2
KillTimer.USER32(?,00000001), ref: 007336FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0073371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0073372A
CreatePopupMenu.USER32 ref: 0073373E
PostQuitMessage.USER32(00000000), ref: 0073374D

Strings

TaskbarCreated, xrefs: 00733725
%|, xrefs: 0076D081, 0076D0CF

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%|
API String ID: 129472671-294584353
Opcode ID: 788e1df648c14f21ff9dbe25d28cc4368202920fc293f1f5f8d896ca95f86883
Instruction ID: 951e36c618eb766b8a16f3bea5b65d762c107707ae8cfe0ddb92f7b6cd8ffd02
Opcode Fuzzy Hash: 788e1df648c14f21ff9dbe25d28cc4368202920fc293f1f5f8d896ca95f86883
Instruction Fuzzy Hash: FE4125B2600509FFFB346F68DC4EB793B55EB00740F504235FA02962A3DA6DAE40D769

Function 00733A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00733A50
LoadCursorW.USER32(00000000,00007F00), ref: 00733A5F
LoadIconW.USER32(00000063), ref: 00733A76
LoadIconW.USER32(000000A4), ref: 00733A88
LoadIconW.USER32(000000A2), ref: 00733A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00733AC0
RegisterClassExW.USER32(?), ref: 00733B16

Part of subcall function 00733041: GetSysColorBrush.USER32(0000000F), ref: 00733074
Part of subcall function 00733041: RegisterClassExW.USER32(00000030), ref: 0073309E
Part of subcall function 00733041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007330AF
Part of subcall function 00733041: InitCommonControlsEx.COMCTL32(?), ref: 007330CC
Part of subcall function 00733041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007330DC
Part of subcall function 00733041: LoadIconW.USER32(000000A9), ref: 007330F2
Part of subcall function 00733041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00733101

Strings

0, xrefs: 00733AF4
#, xrefs: 00733AFB
AutoIt v3, xrefs: 00733B05

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: eefa84feec9aeea464c5241ca8b57bbe48d8c8ebdd5b14d0e970c5550a0bcf38
Instruction ID: cee7380fe8bbf73c6ae710d9c7968228c07b48ccc2b04a8bb30bc6f5b911908e
Opcode Fuzzy Hash: eefa84feec9aeea464c5241ca8b57bbe48d8c8ebdd5b14d0e970c5550a0bcf38
Instruction Fuzzy Hash: 83214DB1D10704AFEB10DFA4EC09BAD7FB1FB08721F108269F604A62A1D7B95640CF88

Function 00733766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 007337AE
/AutoIt3OutputDebug, xrefs: 00733892
/AutoIt3ExecuteLine, xrefs: 007338A7
/AutoIt3ExecuteScript, xrefs: 007338BC
CMDLINERAW, xrefs: 007337FB
/ErrorStdOut, xrefs: 0073387D
CMDLINE, xrefs: 00733822

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 98b30ad1d65104e4b828d52cddc1d85634453d07e3f91d85b70f8d1c958a8a38
Instruction ID: 0237a18ba30cc735b89125b77b3bd694034af072599dc992612d066a9d6b5d4d
Opcode Fuzzy Hash: 98b30ad1d65104e4b828d52cddc1d85634453d07e3f91d85b70f8d1c958a8a38
Instruction Fuzzy Hash: B3A18EB291021DDAEB14EBA0DC99AEEB778BF15300F440129F516B7192DF7C6A08CB61

Function 01538318 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 015383E9
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0153860F

Memory Dump Source

Source File: 00000000.00000002.1334462787.0000000001535000.00000040.00000020.00020000.00000000.sdmp, Offset: 01535000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1535000_ql8KpEHT7y.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction ID: dd6e0f1e765681bdabfac4169b9ae2a569adea84ce8ef1ef0d45b0699ecf08ac
Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction Fuzzy Hash: A5A10974E00209EBDB18CFA4C894BEEBBB5BF88304F208659E515BB285D7759A41CF54

Function 007339D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00733A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00733A24
ShowWindow.USER32(00000000,?,?), ref: 00733A38
ShowWindow.USER32(00000000,?,?), ref: 00733A41

Strings

edit, xrefs: 00733A1E
AutoIt v3, xrefs: 007339FB, 00733A00, 00733A01

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 2e628192487c3c7d6f6ed3fcfc30e1711d6b5f9e2c13c302230a6e8c5b7c2a91
Instruction ID: 909e2f28a68e0054fcf7565d0fa8ca7cfba62df7b2a89e1879bf737220f7417e
Opcode Fuzzy Hash: 2e628192487c3c7d6f6ed3fcfc30e1711d6b5f9e2c13c302230a6e8c5b7c2a91
Instruction Fuzzy Hash: 98F030B05006907EEA305717AC0CF772F7DE7C7F60B018229FA00A2170C5691800CA78

Function 015380F8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01537FE8: Sleep.KERNELBASE(000001F4), ref: 01537FF9

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01538207

Strings

XGFFQLD3867FJSVU, xrefs: 0153826A, 0153826D

Memory Dump Source

Source File: 00000000.00000002.1334462787.0000000001535000.00000040.00000020.00020000.00000000.sdmp, Offset: 01535000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1535000_ql8KpEHT7y.jbxd

Similarity

API ID: CreateFileSleep
String ID: XGFFQLD3867FJSVU
API String ID: 2694422964-1738369515
Opcode ID: d5396248304ae33c74726d1bff1476c603060684d06ebcf387fd72ff3a2c52cb
Instruction ID: e62119145ac5ce19204eb99ae5d9b6a147a065e31c6351a04190ce532d2c6052
Opcode Fuzzy Hash: d5396248304ae33c74726d1bff1476c603060684d06ebcf387fd72ff3a2c52cb
Instruction Fuzzy Hash: A4518370D04249EBEF15DBA4C848BEEBBB5AF55300F004699F608BB2C0D7794B45CB65

Function 0073407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0076D3D7

Part of subcall function 00737BCC: _memmove.LIBCMT ref: 00737C06

_memset.LIBCMT ref: 007340FC
_wcscpy.LIBCMT ref: 00734150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00734160

Strings

Line: , xrefs: 0076D400

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 3e416425d47a86f6cbb717cf61dec1640650c05a87e558f7222374ae6bb19c67
Instruction ID: 86561360f8da8476b253cf3722da0ffb51a035ab2566892004c1dc54ac2c3516
Opcode Fuzzy Hash: 3e416425d47a86f6cbb717cf61dec1640650c05a87e558f7222374ae6bb19c67
Instruction Fuzzy Hash: 1631C8B1108705EBE338EB50DC49FEB77D8AF44300F10461AF68592192DB7CA648CB96

Function 0075541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0075547B
_memcpy_s.LIBCMT ref: 007554ED
__read_nolock.LIBCMT ref: 0075554B
__filbuf.LIBCMT ref: 0075556E
_memset.LIBCMT ref: 007555B2

Part of subcall function 00758B28: __getptd_noexit.LIBCMT ref: 00758B28

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: a318876de7c011548fbc557cde9c504a427d2fe6e47c41b6394e910e13c789f9
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: E351D670A00B45DBCB248F69D8545EE77B7AF40323F248729FC25962D0E7F99D688B40

Function 0073686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00734DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007F52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00734E0F

_free.LIBCMT ref: 0076E263
_free.LIBCMT ref: 0076E2AA

Part of subcall function 00736A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00736BAD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0076E039
Bad directive syntax error, xrefs: 0076E292

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 3adf0d571fd691587c5e9a20dd4492267a1a41442311f0353fbb30b75f3ebb76
Instruction ID: dc29025f084de95a7d4622a23b90eed383eb482b0faf35840415b559aed94233
Opcode Fuzzy Hash: 3adf0d571fd691587c5e9a20dd4492267a1a41442311f0353fbb30b75f3ebb76
Instruction Fuzzy Hash: E5919275A10219EFDF08EFA4CC959EDB7B4FF05310F144429F816AB2A2DB79A905CB60

Function 0073F76F Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00750162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00750193
Part of subcall function 00750162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0075019B
Part of subcall function 00750162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007501A6
Part of subcall function 00750162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 007501B1
Part of subcall function 00750162: MapVirtualKeyW.USER32(00000011,00000000), ref: 007501B9
Part of subcall function 00750162: MapVirtualKeyW.USER32(00000012,00000000), ref: 007501C1

Part of subcall function 007460F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0073F930), ref: 00746154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0073F9CD
OleInitialize.OLE32(00000000), ref: 0073FA4A
CloseHandle.KERNEL32(00000000), ref: 007745C8

Strings

%|, xrefs: 0073F796, 0073F7A8, 0073F96E, 0073FA51

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: %|
API String ID: 1986988660-1433500012
Opcode ID: 3f17bc0a400b932dde0519debd0f06916e1ef3d8b8142d2ac7b23ac2f05886f8
Instruction ID: 0fbe969670b9a3ffc436611f8ead095fcc8b0675795e86e056bcc066368dcdd3
Opcode Fuzzy Hash: 3f17bc0a400b932dde0519debd0f06916e1ef3d8b8142d2ac7b23ac2f05886f8
Instruction Fuzzy Hash: BA819BB0915E84CFC384EF29E845A397BE5AB4830A791C13AD619CB362E77C4484CF29

Function 007335B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,007335A1,SwapMouseButtons,00000004,?), ref: 007335D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,007335A1,SwapMouseButtons,00000004,?,?,?,?,00732754), ref: 007335F5
RegCloseKey.KERNELBASE(00000000,?,?,007335A1,SwapMouseButtons,00000004,?,?,?,?,00732754), ref: 00733617

Strings

Control Panel\Mouse, xrefs: 007335D2

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 05e6251a586c14b09c5f235020eafd7f466abfb63131be83b5b47f3a795d92d3
Instruction ID: a3985f676528810f9861c7a59d4efa6509986989c0c33b9b7bb9745496ab2acf
Opcode Fuzzy Hash: 05e6251a586c14b09c5f235020eafd7f466abfb63131be83b5b47f3a795d92d3
Instruction Fuzzy Hash: 7C115771A10208FFEB209F64DC81EAEBBBCEF04740F008669F805D7221E2759F409BA4

Function 01536FE8 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01537815
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01537839
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0153785B

Memory Dump Source

Source File: 00000000.00000002.1334462787.0000000001535000.00000040.00000020.00020000.00000000.sdmp, Offset: 01535000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1535000_ql8KpEHT7y.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
Instruction ID: 0d6318cf84aca90e07ce78036d088cfc26e4d3d54ca3c9f15f82d20cc0a4ec5e
Opcode Fuzzy Hash: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
Instruction Fuzzy Hash: 2462FA70E142589BEB24CFA4C850BDEB772FF98300F1095A9D20DEB290E7759E81CB59

Function 0079955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00734EE5: _fseek.LIBCMT ref: 00734EFD

Part of subcall function 00799734: _wcscmp.LIBCMT ref: 00799824
Part of subcall function 00799734: _wcscmp.LIBCMT ref: 00799837

_free.LIBCMT ref: 007996A2
_free.LIBCMT ref: 007996A9
_free.LIBCMT ref: 00799714

Part of subcall function 00752D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00759A24), ref: 00752D69
Part of subcall function 00752D55: GetLastError.KERNEL32(00000000,?,00759A24), ref: 00752D7B

_free.LIBCMT ref: 0079971C

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 6cef8eb787e4e551deb87a41cfcc5f328edab007a71f9a3129ff1eb0514b26a6
Instruction ID: 4dc0692f9e1242ca9d0aaa62499deb6ca15ef73016feeba491d81b5b656d644b
Opcode Fuzzy Hash: 6cef8eb787e4e551deb87a41cfcc5f328edab007a71f9a3129ff1eb0514b26a6
Instruction Fuzzy Hash: A1515FB1E04218EFEF249FA4DC85A9EBB79EF48300F14049EF609A3241DB755A81CF59

Function 0075470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007547A0
__flush.LIBCMT ref: 007547C0
__write.LIBCMT ref: 007547F3
__flsbuf.LIBCMT ref: 00754821

Part of subcall function 00758B28: __getptd_noexit.LIBCMT ref: 00758B28

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 0af55ec90a8728e6c917e43a03c35434df9ffc16254d883af7776a65aa77085f
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 4E41E634A00745ABDB188F69C8849EE77A5EF4536AB24857DEC1587640E7F8EDC88B40

Function 007344A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007344CF

Part of subcall function 0073407C: _memset.LIBCMT ref: 007340FC
Part of subcall function 0073407C: _wcscpy.LIBCMT ref: 00734150
Part of subcall function 0073407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00734160

KillTimer.USER32(?,00000001,?,?), ref: 00734524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00734533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0076D4B9

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: b6e6077cdbebfe4c04b196f4a9cef674027f7e09962b1fbe3a1c4b806ad40cfc
Instruction ID: fd28014858da87e45b48057056c9bffa418b16a38f14a40b579b99d4e5c689f3
Opcode Fuzzy Hash: b6e6077cdbebfe4c04b196f4a9cef674027f7e09962b1fbe3a1c4b806ad40cfc
Instruction Fuzzy Hash: D621C8709047949FF7328B24CC55BE6BFECAF05315F04409EEB9A96142C7786D84CB55

Function 00734C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00734CBA

Strings

AU3!P/|, xrefs: 00734CB4
EA06, xrefs: 0076D8CC

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/|$EA06
API String ID: 4104443479-648605970
Opcode ID: 378c77459991dedceea1418cf8368fbd5a8dadd78bd897143b7b6f49b466ef29
Instruction ID: 0eea257e7319e8e69e70134efe4a9b76b0f8b994c542a9a4bd921b78c54013b5
Opcode Fuzzy Hash: 378c77459991dedceea1418cf8368fbd5a8dadd78bd897143b7b6f49b466ef29
Instruction Fuzzy Hash: FB418B22B1415CABFF299B648C557BE7FB2DB45300F684075EE829B283D62CBD4483A1

Function 00737285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0076EA39
GetOpenFileNameW.COMDLG32(?), ref: 0076EA83

Part of subcall function 00734750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00734743,?,?,007337AE,?), ref: 00734770

Part of subcall function 00750791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007507B0

Strings

X, xrefs: 0076EA51

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: db920ed172235915b1e53eeda5074f31f195c7713dd6b21e89275c5848c84fff
Instruction ID: f0c76c34501d5618abf6ccf342934ebc26e50587f4d5efa68d65236443c751d2
Opcode Fuzzy Hash: db920ed172235915b1e53eeda5074f31f195c7713dd6b21e89275c5848c84fff
Instruction Fuzzy Hash: C321D471A102889BDB559F94CC49BEE7BF8AF08710F048019E908B7242DBBC5949CFA1

Function 00798D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00798DAC
__fread_nolock.LIBCMT ref: 00798DC1

Strings

EA06, xrefs: 00798DF3

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 4d2106bb227df6715ba18c082a33093bbdd990b21d0ed12f687082eefe6db9c4
Instruction ID: 275f6a80bb87dad074220a965a4b6724e9250142242f0fb0fe4b94be2ebf2469
Opcode Fuzzy Hash: 4d2106bb227df6715ba18c082a33093bbdd990b21d0ed12f687082eefe6db9c4
Instruction Fuzzy Hash: 2401F971D04258BEDF58CAA8C81AEEE7BF8DB15301F00419EF552D2181E8B8E60887A0

Function 007998E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 007998F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0079990F

Strings

aut, xrefs: 00799909

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: f50c60c6aa8a8a612e8c57782b258d8bc74710a326cdbd59dfe4941489898573
Instruction ID: 4e7a648b4b2de8b954e38f5ce8d0a41c4b28eb3ad062fd29d6147d2aa7368a91
Opcode Fuzzy Hash: f50c60c6aa8a8a612e8c57782b258d8bc74710a326cdbd59dfe4941489898573
Instruction Fuzzy Hash: ACD05E7954030DABDB50ABA4DC0EFDA773CEB04B00F0043B1FF54D11A1EAB595988B95

Function 007ACADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b33169b887f2d6c94988654582cc4944353b29625adfe0bdb76488a992f90fb
Instruction ID: 0b2be41dd47ea9b718df9f378556f3a6bffe1a08a674d14efef74ae0a90e78fa
Opcode Fuzzy Hash: 5b33169b887f2d6c94988654582cc4944353b29625adfe0bdb76488a992f90fb
Instruction Fuzzy Hash: 0CF11771608301EFC715DF28C484A6ABBE5BFC9314F14892EF8999B251D774E945CF82

Function 0073434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00734370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00734415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00734432

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 4e28471b91f25d694d84c0a91de0bb1b5d8f5efba2a3476c6cc0803c49e4b949
Instruction ID: c46655f402d32250eae4d1483512582470dae2f1c9d55935d1efc092435f036d
Opcode Fuzzy Hash: 4e28471b91f25d694d84c0a91de0bb1b5d8f5efba2a3476c6cc0803c49e4b949
Instruction Fuzzy Hash: E33184B0505701DFD724DF24D8846ABBBF8FB48309F004A2EF69A93252D7796944CB56

Function 0075571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00755733

Part of subcall function 0075A16B: __NMSG_WRITE.LIBCMT ref: 0075A192
Part of subcall function 0075A16B: __NMSG_WRITE.LIBCMT ref: 0075A19C

__NMSG_WRITE.LIBCMT ref: 0075573A

Part of subcall function 0075A1C8: GetModuleFileNameW.KERNEL32(00000000,007F33BA,00000104,?,00000001,00000000), ref: 0075A25A
Part of subcall function 0075A1C8: ___crtMessageBoxW.LIBCMT ref: 0075A308

Part of subcall function 0075309F: ___crtCorExitProcess.LIBCMT ref: 007530A5
Part of subcall function 0075309F: ExitProcess.KERNEL32 ref: 007530AE

Part of subcall function 00758B28: __getptd_noexit.LIBCMT ref: 00758B28

RtlAllocateHeap.NTDLL(013E0000,00000000,00000001,00000000,?,?,?,00750DD3,?), ref: 0075575F

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: c54ab0b06ef43182e7d39d0ea313bb0da2227d23e8a539eef3d53fb40bb161dc
Instruction ID: 33d469520091da521757a886471928bb6fc4b60fb4744fc3b3e7c8d402fe98cd
Opcode Fuzzy Hash: c54ab0b06ef43182e7d39d0ea313bb0da2227d23e8a539eef3d53fb40bb161dc
Instruction Fuzzy Hash: 3801F571200B05DBE6102738EC6AAEE775C9B46763F100935FC05AB1D1DEFC9C088665

Function 007998A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00799548,?,?,?,?,?,00000004), ref: 007998BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00799548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 007998D1
CloseHandle.KERNEL32(00000000,?,00799548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007998D8

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 86cbcc497fc3662fa005bc09da8b67915182bb4a6198412a9de12136dbbb21eb
Instruction ID: 9078a6e41166507debc6c51121ee4e2d63373497ef95866636e6fde8873ce0da
Opcode Fuzzy Hash: 86cbcc497fc3662fa005bc09da8b67915182bb4a6198412a9de12136dbbb21eb
Instruction Fuzzy Hash: 2DE0863214021CB7EB211B58EC09FCA7F59AB06B60F148220FB14790E087B51511979C

Function 00798D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00798D1B

Part of subcall function 00752D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00759A24), ref: 00752D69
Part of subcall function 00752D55: GetLastError.KERNEL32(00000000,?,00759A24), ref: 00752D7B

_free.LIBCMT ref: 00798D2C
_free.LIBCMT ref: 00798D3E

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e92dce40d9500f9ac2a34e83b90a716ef22a9282606ba49fbfd8bfa905bb999e
Instruction ID: e7b9d2f4a5abf7a7d509edee1ffb1dd91fd556f4605fbf508437552c38cf3668
Opcode Fuzzy Hash: e92dce40d9500f9ac2a34e83b90a716ef22a9282606ba49fbfd8bfa905bb999e
Instruction Fuzzy Hash: 33E012A170170186CF64A578B944AD313EC4F5E393B14091EB80DD71C7CEACF8478124

Function 0073A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0076FC01

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 09f8ffbec22c8ea09c50aaaf30a7078cffc2014bb285895d2be840858cb5005f
Instruction ID: 4194a0165b7e25e887bab9cc12e0ecfa8ce0c47943578d443d8bc989abb617df
Opcode Fuzzy Hash: 09f8ffbec22c8ea09c50aaaf30a7078cffc2014bb285895d2be840858cb5005f
Instruction Fuzzy Hash: 10227B70608301DFEB24DF24C495B6AB7E1BF84300F15896DE98A8B362D779EC45CB82

Function 007977B3 Relevance: 3.1, APIs: 2, Instructions: 133COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007978DB

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 059574cf47bda8725b60555c6bc87727ac0702e8c5106250e102d0fb1eb030cd
Instruction ID: b88caa2464b2ee18e0631ae6532baeb316dfa8014e87ef79b7a6d42078b288aa
Opcode Fuzzy Hash: 059574cf47bda8725b60555c6bc87727ac0702e8c5106250e102d0fb1eb030cd
Instruction Fuzzy Hash: 0041F571918305DBDF04EFA8E889DBAB7B8EF49300F244459E58597342DB7D9C05CBA0

Function 00737A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00737AAB
_memmove.LIBCMT ref: 00737B16

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: aa52f996f6a1e8cebf2e93e85435818c4b1739226e09e342898e130c21d93d86
Instruction ID: fbba5ce7faf0d68249344bed4da5f5755bf3ec3b664024d2e7e39a89e2656359
Opcode Fuzzy Hash: aa52f996f6a1e8cebf2e93e85435818c4b1739226e09e342898e130c21d93d86
Instruction Fuzzy Hash: 073184F1604606AFD718DF68C8D1D69F3A5FF48310B15C629E919CB392EB74E910CB90

Function 007347D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00734834

Part of subcall function 0075336C: __lock.LIBCMT ref: 00753372
Part of subcall function 0075336C: DecodePointer.KERNEL32(00000001,?,00734849,00787C74), ref: 0075337E
Part of subcall function 0075336C: EncodePointer.KERNEL32(?,?,00734849,00787C74), ref: 00753389

Part of subcall function 007348FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00734915
Part of subcall function 007348FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0073492A

Part of subcall function 00733B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00733B68
Part of subcall function 00733B3A: IsDebuggerPresent.KERNEL32 ref: 00733B7A
Part of subcall function 00733B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,007F52F8,007F52E0,?,?), ref: 00733BEB
Part of subcall function 00733B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00733C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00734874

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 586b49ef8d1e42b9c84abe6c0bdad5256e1b9f7304476d24af3590faa18269a5
Instruction ID: a841c8b4612c7f55a9fca1f143f259c11c83f6ea4873deab1bce302f9c23db3b
Opcode Fuzzy Hash: 586b49ef8d1e42b9c84abe6c0bdad5256e1b9f7304476d24af3590faa18269a5
Instruction Fuzzy Hash: C6118EB19143419BD700EF28EC0996AFFE8FB85750F10861AF54087272DBB89648CB95

Function 00750DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0075571C: __FF_MSGBANNER.LIBCMT ref: 00755733
Part of subcall function 0075571C: __NMSG_WRITE.LIBCMT ref: 0075573A
Part of subcall function 0075571C: RtlAllocateHeap.NTDLL(013E0000,00000000,00000001,00000000,?,?,?,00750DD3,?), ref: 0075575F

std::exception::exception.LIBCMT ref: 00750DEC
__CxxThrowException@8.LIBCMT ref: 00750E01

Part of subcall function 0075859B: RaiseException.KERNEL32(?,?,?,007E9E78,00000000,?,?,?,?,00750E06,?,007E9E78,?,00000001), ref: 007585F0

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 915744403485590d1841cdacd4b8a560bdb07e6b45687461e22d40173235481a
Instruction ID: e928f498cb364b8aee9aea06eeefb75f26e8677f78b13bda3bb71e2148ec6064
Opcode Fuzzy Hash: 915744403485590d1841cdacd4b8a560bdb07e6b45687461e22d40173235481a
Instruction Fuzzy Hash: DBF0A93260031EA6DB10BAA4DC05ADE77AC9F15352F10042DFD04A6151DFF99A59C5D1

Function 007555FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0075562C
__lock_file.LIBCMT ref: 0075564D

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: fb5d91a592b2d00a27ece324fe065bce8e0aa5238931bff695eac6c27b9b645c
Instruction ID: 7337b716dc849e75f715cb44dc2177696cc9496c1900865576d2aa31ead02d34
Opcode Fuzzy Hash: fb5d91a592b2d00a27ece324fe065bce8e0aa5238931bff695eac6c27b9b645c
Instruction Fuzzy Hash: 3D01D471C00A48EBCF12AF648C0A4DE7B61EF51723F544115FC242B191EBB98A19DF92

Function 007553A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00758B28: __getptd_noexit.LIBCMT ref: 00758B28

__lock_file.LIBCMT ref: 007553EB

Part of subcall function 00756C11: __lock.LIBCMT ref: 00756C34

__fclose_nolock.LIBCMT ref: 007553F6

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 525e83df65a2d2b9e007b6719c3d74ca7d119817de9755fb88c4ca76f6d9af43
Instruction ID: 5e4d23572956bdf7caacc780a14394d1f724377762d084297196a2466c9d2d9a
Opcode Fuzzy Hash: 525e83df65a2d2b9e007b6719c3d74ca7d119817de9755fb88c4ca76f6d9af43
Instruction Fuzzy Hash: 5FF0F671800A04DBD750AB65880A7ED77E06F0137BF208108AC28BB1C1DBFC59099B52

Function 01536FE5 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01537815
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01537839
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0153785B

Memory Dump Source

Source File: 00000000.00000002.1334462787.0000000001535000.00000040.00000020.00020000.00000000.sdmp, Offset: 01535000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1535000_ql8KpEHT7y.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction ID: 780dbe3e9742bcf13eb2fa3a724ffcd18ac2d0ec6f245c33064155ac211b67d5
Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction Fuzzy Hash: 9112CC24E24658C6EB24DF64D8507DEB332FF68300F1094E9910DEB7A5E77A4E81CB5A

Function 00750C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00750CB7

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 27affe0e5970bdb97655de1882fe829816a08dfb1deff79a4cb008ec3f5cf47b
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 6131D470A001059BC718DF58C4849E9F7A6FB5A302B6887A5E80ACF351D7B5EDC5DBE0

Function 0076FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0076FCB7

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1deec32989db87ab94523a8051f32e091d67ffd716426d4eea1d4b084cea5539
Instruction ID: 9b9aa0b027401d0f9217bfbc69f2ba760acb90053103a75aa75548aa0e4052da
Opcode Fuzzy Hash: 1deec32989db87ab94523a8051f32e091d67ffd716426d4eea1d4b084cea5539
Instruction Fuzzy Hash: B0412774604341DFEB14DF24C448B1ABBE0BF45318F1988ACE9998B362C37AE845CF92

Function 00737B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00737BB3

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 5705deba3f61ee9e21b86f78b9917aaa66316ff56d314e732433376a0aabc38e
Instruction ID: ed3c387b0be8ea2e81c5fb1a4ce607aef8b5b148d3784e966804958f52b9bb3c
Opcode Fuzzy Hash: 5705deba3f61ee9e21b86f78b9917aaa66316ff56d314e732433376a0aabc38e
Instruction Fuzzy Hash: FF214BB2604A49EBDB244F25E8817A9BBB4FF14350F20C42DED86C9191EB3880D0D765

Function 00734DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00734BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00734BEF

Part of subcall function 0075525B: __wfsopen.LIBCMT ref: 00755266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007F52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00734E0F

Part of subcall function 00734B6A: FreeLibrary.KERNEL32(00000000), ref: 00734BA4

Part of subcall function 00734C70: _memmove.LIBCMT ref: 00734CBA

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: fc4bcb29687c607ad0c0c7879601e081512a50c1f8cedbf863db62c5ccee82b6
Instruction ID: 1656d2d93e6f12eeeda67b1801785e332f7233468fa04733c0cbc1dbc2723b46
Opcode Fuzzy Hash: fc4bcb29687c607ad0c0c7879601e081512a50c1f8cedbf863db62c5ccee82b6
Instruction Fuzzy Hash: B511E731640206EBEF28AF70CC1AFAD77A4EF44710F108429F942A7182DA7DAD009751

Function 0076FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0076FD91

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: dbc07f02255c6862fc9fe31bcf539a753dab73970d9e2320f64f8ec79c270c52
Instruction ID: 6876e2bc2aa11bc02448a5306c78545dbdefee19c671c5a5b1a2dcf562e643b8
Opcode Fuzzy Hash: dbc07f02255c6862fc9fe31bcf539a753dab73970d9e2320f64f8ec79c270c52
Instruction Fuzzy Hash: 9B2124B4608341DFDB14DF64C445B5ABBE0BF88315F05896CF98A57722D739E809CBA2

Function 0075072A Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f885bf3ff7540f0353aeec10980ece588b8686fe2755ff5c12391e4638d39f9
Instruction ID: 8e8fab61316d5629795f1ed936f513083e726b9919eb47b991bb65e6bb4ce943
Opcode Fuzzy Hash: 1f885bf3ff7540f0353aeec10980ece588b8686fe2755ff5c12391e4638d39f9
Instruction Fuzzy Hash: E70149724051245FEF314A24AC42AEAB7D8EF88333F10896FFC0896810D6E87C4C8EE0

Function 00754863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 007548A6

Part of subcall function 00758B28: __getptd_noexit.LIBCMT ref: 00758B28

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: d867cfd4c3dd5225be65a08f278051ef9419bb9d41ccc175879e037ef8c75525
Instruction ID: 3f681ffc1d35e56a6db371be6db54ed430aaa41d7392ab296110bf518ddb7dd0
Opcode Fuzzy Hash: d867cfd4c3dd5225be65a08f278051ef9419bb9d41ccc175879e037ef8c75525
Instruction Fuzzy Hash: 6DF0C871901645EBDF51AF748C0A7EE36A0AF0032BF154414FC24A6191DBFCA999DF52

Function 00734E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,007F52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00734E7E

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: f19675f23d36996fa5747c916e68426c6b04d45c9af0e5bc80921a66573f4afd
Instruction ID: 5a186b1c5c0b2c31ba60893919b85f6f21fc684fadb528e4677e2614daf86262
Opcode Fuzzy Hash: f19675f23d36996fa5747c916e68426c6b04d45c9af0e5bc80921a66573f4afd
Instruction Fuzzy Hash: 82F06D71541711DFEB389F64E894812BBF1FF1432A7208A7EE1DB82622C77AA844DF40

Function 00750791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007507B0

Part of subcall function 00737BCC: _memmove.LIBCMT ref: 00737C06

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 10e5cebc954a87b6eaa36b04703d8e422fbe8ee81643c24d13674c6ba5a0a7d9
Instruction ID: 739da40a0c30952a9a585af1d3ad0355396a1a940d76587a5f2b48aa5729db89
Opcode Fuzzy Hash: 10e5cebc954a87b6eaa36b04703d8e422fbe8ee81643c24d13674c6ba5a0a7d9
Instruction Fuzzy Hash: 7EE0CD7690422857C720D6689C09FEAB7EDDF887A0F0441B6FC0CD7305D964AC8086D0

Function 00798E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00798EC1

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: e57e266172cbeab3a41b32f03ed1b4e811104b262a8f1716f2f7e69ec018b090
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: D2E092B0104B009BDB388A24D810BE373E1AB06305F04095DF6AAC3241EBA67845C759

Function 0075525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00755266

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 39242536a454a70c0947ec4f3782b4e3e086a8c595f4292ac212938f150a919e
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 34B092B644020CB7CE012A82EC02A893B19AB41764F408020FF0C18162A6B7A6689A8A

Function 01537FE4 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01537FF9

Memory Dump Source

Source File: 00000000.00000002.1334462787.0000000001535000.00000040.00000020.00020000.00000000.sdmp, Offset: 01535000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1535000_ql8KpEHT7y.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 7baaea33893649e0ee1d15f64d24361c45ce9cb1d698c5a4bb5a946b189f5694
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 55E0BF7494010DEFDB10DFA4D5496DD7BB4FF04311F1006A1FD05D7691DB309E549A62

Function 01537FE8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01537FF9

Memory Dump Source

Source File: 00000000.00000002.1334462787.0000000001535000.00000040.00000020.00020000.00000000.sdmp, Offset: 01535000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1535000_ql8KpEHT7y.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: e9e3d65abe510b9af99e835f1cdf18a13a4b8267675fca8cb80eeb73b188454c
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: E8E0E67494010DDFDB00DFB4D54969D7BB4FF04301F100261FD01D2281D6309E509A72

Non-executed Functions

Function 007BCABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00732612: GetWindowLongW.USER32(?,000000EB), ref: 00732623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 007BCB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007BCB95
GetWindowLongW.USER32(?,000000F0), ref: 007BCBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007BCC00
SendMessageW.USER32 ref: 007BCC29
_wcsncpy.LIBCMT ref: 007BCC95
GetKeyState.USER32(00000011), ref: 007BCCB6
GetKeyState.USER32(00000009), ref: 007BCCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007BCCD9
GetKeyState.USER32(00000010), ref: 007BCCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007BCD0C
SendMessageW.USER32 ref: 007BCD33
SendMessageW.USER32(?,00001030,?,007BB348), ref: 007BCE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 007BCE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 007BCE60
SetCapture.USER32(?), ref: 007BCE69
ClientToScreen.USER32(?,?), ref: 007BCECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007BCEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007BCEF5
ReleaseCapture.USER32 ref: 007BCF00
GetCursorPos.USER32(?), ref: 007BCF3A
ScreenToClient.USER32(?,?), ref: 007BCF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 007BCFA3
SendMessageW.USER32 ref: 007BCFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 007BD00E
SendMessageW.USER32 ref: 007BD03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 007BD05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 007BD06D
GetCursorPos.USER32(?), ref: 007BD08D
ScreenToClient.USER32(?,?), ref: 007BD09A
GetParent.USER32(?), ref: 007BD0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 007BD123
SendMessageW.USER32 ref: 007BD154
ClientToScreen.USER32(?,?), ref: 007BD1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 007BD1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 007BD20C
SendMessageW.USER32 ref: 007BD22F
ClientToScreen.USER32(?,?), ref: 007BD281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 007BD2B5

Part of subcall function 007325DB: GetWindowLongW.USER32(?,000000EB), ref: 007325EC

GetWindowLongW.USER32(?,000000F0), ref: 007BD351

Strings

@GUI_DRAGID, xrefs: 007BCE9C
F, xrefs: 007BD235

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: a66f730f99a1778731220442ea848e23ea56cc64a79c6e04c08e3a4fd181d57a
Instruction ID: a876f9703e95ca014ced21ee2e0c49c52451578e1096cd15a90415aba6bd25db
Opcode Fuzzy Hash: a66f730f99a1778731220442ea848e23ea56cc64a79c6e04c08e3a4fd181d57a
Instruction Fuzzy Hash: 3542AB74204681EFD721CF28C848FAABFE5FF48710F148629F6558B2A1D739D850DB56

Function 00746F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007471C3
_memset.LIBCMT ref: 00747539
_memmove.LIBCMT ref: 007476AC

Strings

[:>:]], xrefs: 00747492
]~, xrefs: 00781A22
3ct, xrefs: 007823A0
DEFINE, xrefs: 00782103
\b(?=\w), xrefs: 00783769
_t, xrefs: 007823CB
\b(?<=\w), xrefs: 00783773
[:<:]], xrefs: 00747479
Q\E, xrefs: 00747FCB
P\~, xrefs: 00781AB8

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]~$3ct$DEFINE$P\~$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_t
API String ID: 1357608183-102268661
Opcode ID: cd60f42cd002709cd244167a335d2c91fa9d39b38ccc90483d493b57bdec8e34
Instruction ID: 720b60511503ebe1574ca25d20be84b3926f0ac4746d903c84cf2bc6235ea4df
Opcode Fuzzy Hash: cd60f42cd002709cd244167a335d2c91fa9d39b38ccc90483d493b57bdec8e34
Instruction Fuzzy Hash: CB93B371E40219DFDB28DF58C885BADB7B1FF48710F24816AE945EB281E7789D82CB50

Function 007348D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 007348DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0076D665
IsIconic.USER32(?), ref: 0076D66E
ShowWindow.USER32(?,00000009), ref: 0076D67B
SetForegroundWindow.USER32(?), ref: 0076D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0076D69B
GetCurrentThreadId.KERNEL32 ref: 0076D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0076D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0076D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0076D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0076D6CF
SetForegroundWindow.USER32(?), ref: 0076D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0076D6E7
keybd_event.USER32(00000012,00000000), ref: 0076D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0076D6FC
keybd_event.USER32(00000012,00000000), ref: 0076D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0076D70A
keybd_event.USER32(00000012,00000000), ref: 0076D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0076D719
keybd_event.USER32(00000012,00000000), ref: 0076D71E
SetForegroundWindow.USER32(?), ref: 0076D721
AttachThreadInput.USER32(?,?,00000000), ref: 0076D748

Strings

Shell_TrayWnd, xrefs: 0076D660

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 6d63d9e7d9f416f0682318729a5719bc329777bb300b0f0f52768eb703e579bc
Instruction ID: effc9667f7da3fadd078131c7ba06e52129b28ae26a166147756a3fbfad40ba6
Opcode Fuzzy Hash: 6d63d9e7d9f416f0682318729a5719bc329777bb300b0f0f52768eb703e579bc
Instruction Fuzzy Hash: E8319271A40318BAEB302F659C49FBF3F6CEB44F50F108125FE05EA1D1CAB85D11AAA5

Function 00788310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 007887E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0078882B
Part of subcall function 007887E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00788858
Part of subcall function 007887E1: GetLastError.KERNEL32 ref: 00788865

_memset.LIBCMT ref: 00788353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 007883A5
CloseHandle.KERNEL32(?), ref: 007883B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007883CD
GetProcessWindowStation.USER32 ref: 007883E6
SetProcessWindowStation.USER32(00000000), ref: 007883F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0078840A

Part of subcall function 007881CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00788309), ref: 007881E0
Part of subcall function 007881CB: CloseHandle.KERNEL32(?,?,00788309), ref: 007881F2

Strings

winsta0, xrefs: 007883C8
, xrefs: 00788362
default, xrefs: 00788405

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 09a47aba32d7dffc3439be216388a3aad3dc97d93edd32011151e684b91c5145
Instruction ID: bd0f450dc709b8098fafdcbc58d6e3912279f849dc79846f04d4c168655b6f6b
Opcode Fuzzy Hash: 09a47aba32d7dffc3439be216388a3aad3dc97d93edd32011151e684b91c5145
Instruction Fuzzy Hash: BE817DB1940209AFDF51EFA4CC49EEE7BB9FF04704F648169F810A6161DB398E25DB21

Function 0079C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0079C78D
FindClose.KERNEL32(00000000), ref: 0079C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0079C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0079C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 0079C844
__swprintf.LIBCMT ref: 0079C890
__swprintf.LIBCMT ref: 0079C8D3

Part of subcall function 00737DE1: _memmove.LIBCMT ref: 00737E22

__swprintf.LIBCMT ref: 0079C927

Part of subcall function 00753698: __woutput_l.LIBCMT ref: 007536F1

__swprintf.LIBCMT ref: 0079C975

Part of subcall function 00753698: __flsbuf.LIBCMT ref: 00753713
Part of subcall function 00753698: __flsbuf.LIBCMT ref: 0075372B

__swprintf.LIBCMT ref: 0079C9C4
__swprintf.LIBCMT ref: 0079CA13
__swprintf.LIBCMT ref: 0079CA62

Strings

%4d, xrefs: 0079C8CD
%4d%02d%02d%02d%02d%02d, xrefs: 0079C88A
%02d, xrefs: 0079C91B, 0079C925, 0079C973, 0079C9C2, 0079CA11, 0079CA60

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: a58699bf71fa258149d33e61f4d21c268c9030e90a213e38757bf6fc1336f801
Instruction ID: a7b51382396677ba540ca9b2079f408c11d88b0a14bde7b69bd60d35de982ecd
Opcode Fuzzy Hash: a58699bf71fa258149d33e61f4d21c268c9030e90a213e38757bf6fc1336f801
Instruction Fuzzy Hash: C4A13EB1508304EBD755EFA4C889DAFB7ECFF94700F404919F585C6192EA78EA08CB62

Function 0079EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0079EFB6
_wcscmp.LIBCMT ref: 0079EFCB
_wcscmp.LIBCMT ref: 0079EFE2
GetFileAttributesW.KERNEL32(?), ref: 0079EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 0079F00E
FindNextFileW.KERNEL32(00000000,?), ref: 0079F026
FindClose.KERNEL32(00000000), ref: 0079F031
FindFirstFileW.KERNEL32(*.*,?), ref: 0079F04D
_wcscmp.LIBCMT ref: 0079F074
_wcscmp.LIBCMT ref: 0079F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 0079F09D
SetCurrentDirectoryW.KERNEL32(007E8920), ref: 0079F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 0079F0C5
FindClose.KERNEL32(00000000), ref: 0079F0D2
FindClose.KERNEL32(00000000), ref: 0079F0E4

Strings

*.*, xrefs: 0079F048

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 71a614ed263ee15bed54fb3ffdc934e2ac12922979e5834860b68efed3ec8866
Instruction ID: 3b62a6b63d3c4c8bc520ff2e650deb69c1a01cf5e5f29bdbb6bc82785954833c
Opcode Fuzzy Hash: 71a614ed263ee15bed54fb3ffdc934e2ac12922979e5834860b68efed3ec8866
Instruction Fuzzy Hash: 2731C5329012186ADF14DBB8EC49FEE77ACAF48761F144176E804D30A1EB78DA44CB65

Function 007B0857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007B0953
RegCreateKeyExW.ADVAPI32(?,?,00000000,007BF910,00000000,?,00000000,?,?), ref: 007B09C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 007B0A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 007B0A92
RegCloseKey.ADVAPI32(?), ref: 007B0DB2
RegCloseKey.ADVAPI32(00000000), ref: 007B0DBF

Strings

REG_EXPAND_SZ, xrefs: 007B0A2F
REG_SZ, xrefs: 007B0AD0
REG_BINARY, xrefs: 007B0D4D
REG_MULTI_SZ, xrefs: 007B0B7A
REG_DWORD, xrefs: 007B0C83
REG_QWORD, xrefs: 007B0D00

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 9f0b669197bf3ccacc9a5c23e32389b2947153bbf56608c7753a99a30663a6aa
Instruction ID: e014a48ce59b164332241c186fbc018a22ba166cecec39c660a39bb6a458f5b5
Opcode Fuzzy Hash: 9f0b669197bf3ccacc9a5c23e32389b2947153bbf56608c7753a99a30663a6aa
Instruction Fuzzy Hash: 63024875600601DFDB14EF18C899EAAB7E5EF89710F04855CF9899B3A2DB78ED01CB81

Function 007466E1 Relevance: 25.9, Strings: 20, Instructions: 889COMMON

Download Yara Rule

Strings

NO_START_OPT), xrefs: 0078114F
LIMIT_RECURSION=, xrefs: 007811FC
CR), xrefs: 00781287
3ct, xrefs: 007468FF
BSR_ANYCRLF), xrefs: 0078131E
_t, xrefs: 00781465, 0078150C, 007815B4
ANY), xrefs: 007812DE
ANYCRLF), xrefs: 007812FB
pG}, xrefs: 00746751
0F}, xrefs: 00746747
0D}, xrefs: 00746733
UCP), xrefs: 0078110D
CRLF), xrefs: 007812C1
LF), xrefs: 007812A4
BSR_UNICODE), xrefs: 00781338
LIMIT_MATCH=, xrefs: 00781170
0E}, xrefs: 0074673D
UTF16), xrefs: 007810CF
NO_AUTO_POSSESS), xrefs: 0078112E
UTF), xrefs: 007810FA

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID:
String ID: 0D}$0E}$0F}$3ct$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pG}$_t
API String ID: 0-2392564138
Opcode ID: 7031770e69356b912e1c5587ee896d51a89800b512ef8d123bab18a8a95a40f3
Instruction ID: a69f5dbc4fc47603cd3ebb106f8d37bef1dea652c752343ee1d9ca85fa60fdb0
Opcode Fuzzy Hash: 7031770e69356b912e1c5587ee896d51a89800b512ef8d123bab18a8a95a40f3
Instruction Fuzzy Hash: 0E7283B5E00219DBDB14DF59C8807EEB7B5FF49310F64816AE909EB290E7389D81CB91

Function 0079F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0079F113
_wcscmp.LIBCMT ref: 0079F128
_wcscmp.LIBCMT ref: 0079F13F

Part of subcall function 00794385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 007943A0

FindNextFileW.KERNEL32(00000000,?), ref: 0079F16E
FindClose.KERNEL32(00000000), ref: 0079F179
FindFirstFileW.KERNEL32(*.*,?), ref: 0079F195
_wcscmp.LIBCMT ref: 0079F1BC
_wcscmp.LIBCMT ref: 0079F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 0079F1E5
SetCurrentDirectoryW.KERNEL32(007E8920), ref: 0079F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 0079F20D
FindClose.KERNEL32(00000000), ref: 0079F21A
FindClose.KERNEL32(00000000), ref: 0079F22C

Strings

*.*, xrefs: 0079F190

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 25d81f61b8d698ae35271d402891780054606a50de13f6f73277d98325f0e081
Instruction ID: 07333d0e6fe631dfb1206323b65292f3af25064e47497f8a729cdef1bc841ce2
Opcode Fuzzy Hash: 25d81f61b8d698ae35271d402891780054606a50de13f6f73277d98325f0e081
Instruction Fuzzy Hash: F831F336901619AADF149FB4FC49FEE77ACAF49360F144275E804E20A0DB38DE45CA68

Function 0079A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0079A20F
__swprintf.LIBCMT ref: 0079A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 0079A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0079A293
_memset.LIBCMT ref: 0079A2B2
_wcsncpy.LIBCMT ref: 0079A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0079A323
CloseHandle.KERNEL32(00000000), ref: 0079A32E
RemoveDirectoryW.KERNEL32(?), ref: 0079A337
CloseHandle.KERNEL32(00000000), ref: 0079A341

Strings

\??\%s, xrefs: 0079A22B
:, xrefs: 0079A252
\, xrefs: 0079A247

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 5a3a1e6af4602321e0857a2e5abd5ac664f506deca148b0c8528e91feca57b54
Instruction ID: 632abf09cf773bda0b1e0d82cbc632073100b97da24f0e40aacb85fa6327e1dd
Opcode Fuzzy Hash: 5a3a1e6af4602321e0857a2e5abd5ac664f506deca148b0c8528e91feca57b54
Instruction Fuzzy Hash: B93190B2904209BBDB219FA0DC49FEB37BCEF89741F1041B6F909D2160EB7896458B65

Function 0079001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00790097
SetKeyboardState.USER32(?), ref: 00790102
GetAsyncKeyState.USER32(000000A0), ref: 00790122
GetKeyState.USER32(000000A0), ref: 00790139
GetAsyncKeyState.USER32(000000A1), ref: 00790168
GetKeyState.USER32(000000A1), ref: 00790179
GetAsyncKeyState.USER32(00000011), ref: 007901A5
GetKeyState.USER32(00000011), ref: 007901B3
GetAsyncKeyState.USER32(00000012), ref: 007901DC
GetKeyState.USER32(00000012), ref: 007901EA
GetAsyncKeyState.USER32(0000005B), ref: 00790213
GetKeyState.USER32(0000005B), ref: 00790221

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 103e8c7efab31782658a43db80fe724d7b1b40e8f7a76c5b6aa30b12199b1d66
Instruction ID: 89719e3d76f692d17b6a08fc12e44d9a6926fc5596ef9c2633f2d2834e3cc6a4
Opcode Fuzzy Hash: 103e8c7efab31782658a43db80fe724d7b1b40e8f7a76c5b6aa30b12199b1d66
Instruction Fuzzy Hash: 7351E8209147886DFF35DBA4A8547FABFB49F01380F08459AD9C2565C2DAAC9B8CC7E1

Function 007B03DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007B0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007AFDAD,?,?), ref: 007B0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007B04AC

Part of subcall function 00739837: __itow.LIBCMT ref: 00739862
Part of subcall function 00739837: __swprintf.LIBCMT ref: 007398AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007B054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 007B05E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 007B0822
RegCloseKey.ADVAPI32(00000000), ref: 007B082F

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: bbc548700455997b5721965fad1148fcc007d462321880f1e68cc41281beb4b3
Instruction ID: 7a15b26813cd4a570337959c96bbcaa5393a47393147c3ad5974592568d63070
Opcode Fuzzy Hash: bbc548700455997b5721965fad1148fcc007d462321880f1e68cc41281beb4b3
Instruction Fuzzy Hash: 92E14B71604200EFCB14DF28C895E6BBBE4FF89714F04896DF94ADB262DA35E901CB91

Function 007A83BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00739837: __itow.LIBCMT ref: 00739862
Part of subcall function 00739837: __swprintf.LIBCMT ref: 007398AC

CoInitialize.OLE32 ref: 007A8403
CoUninitialize.OLE32 ref: 007A840E
CoCreateInstance.OLE32(?,00000000,00000017,007C2BEC,?), ref: 007A846E
IIDFromString.OLE32(?,?), ref: 007A84E1
VariantInit.OLEAUT32(?), ref: 007A857B
VariantClear.OLEAUT32(?), ref: 007A85DC

Strings

Failed to create object, xrefs: 007A8479, 007A852F
NULL Pointer assignment, xrefs: 007A84B3
Invalid parameter, xrefs: 007A84FA

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 9d3c60258b5bcc98da1f89019c03ed17cc1b902e3692d3e1f4df038d94d02e05
Instruction ID: 222075a1d59858cbf4f2f9363835ddacfe3fed15375fbe5124f6f42dbe2691ff
Opcode Fuzzy Hash: 9d3c60258b5bcc98da1f89019c03ed17cc1b902e3692d3e1f4df038d94d02e05
Instruction Fuzzy Hash: 3F61EF70608312EFD750DF14C848F5ABBE8AF8A714F044A19F9859B291CB78ED44CB93

Function 007A4164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 007A418B
EmptyClipboard.USER32 ref: 007A4191
GlobalAlloc.KERNEL32(00000002,?), ref: 007A41A6
CloseClipboard.USER32 ref: 007A4245

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: ffd3fb47b438a9818a14f6a2e20b82b8661f2b4bf92545fd7d28b982703580fa
Instruction ID: e7803d2286cef01636f4b4be83aa1430a68e5cd559c94d9ada1e0472e539f65f
Opcode Fuzzy Hash: ffd3fb47b438a9818a14f6a2e20b82b8661f2b4bf92545fd7d28b982703580fa
Instruction Fuzzy Hash: 0B216035200214DFDB10AF64DC49F6D7BA8FF85715F108126F945DB2A1DBB9AC01CB58

Function 007937EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00734750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00734743,?,?,007337AE,?), ref: 00734770

Part of subcall function 00794A31: GetFileAttributesW.KERNEL32(?,0079370B), ref: 00794A32

FindFirstFileW.KERNEL32(?,?), ref: 007938A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0079394B
MoveFileW.KERNEL32(?,?), ref: 0079395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0079397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 0079399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 007939B9

Strings

\*.*, xrefs: 0079384E, 00793857, 0079386C

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 9c15f7373b7ca19e5e2c4554c34bad7c02a83fa03c5a6dfa2f83a417893da35c
Instruction ID: 10a6142c66490f1f34ec0b58a3ea87d2a0b0cdcded7a7fdc802f660dc290c87a
Opcode Fuzzy Hash: 9c15f7373b7ca19e5e2c4554c34bad7c02a83fa03c5a6dfa2f83a417893da35c
Instruction Fuzzy Hash: 4251AB7180014CEADF15EBA0EA96EFDB778AF10314F604169E406B7192EF386F09CB61

Function 0079F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00737DE1: _memmove.LIBCMT ref: 00737E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0079F440
Sleep.KERNEL32(0000000A), ref: 0079F470
_wcscmp.LIBCMT ref: 0079F484
_wcscmp.LIBCMT ref: 0079F49F
FindNextFileW.KERNEL32(?,?), ref: 0079F53D
FindClose.KERNEL32(00000000), ref: 0079F553

Strings

*.*, xrefs: 0079F425

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 66bd1320a90b19ee5ad85be1925e94b3d74f960e09247a6e2b80517fd75b6e6f
Instruction ID: b9c0ed551b4450819c03dcc6885a162b0aa064d52f6d9d186ba540e074afa53a
Opcode Fuzzy Hash: 66bd1320a90b19ee5ad85be1925e94b3d74f960e09247a6e2b80517fd75b6e6f
Instruction Fuzzy Hash: 34417C7190021AEFDF14EF64DC49AEEBBB8FF05310F144566E815A31A1EB38AA54CF61

Function 00743030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

3ct, xrefs: 00743225
_t, xrefs: 00743322

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3ct$_t
API String ID: 674341424-1670605766
Opcode ID: afb5b73058b863b3ef1fb43067667b9c03f39a7f0f3999871a17d4f9d32febf4
Instruction ID: 7231af76fb75c6ca739ac6cfefccff75cbfcae0a00337cb7304a95a1bc01e13e
Opcode Fuzzy Hash: afb5b73058b863b3ef1fb43067667b9c03f39a7f0f3999871a17d4f9d32febf4
Instruction Fuzzy Hash: 9922BE71608740DFDB24DF14C885BAEB7E4BF84710F10892DF99A97292DB79E904CB92

Function 00745760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007458A5
_memmove.LIBCMT ref: 007458F5
_memmove.LIBCMT ref: 0074595B

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 223ca53b60c8b55b2f8132be7a5d5c2f2534fcc58858a066dd85a5c60da72826
Instruction ID: d63c3f37626aabeea488798ce9b4f00be0e5a3075f96fcf8a174457688eb78e8
Opcode Fuzzy Hash: 223ca53b60c8b55b2f8132be7a5d5c2f2534fcc58858a066dd85a5c60da72826
Instruction Fuzzy Hash: F1129C70A00609DFDF04DFA5D985AEEB7F5FF48310F104529E846A7292EB3AAD14CB91

Function 00793B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00734750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00734743,?,?,007337AE,?), ref: 00734770

Part of subcall function 00794A31: GetFileAttributesW.KERNEL32(?,0079370B), ref: 00794A32

FindFirstFileW.KERNEL32(?,?), ref: 00793B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00793BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00793BEA
FindClose.KERNEL32(00000000), ref: 00793C01
FindClose.KERNEL32(00000000), ref: 00793C0A

Strings

\*.*, xrefs: 00793B5B

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: c8db73b1265a2bdfbe39ed026cb033625ef390d2fd1777c075ad2573b24e5029
Instruction ID: 42c9163276a593256e3894048b386a0076ad637c6ca49b5d11c2a1c24f18f6c3
Opcode Fuzzy Hash: c8db73b1265a2bdfbe39ed026cb033625ef390d2fd1777c075ad2573b24e5029
Instruction Fuzzy Hash: 5A319E71008384DBD704EF24D895DAFB7E8BE95304F444E2DF4D593192EB289A08CB67

Function 007951BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007887E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0078882B
Part of subcall function 007887E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00788858
Part of subcall function 007887E1: GetLastError.KERNEL32 ref: 00788865

ExitWindowsEx.USER32(?,00000000), ref: 007951F9

Strings

SeShutdownPrivilege, xrefs: 007951C9
@, xrefs: 007951EC
, xrefs: 007951E7

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: e119566831419139dfa79ef5397ab04e5ebed3be4a30007e9fde636b0043e21f
Instruction ID: 3926f58d10215689d10878c502230accf2e86630e835450a2020044fd96b3cbe
Opcode Fuzzy Hash: e119566831419139dfa79ef5397ab04e5ebed3be4a30007e9fde636b0043e21f
Instruction Fuzzy Hash: 6F01F7B17956256BEF296378BC8EFBA7258FB05B40F200525F913E20D2D96D1C008794

Function 007A6283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 007A62DC
WSAGetLastError.WSOCK32(00000000), ref: 007A62EB
bind.WSOCK32(00000000,?,00000010), ref: 007A6307
listen.WSOCK32(00000000,00000005), ref: 007A6316
WSAGetLastError.WSOCK32(00000000), ref: 007A6330
closesocket.WSOCK32(00000000), ref: 007A6344

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 7f6f4db5656628607b697b7a94347c7a98a0753b191b6559a6410b8c7e741530
Instruction ID: 783d942eb17490ebeae4e264c0394adabf43323dfd95171776baddc9644ca60d
Opcode Fuzzy Hash: 7f6f4db5656628607b697b7a94347c7a98a0753b191b6559a6410b8c7e741530
Instruction Fuzzy Hash: 4221D230600200DFDB00EF64CC89F6EB7E9EF85720F148258E956A7392CB78AC01CB51

Function 00745520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00750DB6: std::exception::exception.LIBCMT ref: 00750DEC
Part of subcall function 00750DB6: __CxxThrowException@8.LIBCMT ref: 00750E01

_memmove.LIBCMT ref: 00780258
_memmove.LIBCMT ref: 0078036D
_memmove.LIBCMT ref: 00780414

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 87c5cc021a4789c98113af9b32252428d5648633223d0a33f840778d56366fe5
Instruction ID: 94d1c0db24df33b05b37b5c2de103931d645a911e4d2fc13c6c624df19cbfbe3
Opcode Fuzzy Hash: 87c5cc021a4789c98113af9b32252428d5648633223d0a33f840778d56366fe5
Instruction Fuzzy Hash: 0E02E3B0A00209DFDF04EF64D985AAEBBB5FF44310F148069E80ADB252EB79DD54CB91

Function 00731287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00732612: GetWindowLongW.USER32(?,000000EB), ref: 00732623

DefDlgProcW.USER32(?,?,?,?,?), ref: 007319FA
GetSysColor.USER32(0000000F), ref: 00731A4E
SetBkColor.GDI32(?,00000000), ref: 00731A61

Part of subcall function 00731290: DefDlgProcW.USER32(?,00000020,?), ref: 007312D8

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 00601867e1f29fe8bf762125750687ca25dfb8b3ac0ea590c43374df07801e23
Instruction ID: 3149659e3feee202d39dc9dbae2b47ada66f7f7a1bd95b27d91b039f23afaa14
Opcode Fuzzy Hash: 00601867e1f29fe8bf762125750687ca25dfb8b3ac0ea590c43374df07801e23
Instruction Fuzzy Hash: A4A12971106584FAF628AB388C49EBF375CDF42342F94821AF903D6193DB2DAD41D6B6

Function 007A6747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007A7D8B: inet_addr.WSOCK32(00000000), ref: 007A7DB6

socket.WSOCK32(00000002,00000002,00000011), ref: 007A679E
WSAGetLastError.WSOCK32(00000000), ref: 007A67C7
bind.WSOCK32(00000000,?,00000010), ref: 007A6800
WSAGetLastError.WSOCK32(00000000), ref: 007A680D
closesocket.WSOCK32(00000000), ref: 007A6821

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 2aec502f36a7c7086972b42914b2e26dc7e3941f0a2f95107a48279a03be9e0d
Instruction ID: 2f8ec65a2195d628b2db0559e2c5663934dd19f96a10c28f2b125afd3d7d8b65
Opcode Fuzzy Hash: 2aec502f36a7c7086972b42914b2e26dc7e3941f0a2f95107a48279a03be9e0d
Instruction Fuzzy Hash: 7F41C375B00210AFEB50BF248C8AF6E77E8DB49714F048558FA55AB3C3CAB89D008B91

Function 007B5376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 007B53C5
IsWindowEnabled.USER32 ref: 007B53D3
GetForegroundWindow.USER32(?,?,00000001), ref: 007B53E0
IsIconic.USER32 ref: 007B53EE
IsZoomed.USER32 ref: 007B53FC

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: da1fcf9b43105c191429f79d9cb722f907a9f10876e58c228ca49fd214febeb5
Instruction ID: f3aae2c7d214a484b51158871cb1a336c1e6d66c2f41dcb269d3554ea8cf8fe4
Opcode Fuzzy Hash: da1fcf9b43105c191429f79d9cb722f907a9f10876e58c228ca49fd214febeb5
Instruction Fuzzy Hash: 2411C831700511AFEB216F26DC48F9EBBD9EF447A5B548029F945D3341DBBCDC018AA4

Function 007880A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007880C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007880CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007880D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007880E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007880F6

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9f3022fad60866f5459e2363d0935be75f25ac91c6ea98e9051c1dc4907cee98
Instruction ID: 1004b00ae8defe0b1a8ba2ea7d50ed4ff0dc7920ecb91c575c200190569ec617
Opcode Fuzzy Hash: 9f3022fad60866f5459e2363d0935be75f25ac91c6ea98e9051c1dc4907cee98
Instruction Fuzzy Hash: E0F0C270240209BFEB102FA9EC8CF673BACEF49B54B504129F905C2160CF689C01DB61

Function 00734B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00734AD0), ref: 00734B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00734B57

Strings

kernel32.dll, xrefs: 00734B40
GetNativeSystemInfo, xrefs: 00734B51

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: b0d2f0b2831a4593b4d1d8faa5dc6b2b14552a57bc3a5abc0bb166ac7a829cd7
Instruction ID: 10f40af41d10a7a8fe5da2a10e99a5f75f0e775bb98c6935785973c495937b03
Opcode Fuzzy Hash: b0d2f0b2831a4593b4d1d8faa5dc6b2b14552a57bc3a5abc0bb166ac7a829cd7
Instruction Fuzzy Hash: B1D08CB0A1071ADFD7208B39DC28B42B2D4AF00B40B10C839D481C2150D77CE480C618

Function 007AEE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 007AEE3D
Process32FirstW.KERNEL32(00000000,?), ref: 007AEE4B

Part of subcall function 00737DE1: _memmove.LIBCMT ref: 00737E22

Process32NextW.KERNEL32(00000000,?), ref: 007AEF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 007AEF1A

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: ef1791ad477893948d6f7279ea4d2213c92b0137e92069a602423bbfd7bb306b
Instruction ID: 55ad41128bdfa8762ee6e69292cc9f47a7223efdc827c83e894785edc3adc573
Opcode Fuzzy Hash: ef1791ad477893948d6f7279ea4d2213c92b0137e92069a602423bbfd7bb306b
Instruction Fuzzy Hash: E251A171508314EFE320EF24DC85E6BB7E8EF89710F00492DF595972A2EB74A904CB92

Function 0078E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0078E628

Strings

|, xrefs: 0078E658
(, xrefs: 0078E66E

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 2a14ce0c474bb8d5ff91996132e502872468de83005b12c9f3a65bf86293ed81
Instruction ID: a148265e8b3811faa3cb98f2d068a9bf6ac7fdece5c279df54cba16004ea3a07
Opcode Fuzzy Hash: 2a14ce0c474bb8d5ff91996132e502872468de83005b12c9f3a65bf86293ed81
Instruction Fuzzy Hash: 95321375A407059FDB28DF19C481AAAB7F0FF48320B15C56EE89ADB3A1E774E941CB40

Function 007A22EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,007A180A,00000000), ref: 007A23E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 007A2418

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: aff0c6108e932dd12433c618950e46ad33d76ad15653bc9d1003acee998e2c6f
Instruction ID: 837c3e720b39d5074ea4333a70ee20e5b7c5695f9416ef14eecf203aa2497a08
Opcode Fuzzy Hash: aff0c6108e932dd12433c618950e46ad33d76ad15653bc9d1003acee998e2c6f
Instruction Fuzzy Hash: 25412871504209FFEF10DE99DC85FBB77BCEB86314F10416EFA01A6142DA7D9E429650

Function 0079B333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0079B343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0079B39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0079B3EA

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: a7442b24b454e0056c7745f7bc33e79b570dde52befb90fc7b0e53fba2310127
Instruction ID: 41b3675f39e969bd41d7d40a0cef27f0c6ba1edf5a0166d01b4f31e12e2d86bb
Opcode Fuzzy Hash: a7442b24b454e0056c7745f7bc33e79b570dde52befb90fc7b0e53fba2310127
Instruction Fuzzy Hash: AA215E35A00108EFDB00EFA5E885EEDBBB8FF49310F1480A9E905AB351CB35A915CB55

Function 007887E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00750DB6: std::exception::exception.LIBCMT ref: 00750DEC
Part of subcall function 00750DB6: __CxxThrowException@8.LIBCMT ref: 00750E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0078882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00788858
GetLastError.KERNEL32 ref: 00788865

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 96cdcd5e80f002f1c1a155091f33030ee0d48352f3450e11db68f33a77324d1b
Instruction ID: cbfca0b8a947ade2b2a64299f7b6d83b0f7a9fa93f1f0d2c70622c22edcd70cf
Opcode Fuzzy Hash: 96cdcd5e80f002f1c1a155091f33030ee0d48352f3450e11db68f33a77324d1b
Instruction Fuzzy Hash: 1E11BFB2514305AFE718EFA4DC85D6BB7F8EB04711B60862EF45593211EB74BC008B60

Function 0078874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00788774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0078878B
FreeSid.ADVAPI32(?), ref: 0078879B

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 5ff3722d45f094f2b74436ab960ff82df198831647c8c78a931af2829d5ff410
Instruction ID: b788b78f6bd5a1ff81445e25c26c76b085d4bc6e68778acb0aea473c0d1c5492
Opcode Fuzzy Hash: 5ff3722d45f094f2b74436ab960ff82df198831647c8c78a931af2829d5ff410
Instruction Fuzzy Hash: 90F04975A5130CBFDF00EFF4DC89EAEBBBCEF08601F5085A9E901E2191E6756A048B54

Function 00794C7F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00794CB3

Strings

DOWN, xrefs: 00794C98

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: 76e51fd45270f5ef5ad030bd6af25ae9a0986b5543ad51ac3658379cf16cc577
Instruction ID: 8a455139d15bc493042cbd227f7cfc396504cec45ed85ef412b6cb471e2c24ba
Opcode Fuzzy Hash: 76e51fd45270f5ef5ad030bd6af25ae9a0986b5543ad51ac3658379cf16cc577
Instruction Fuzzy Hash: F3E08C7219E7213CBD042919BC0BEF7038C8B17732B500206FC10E50C2ED8C2C8764B8

Function 0079C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0079C6FB
FindClose.KERNEL32(00000000), ref: 0079C72B

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: a0722f80d8043763773c0f82edf13d904e2942529467786f95939c2a3b6b5e74
Instruction ID: cc4011fe42fde1306c72aedbd8c95e1b75b70aa55676c3a5077ad5eb43e3e751
Opcode Fuzzy Hash: a0722f80d8043763773c0f82edf13d904e2942529467786f95939c2a3b6b5e74
Instruction Fuzzy Hash: 6411A1726002009FDB10EF29D889A6AF7E9FF85320F00861DF9A9C7291DB74AC01CF81

Function 0079A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,007A9468,?,007BFB84,?), ref: 0079A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,007A9468,?,007BFB84,?), ref: 0079A0A9

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: effc9300582ddb4ecd670fc48ca3847c08e444c92bcb464ede337510ed2075e6
Instruction ID: 0fade32a1c2722dac27d4cb4d68489008869c276f908ccd9687527339e62020b
Opcode Fuzzy Hash: effc9300582ddb4ecd670fc48ca3847c08e444c92bcb464ede337510ed2075e6
Instruction Fuzzy Hash: A2F0823510522DBBDB21AFA8DC4CFEA776CBF08761F008265F909D7181D6349944CBE1

Function 007881CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00788309), ref: 007881E0
CloseHandle.KERNEL32(?,?,00788309), ref: 007881F2

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 9a5a3da1064ff08a1fef9e3383f97e49ac8841a65f2820b8969309135e60da8c
Instruction ID: 85a5da2e23c94b2a1c41a96c573ca20bab099324349c59c282979dc70b1de24e
Opcode Fuzzy Hash: 9a5a3da1064ff08a1fef9e3383f97e49ac8841a65f2820b8969309135e60da8c
Instruction Fuzzy Hash: 6CE0EC72010611EFE7253B74EC09EB77BEAEF04311724C92DF8A684470DB66AC91DB54

Function 0075A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00758D57,?,?,?,00000001), ref: 0075A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0075A163

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: eda1d0809941c7a52235831e9a209927083fb1ce432bcf344ade53782394d206
Instruction ID: c79a09ea4873e3d384f3035ce4eb85ea600843cbebf55fd9bea24fb691b523eb
Opcode Fuzzy Hash: eda1d0809941c7a52235831e9a209927083fb1ce432bcf344ade53782394d206
Instruction Fuzzy Hash: 24B09231054208ABCA002B91EC09F883FA8EB44EA2F40C120F60E86060CB6654508A99

Function 0075F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d838e02ae2c1b421526942a75e9a8bdf703a6af4e896f9fd2e2627cc66560ff
Instruction ID: c3cf2bfbfc6995c05de46902f919100520e3490413310a694c869a7bb718fc3a
Opcode Fuzzy Hash: 9d838e02ae2c1b421526942a75e9a8bdf703a6af4e896f9fd2e2627cc66560ff
Instruction Fuzzy Hash: BE32F061D29F414DD7279A34C832326A349AFB73C5F15D73BEC1AB59A6EF2C98838104

Function 0076242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35315e05ed32673dabd4031bca82af3e9fd4d280a511298af042ecac552b3334
Instruction ID: 8b501f4f82efa0d4231cfa73963f7ab3e761ff4c07ac52592fe171f65d9dfb86
Opcode Fuzzy Hash: 35315e05ed32673dabd4031bca82af3e9fd4d280a511298af042ecac552b3334
Instruction Fuzzy Hash: BDB1F120D2AF854DD32396398835336BB5CAFBB2CAF51D71BFC2670D22EB2985834145

Function 00798889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0079889B

Part of subcall function 0075520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00798F6E,00000000,?,?,?,?,0079911F,00000000,?), ref: 00755213
Part of subcall function 0075520A: __aulldiv.LIBCMT ref: 00755233

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 9d794261135c17e5d72c008cf909c06f5fb28c608b8e0e7ec411563a08b07f05
Instruction ID: d06449c92d12783cc69b21b7b357154d8f7e157135947fdb62032e886e6c5cf4
Opcode Fuzzy Hash: 9d794261135c17e5d72c008cf909c06f5fb28c608b8e0e7ec411563a08b07f05
Instruction Fuzzy Hash: 6B21B472635510CBC729CF25D841A62B3E1EFA5311B688E6CD1F5CF2D0CA78B905CB54

Function 007887B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00788389), ref: 007887D1

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 272fcdbcb9f44b570fbaf3e6310251950ce9b5895d34a0aba746a4db042fb093
Instruction ID: b96c463106a268822caf3d28d23ad4e6c9a69a122c92d166ee039201768ef986
Opcode Fuzzy Hash: 272fcdbcb9f44b570fbaf3e6310251950ce9b5895d34a0aba746a4db042fb093
Instruction Fuzzy Hash: C1D05E3226050EABEF019EA4DC02EAE3B69EB04B01F408111FE15C50A1C775D835AB60

Function 0075A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0075A12A

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: fc83450ad8e4b9ad6e8f8c2c539a091694dcd79032cfed2ec480597bf7ff47e0
Instruction ID: 77eb02f5768379fd3b641c61d9c8ac366e738e6eb60ff829c90bbfe50c446bc3
Opcode Fuzzy Hash: fc83450ad8e4b9ad6e8f8c2c539a091694dcd79032cfed2ec480597bf7ff47e0
Instruction Fuzzy Hash: 5FA0113000020CAB8A002B82EC08888BFACEA00AA0B00C020F80E820228B32A8208A88

Function 00748808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb383fae0df335f7f113c2508b543408ae9f6c9f3a322935bc3fce7e4050bea4
Instruction ID: 4b113dd6449ef9956be9d86c99567850c2febfc610cd0e539264b83b254b9ee2
Opcode Fuzzy Hash: eb383fae0df335f7f113c2508b543408ae9f6c9f3a322935bc3fce7e4050bea4
Instruction Fuzzy Hash: 2B223530A0494ECBDF789A24C89477D77A1FF02344F28856BD9528B592EBBCAD91C743

Function 007521C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 411935b401c489fa27d053f8b60e053b7080a24d185eef5df3b248a6ff2b269a
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 14C1A5322051930AEF2D463984341BEBAA15EA37B375A075DDCB3CB4D5FE58C92ED620

Function 007525FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 52805f53d9fcf556706d94e1eba2546e59bd8258c84cddb46b4acabc357376fd
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: E4C1E63220519309EF2D4639C4341BEBAA15EA37B331A076DDCB2DB5C5EE58D92DD620

Function 00751978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: c6051f23a7851f7c86e8bde8751141637ae8447236834a312f5a74845d5c1a35
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 9FC1853230519309EF2D463984742BEBBA15EA27B335A075DDCB3CB5C4EE58C96DD620

Function 01539338 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1334462787.0000000001535000.00000040.00000020.00020000.00000000.sdmp, Offset: 01535000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1535000_ql8KpEHT7y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 6d5955a263932406c96ecbcbfe7b74a13cc313b940347a5e6b691fc1ce1729a0
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 8041D5B1D1051CDBCF48CFADC991AEEBBF1AF88201F548299D516AB345D730AB41DB40

Function 015391C8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1334462787.0000000001535000.00000040.00000020.00020000.00000000.sdmp, Offset: 01535000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1535000_ql8KpEHT7y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: fdd1e9a1966b4e44708b24ff3b9abf6567acd6a21c6638eee1aee9a2186f1892
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 7D019278A00109EFCB44DF98C5909AEF7F5FB88314F208599E819AB305D730AE41DB80

Function 01539228 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1334462787.0000000001535000.00000040.00000020.00020000.00000000.sdmp, Offset: 01535000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1535000_ql8KpEHT7y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 336ea922623dd1dd0d2a81be692770aa2ddccc0155c5042fbd7082c35331f439
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 9601D2B8A05209EFCB44DF98C5809AEF7F5FB88310F208599E809AB705D730AE41CB80

Function 01537BB8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1334462787.0000000001535000.00000040.00000020.00020000.00000000.sdmp, Offset: 01535000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1535000_ql8KpEHT7y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 007A7806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007A785B
DeleteObject.GDI32(00000000), ref: 007A786D
DestroyWindow.USER32 ref: 007A787B
GetDesktopWindow.USER32 ref: 007A7895
GetWindowRect.USER32(00000000), ref: 007A789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 007A79DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 007A79ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A7A35
GetClientRect.USER32(00000000,?), ref: 007A7A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 007A7A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A7A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A7AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A7ABB
GlobalLock.KERNEL32(00000000), ref: 007A7AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A7AD3
GlobalUnlock.KERNEL32(00000000), ref: 007A7ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A7AE3
GlobalFree.KERNEL32(00000000), ref: 007A7AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A7B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,007C2CAC,00000000), ref: 007A7B16
GlobalFree.KERNEL32(00000000), ref: 007A7B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 007A7B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 007A7B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A7B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A7D7A

Strings

static, xrefs: 007A7A75, 007A7BCC
AutoIt v3, xrefs: 007A7A2D
DISPLAY, xrefs: 007A7BDD
, xrefs: 007A7D00

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 178e87ebbf7d531c3ead5e653ecb53a3ff3aa6bd4199d88a8ce7f5e29df058ba
Instruction ID: 3b69c0124a42c8dbbb7ee150c1163557a499c2e971f725a8d8915db9b6af80b6
Opcode Fuzzy Hash: 178e87ebbf7d531c3ead5e653ecb53a3ff3aa6bd4199d88a8ce7f5e29df058ba
Instruction Fuzzy Hash: 0F028371A00115EFDB14DFA8DC89EAE7BB9FF49710F108259F905AB2A1C778AD01CB64

Function 007B356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,007BF910), ref: 007B3627
IsWindowVisible.USER32(?), ref: 007B364B

Strings

ISENABLED, xrefs: 007B366B
CHECK, xrefs: 007B386D
FINDSTRING, xrefs: 007B3776
ISCHECKED, xrefs: 007B3839
GETLINE, xrefs: 007B399B
SENDCOMMANDID, xrefs: 007B39DA
HIDEDROPDOWN, xrefs: 007B3700
UNCHECK, xrefs: 007B3883
SHOWDROPDOWN, xrefs: 007B36E0
GETCURRENTCOL, xrefs: 007B3928
ADDSTRING, xrefs: 007B3716
SETCURRENTSELECTION, xrefs: 007B37B6
SELECTSTRING, xrefs: 007B3806
EDITPASTE, xrefs: 007B395F
GETCURRENTLINE, xrefs: 007B38ED
GETLINECOUNT, xrefs: 007B38C6
DELSTRING, xrefs: 007B3749
TABLEFT, xrefs: 007B3687
ISVISIBLE, xrefs: 007B3637
GETCURRENTSELECTION, xrefs: 007B37E3
CURRENTTAB, xrefs: 007B36BD
GETSELECTED, xrefs: 007B38A3
TABRIGHT, xrefs: 007B369D

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 9cd1e83bc7a72e34246c239e70dab553b8802b4c86b1192e7e64c043abaa2a87
Instruction ID: c305e6746f94890ec0b51337e21c6b4b3e330e5fbfe09f228f645649191320ed
Opcode Fuzzy Hash: 9cd1e83bc7a72e34246c239e70dab553b8802b4c86b1192e7e64c043abaa2a87
Instruction Fuzzy Hash: B7D19371204301DBCB14EF10C459BAEB7A1AF95344F148468FD855B3A3DB79EE4ACB91

Function 007BA5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 007BA630
GetSysColorBrush.USER32(0000000F), ref: 007BA661
GetSysColor.USER32(0000000F), ref: 007BA66D
SetBkColor.GDI32(?,000000FF), ref: 007BA687
SelectObject.GDI32(?,00000000), ref: 007BA696
InflateRect.USER32(?,000000FF,000000FF), ref: 007BA6C1
GetSysColor.USER32(00000010), ref: 007BA6C9
CreateSolidBrush.GDI32(00000000), ref: 007BA6D0
FrameRect.USER32(?,?,00000000), ref: 007BA6DF
DeleteObject.GDI32(00000000), ref: 007BA6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 007BA731
FillRect.USER32(?,?,00000000), ref: 007BA763
GetWindowLongW.USER32(?,000000F0), ref: 007BA78E

Part of subcall function 007BA8CA: GetSysColor.USER32(00000012), ref: 007BA903
Part of subcall function 007BA8CA: SetTextColor.GDI32(?,?), ref: 007BA907
Part of subcall function 007BA8CA: GetSysColorBrush.USER32(0000000F), ref: 007BA91D
Part of subcall function 007BA8CA: GetSysColor.USER32(0000000F), ref: 007BA928
Part of subcall function 007BA8CA: GetSysColor.USER32(00000011), ref: 007BA945
Part of subcall function 007BA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 007BA953
Part of subcall function 007BA8CA: SelectObject.GDI32(?,00000000), ref: 007BA964
Part of subcall function 007BA8CA: SetBkColor.GDI32(?,00000000), ref: 007BA96D
Part of subcall function 007BA8CA: SelectObject.GDI32(?,?), ref: 007BA97A
Part of subcall function 007BA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 007BA999
Part of subcall function 007BA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007BA9B0
Part of subcall function 007BA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 007BA9C5
Part of subcall function 007BA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007BA9ED

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: f40b98435b53740e4a87785b1a8d9ec08355193cab8c3cf1574c39ca0f15654a
Instruction ID: d3f31198478e4f5f8f5105062ba43e3e92b502460951de084ec2e07c2d43721c
Opcode Fuzzy Hash: f40b98435b53740e4a87785b1a8d9ec08355193cab8c3cf1574c39ca0f15654a
Instruction Fuzzy Hash: 62915972408305FFC711AF64DC08F9A7BA9FF88721F108B29F962961A0DB79D9448B56

Function 00732C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00732CA2
DeleteObject.GDI32(00000000), ref: 00732CE8
DeleteObject.GDI32(00000000), ref: 00732CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00732CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00732D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0076C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0076C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0076C89D

Part of subcall function 00731B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00732036,?,00000000,?,?,?,?,007316CB,00000000,?), ref: 00731B9A

SendMessageW.USER32(?,00001053), ref: 0076C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0076C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0076C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0076C912

Strings

0, xrefs: 0076C731

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: d2a0d00db23a34bfc52b5f4fad333dc5fd571676f5917e9f6eb87789c0755f45
Instruction ID: ba0060c6ca58629247eed290b82dd12354f160cfd88a423792e215c37a7d7ea2
Opcode Fuzzy Hash: d2a0d00db23a34bfc52b5f4fad333dc5fd571676f5917e9f6eb87789c0755f45
Instruction Fuzzy Hash: 69127030604201EFDB26CF24C888BB9B7E5BF45310F548569E996DB663C739EC52CBA1

Function 007A74AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 007A74DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 007A759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 007A75DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 007A75ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 007A7633
GetClientRect.USER32(00000000,?), ref: 007A763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 007A7683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007A7692
GetStockObject.GDI32(00000011), ref: 007A76A2
SelectObject.GDI32(00000000,00000000), ref: 007A76A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 007A76B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007A76BF
DeleteDC.GDI32(00000000), ref: 007A76C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007A76F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 007A770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 007A7746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 007A775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 007A776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 007A779B
GetStockObject.GDI32(00000011), ref: 007A77A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007A77B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 007A77BB

Strings

static, xrefs: 007A767D, 007A7795
msctls_progress32, xrefs: 007A773C
AutoIt v3, xrefs: 007A762B
DISPLAY, xrefs: 007A7688

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: a63300465e235c4751fc20e280504fc617bb186c9acaf79905bb6ce8c2a8f09b
Instruction ID: 136239ce0b304dfea54c11c2a672c094c9105553adf61f79f3e3b50cbb505f81
Opcode Fuzzy Hash: a63300465e235c4751fc20e280504fc617bb186c9acaf79905bb6ce8c2a8f09b
Instruction Fuzzy Hash: D6A166B1A40615BFEB14DF68DC4AFAE7B79EB45710F008214FA15A72E1D778AD00CB64

Function 0079AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0079AD1E
GetDriveTypeW.KERNEL32(?,007BFAC0,?,\\.\,007BF910), ref: 0079ADFB
SetErrorMode.KERNEL32(00000000,007BFAC0,?,\\.\,007BF910), ref: 0079AF59

Strings

Fixed, xrefs: 0079AE43
ATA, xrefs: 0079AED4
Unknown, xrefs: 0079AE1B, 0079AEBF
SSA, xrefs: 0079AEE2
SCSI, xrefs: 0079AEC6
CDROM, xrefs: 0079AE2F
Virtual, xrefs: 0079AF21
Network, xrefs: 0079AE39
Fibre, xrefs: 0079AEE9
PhysicalDrive, xrefs: 0079ADA7
ATAPI, xrefs: 0079AECD
SSD, xrefs: 0079AE86
RAMDisk, xrefs: 0079AE25
RAID, xrefs: 0079AEF7
MMC, xrefs: 0079AF1A
Removable, xrefs: 0079AE4D
1394, xrefs: 0079AEDB
FileBackedVirtual, xrefs: 0079AF28
\\.\, xrefs: 0079AD70
SATA, xrefs: 0079AF0C
SAS, xrefs: 0079AF05
USB, xrefs: 0079AEF0
iSCSI, xrefs: 0079AEFE

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 9022fae61b7ea719e7de6c1860b25e8d649663da67adf69929dc909c729821b8
Instruction ID: 30cfdce953f09387c9904297c74d9f08c4ded57536a49fae3cbd99d71736b39c
Opcode Fuzzy Hash: 9022fae61b7ea719e7de6c1860b25e8d649663da67adf69929dc909c729821b8
Instruction Fuzzy Hash: AC51A2F0646249FBCF54DB15E986CBD73A2EB4C700B208066E80BA7691DA7DDD41DB83

Function 007368DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00736931
__wcsnicmp.LIBCMT ref: 00736949
__wcsnicmp.LIBCMT ref: 00736961
__wcsnicmp.LIBCMT ref: 00736979
__wcsnicmp.LIBCMT ref: 00736991
__wcsnicmp.LIBCMT ref: 007369A9
__wcsnicmp.LIBCMT ref: 007369C1
__wcsnicmp.LIBCMT ref: 007369D5
__wcsnicmp.LIBCMT ref: 00736A16
__wcsnicmp.LIBCMT ref: 00736A2A
__wcsnicmp.LIBCMT ref: 00736A3E
__wcsnicmp.LIBCMT ref: 00736A52

Strings

#requireadmin, xrefs: 0073695B
#pragma compile, xrefs: 0073692B
#include-once, xrefs: 0073698B
#notrayicon, xrefs: 00736943
#include, xrefs: 007369A3
#comments-start, xrefs: 007369BB, 00736A10
#ce, xrefs: 00736A4C
Unterminated group of comments, xrefs: 0076E403
#OnAutoItStartRegister, xrefs: 00736973
Bad directive syntax error, xrefs: 0076E31A
Cannot parse #include, xrefs: 0076E3F0
#comments-end, xrefs: 00736A38
#cs, xrefs: 007369CF, 00736A24

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: a5298590ae7cd10187bac1c84ef24bae6af68f6671defa7e408542fec3658859
Instruction ID: d7eb3c350c9aadfa087d43b2646035193f901693ab36674d055935a5490e1af1
Opcode Fuzzy Hash: a5298590ae7cd10187bac1c84ef24bae6af68f6671defa7e408542fec3658859
Instruction Fuzzy Hash: 8A81E8F0640205FAEB21AA61DC86FEF3768AF05750F048029FD056B197EBADDE45C6A1

Function 007B9A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 007B9AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 007B9B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 007B9BA7

Strings

0, xrefs: 007B9BE4

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: ef668a74e59adc9bd82df6fecfec980ab6807139d9d7c53747951d90be5d28c4
Instruction ID: 8c2f9b4f29c11545fc68879086a8d0fe7ad7ae0c0c17bded484a69f41b3052d9
Opcode Fuzzy Hash: ef668a74e59adc9bd82df6fecfec980ab6807139d9d7c53747951d90be5d28c4
Instruction Fuzzy Hash: FD02AC31108201AFD725CF24C849FEABBE5FF49714F04862DFBA5962A1D778D944CB52

Function 007BA8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 007BA903
SetTextColor.GDI32(?,?), ref: 007BA907
GetSysColorBrush.USER32(0000000F), ref: 007BA91D
GetSysColor.USER32(0000000F), ref: 007BA928
CreateSolidBrush.GDI32(?), ref: 007BA92D
GetSysColor.USER32(00000011), ref: 007BA945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 007BA953
SelectObject.GDI32(?,00000000), ref: 007BA964
SetBkColor.GDI32(?,00000000), ref: 007BA96D
SelectObject.GDI32(?,?), ref: 007BA97A
InflateRect.USER32(?,000000FF,000000FF), ref: 007BA999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007BA9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 007BA9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007BA9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 007BAA14
InflateRect.USER32(?,000000FD,000000FD), ref: 007BAA32
DrawFocusRect.USER32(?,?), ref: 007BAA3D
GetSysColor.USER32(00000011), ref: 007BAA4B
SetTextColor.GDI32(?,00000000), ref: 007BAA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 007BAA67
SelectObject.GDI32(?,007BA5FA), ref: 007BAA7E
DeleteObject.GDI32(?), ref: 007BAA89
SelectObject.GDI32(?,?), ref: 007BAA8F
DeleteObject.GDI32(?), ref: 007BAA94
SetTextColor.GDI32(?,?), ref: 007BAA9A
SetBkColor.GDI32(?,?), ref: 007BAAA4

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 0ed2b89f27714ac4afcc2f06a75565d1c112812832d0cd6ec2fae54df6d9e047
Instruction ID: 265e12ba4c391a931a5e06c15cf4688513a7d5b40a5bdf5be3ae626648b056d1
Opcode Fuzzy Hash: 0ed2b89f27714ac4afcc2f06a75565d1c112812832d0cd6ec2fae54df6d9e047
Instruction Fuzzy Hash: D1510C71900208FFDB11AFA8DC48FEE7B79EF48720F118625F911AB2A1D6799940DF94

Function 007B89D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 007B8AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007B8AD2
CharNextW.USER32(0000014E), ref: 007B8B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 007B8B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 007B8B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007B8B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 007B8B86
SetWindowTextW.USER32(?,0000014E), ref: 007B8BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 007B8BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 007B8C1F
_memset.LIBCMT ref: 007B8C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 007B8C8D
_memset.LIBCMT ref: 007B8CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 007B8D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 007B8D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 007B8E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 007B8E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007B8E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007B8EB4
DrawMenuBar.USER32(?), ref: 007B8EC3
SetWindowTextW.USER32(?,0000014E), ref: 007B8EEB

Strings

0, xrefs: 007B8E55

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 9076a60c9a256f2fab79ae3cfabdf269bf37fc4741f344492b3fd65f50df3414
Instruction ID: 3a23cd276b796268b7d4e11e54cf02a9a05561787a8aba5e894421d3fc7687fc
Opcode Fuzzy Hash: 9076a60c9a256f2fab79ae3cfabdf269bf37fc4741f344492b3fd65f50df3414
Instruction Fuzzy Hash: 12E17F70900208EFDB609F64CC88FEE7B7DEF09710F14815AF925AA291DB788985DF61

Function 007B488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007B49CA
GetDesktopWindow.USER32 ref: 007B49DF
GetWindowRect.USER32(00000000), ref: 007B49E6
GetWindowLongW.USER32(?,000000F0), ref: 007B4A48
DestroyWindow.USER32(?), ref: 007B4A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007B4A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007B4ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 007B4AE1
SendMessageW.USER32(?,00000421,?,?), ref: 007B4AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 007B4B09
IsWindowVisible.USER32(?), ref: 007B4B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 007B4B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 007B4B58
GetWindowRect.USER32(?,?), ref: 007B4B70
MonitorFromPoint.USER32(?,?,00000002), ref: 007B4B96
GetMonitorInfoW.USER32(00000000,?), ref: 007B4BB0
CopyRect.USER32(?,?), ref: 007B4BC7
SendMessageW.USER32(?,00000412,00000000), ref: 007B4C32

Strings

(, xrefs: 007B4BA3
0, xrefs: 007B4975
tooltips_class32, xrefs: 007B4A96

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: c836350f304ad7b428d8f5ce88572c8e1abc92c02f8c84909a8585e8643dd860
Instruction ID: 4e3fb791aecd1b3aa549d0eeac36456a7440df2ee0de87c1adacdc9bdd12f8ec
Opcode Fuzzy Hash: c836350f304ad7b428d8f5ce88572c8e1abc92c02f8c84909a8585e8643dd860
Instruction Fuzzy Hash: D0B16C71604340AFDB04DF64C888BAABBE4BF88714F008A1DF9999B292D779EC05CB55

Function 0079449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 007944AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 007944D2
_wcscpy.LIBCMT ref: 00794500
_wcscmp.LIBCMT ref: 0079450B
_wcscat.LIBCMT ref: 00794521
_wcsstr.LIBCMT ref: 0079452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00794548
_wcscat.LIBCMT ref: 00794591
_wcscat.LIBCMT ref: 00794598
_wcsncpy.LIBCMT ref: 007945C3

Strings

%u.%u.%u.%u, xrefs: 00794626
\VarFileInfo\Translation, xrefs: 00794540
StringFileInfo\, xrefs: 0079451B
DefaultLangCodepage, xrefs: 007945AB
04090000, xrefs: 0079457E

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 229f5fd34e188ee65ba79b0f2c5330b31e9448ada74fdcdf1da4dac8203de139
Instruction ID: d7c8e708865088b60f3b3f1cbba851187741347433fecf5e2b8d403ba840779d
Opcode Fuzzy Hash: 229f5fd34e188ee65ba79b0f2c5330b31e9448ada74fdcdf1da4dac8203de139
Instruction Fuzzy Hash: B741E572A00201BBEB14AB749C0BEFF777CDF46711F104069FD04A6182EE7D9A1696A9

Function 007327D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007328BC
GetSystemMetrics.USER32(00000007), ref: 007328C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007328EF
GetSystemMetrics.USER32(00000008), ref: 007328F7
GetSystemMetrics.USER32(00000004), ref: 0073291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00732939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00732949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0073297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00732990
GetClientRect.USER32(00000000,000000FF), ref: 007329AE
GetStockObject.GDI32(00000011), ref: 007329CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 007329D5

Part of subcall function 00732344: GetCursorPos.USER32(?), ref: 00732357
Part of subcall function 00732344: ScreenToClient.USER32(007F57B0,?), ref: 00732374
Part of subcall function 00732344: GetAsyncKeyState.USER32(00000001), ref: 00732399
Part of subcall function 00732344: GetAsyncKeyState.USER32(00000002), ref: 007323A7

SetTimer.USER32(00000000,00000000,00000028,00731256), ref: 007329FC

Strings

AutoIt v3 GUI, xrefs: 00732974

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 24df496561ad4771606ad38713a3d9f9103aad443357db0b3b2258c23428ec85
Instruction ID: 5d4aaa84ee58a1efe30f692630645795e19faed292fa1149d97e2548378d45dc
Opcode Fuzzy Hash: 24df496561ad4771606ad38713a3d9f9103aad443357db0b3b2258c23428ec85
Instruction Fuzzy Hash: 69B15F7160020AEFEB15DFA8DC45BED7BB4FB08710F108229FA15A7291DB78A851CB54

Function 0078A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0078A47A
__swprintf.LIBCMT ref: 0078A51B
_wcscmp.LIBCMT ref: 0078A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0078A583
_wcscmp.LIBCMT ref: 0078A5BF
GetClassNameW.USER32(?,?,00000400), ref: 0078A5F6
GetDlgCtrlID.USER32(?), ref: 0078A648
GetWindowRect.USER32(?,?), ref: 0078A67E
GetParent.USER32(?), ref: 0078A69C
ScreenToClient.USER32(00000000), ref: 0078A6A3
GetClassNameW.USER32(?,?,00000100), ref: 0078A71D
_wcscmp.LIBCMT ref: 0078A731
GetWindowTextW.USER32(?,?,00000400), ref: 0078A757
_wcscmp.LIBCMT ref: 0078A76B

Part of subcall function 0075362C: _iswctype.LIBCMT ref: 00753634

Strings

%s%u, xrefs: 0078A515

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 81f39d9108e7f4f3185da9cb2e7f088ee30803a28657a1eec95b374688b10dee
Instruction ID: 60591a8fec6c06175e701249c13f7ef58d2b622f494209e3bc475f055fbb396c
Opcode Fuzzy Hash: 81f39d9108e7f4f3185da9cb2e7f088ee30803a28657a1eec95b374688b10dee
Instruction Fuzzy Hash: C6A1B371244206FFE714EF64C888FAAB7E8FF44355F10862AF999C2150D738E955CB92

Function 0078AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0078AF18
_wcscmp.LIBCMT ref: 0078AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 0078AF51
CharUpperBuffW.USER32(?,00000000), ref: 0078AF6E
_wcscmp.LIBCMT ref: 0078AF8C
_wcsstr.LIBCMT ref: 0078AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 0078AFD5
_wcscmp.LIBCMT ref: 0078AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 0078B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 0078B055
_wcscmp.LIBCMT ref: 0078B065
GetClassNameW.USER32(00000010,?,00000400), ref: 0078B08D
GetWindowRect.USER32(00000004,?), ref: 0078B0F6

Strings

@, xrefs: 0078AEF9
ThumbnailClass, xrefs: 0078AFE0, 0078B060

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: e232edf851395b30ca99f295de0a0d5168269649d7fce1790c65d19e5297597f
Instruction ID: 833094549b5c905ebbe9195aa930e4862e6eacfb31ababf99086bc0193ae0f08
Opcode Fuzzy Hash: e232edf851395b30ca99f295de0a0d5168269649d7fce1790c65d19e5297597f
Instruction Fuzzy Hash: ED81C371148309EFEB05EF14C889FAA77D8EF44714F04856AFD858A0A6DB38DD49CB61

Function 0078ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0078AC33

Strings

[REGEXPTITLE:, xrefs: 0078AC5B
[HANDLE:, xrefs: 0078AC3F
ACTIVE, xrefs: 0078AC0E
CLASSNAME=, xrefs: 0078AC70
HANDLE=, xrefs: 0078AC2C
[ACTIVE, xrefs: 0078AC20
[CLASS:, xrefs: 0078AC83
[LAST, xrefs: 0078ACE0
[ALL, xrefs: 0078ACD9
LAST, xrefs: 0078ABF8
ALL, xrefs: 0078ACC7
REGEXP=, xrefs: 0078AC48

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 651fdd9a86d7b27211450bffffae492347d0d57299a7f75c3b543fe53a588b9c
Instruction ID: 91f1138abfe7fcf343256242991d47a40934689ff645fa37a9869a51099e48c0
Opcode Fuzzy Hash: 651fdd9a86d7b27211450bffffae492347d0d57299a7f75c3b543fe53a588b9c
Instruction Fuzzy Hash: 2C31C4B0A88249F6EA18FA55DD4BEEE77A49F14711F60442AF801710D2EF5D6F04C762

Function 007A4FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 007A5013
LoadCursorW.USER32(00000000,00007F00), ref: 007A501E
LoadCursorW.USER32(00000000,00007F03), ref: 007A5029
LoadCursorW.USER32(00000000,00007F8B), ref: 007A5034
LoadCursorW.USER32(00000000,00007F01), ref: 007A503F
LoadCursorW.USER32(00000000,00007F81), ref: 007A504A
LoadCursorW.USER32(00000000,00007F88), ref: 007A5055
LoadCursorW.USER32(00000000,00007F80), ref: 007A5060
LoadCursorW.USER32(00000000,00007F86), ref: 007A506B
LoadCursorW.USER32(00000000,00007F83), ref: 007A5076
LoadCursorW.USER32(00000000,00007F85), ref: 007A5081
LoadCursorW.USER32(00000000,00007F82), ref: 007A508C
LoadCursorW.USER32(00000000,00007F84), ref: 007A5097
LoadCursorW.USER32(00000000,00007F04), ref: 007A50A2
LoadCursorW.USER32(00000000,00007F02), ref: 007A50AD
LoadCursorW.USER32(00000000,00007F89), ref: 007A50B8
GetCursorInfo.USER32(?), ref: 007A50C8

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 44174dbd19f46ef9a52183b3b704060dd245de8705445bad60a35b4fba4845ff
Instruction ID: 6b5aba5be1b31715feb70bff0bc4fd4c7bbd7422d2325e570333ded84753f7ce
Opcode Fuzzy Hash: 44174dbd19f46ef9a52183b3b704060dd245de8705445bad60a35b4fba4845ff
Instruction Fuzzy Hash: 3331E1B1D4831DAADB109FB68C899AFBFE8FB44750F50452AA50DE7281DA78A5008E91

Function 007BA1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007BA259
DestroyWindow.USER32(?,?), ref: 007BA2D3

Part of subcall function 00737BCC: _memmove.LIBCMT ref: 00737C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 007BA34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 007BA36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007BA382
DestroyWindow.USER32(00000000), ref: 007BA3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00730000,00000000), ref: 007BA3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007BA3F4
GetDesktopWindow.USER32 ref: 007BA40D
GetWindowRect.USER32(00000000), ref: 007BA414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007BA42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 007BA444

Part of subcall function 007325DB: GetWindowLongW.USER32(?,000000EB), ref: 007325EC

Strings

0, xrefs: 007BA26F
tooltips_class32, xrefs: 007BA346, 007BA3D4

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 88f0c009c3d5d3c3e55acb85c2a9311dd0fd96f49a2c868ed85e12b85ffe0060
Instruction ID: 0cf3ac3f19e52cc1b076abce9a89dc0e293ea98ecdbc3c6f731cf5dbd1beddc2
Opcode Fuzzy Hash: 88f0c009c3d5d3c3e55acb85c2a9311dd0fd96f49a2c868ed85e12b85ffe0060
Instruction Fuzzy Hash: C871CD70140645BFE725DF28CC49FAA7BE5FB88704F04852DF985872A1DBB8E902CB56

Function 007BC5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00732612: GetWindowLongW.USER32(?,000000EB), ref: 00732623

DragQueryPoint.SHELL32(?,?), ref: 007BC627

Part of subcall function 007BAB37: ClientToScreen.USER32(?,?), ref: 007BAB60
Part of subcall function 007BAB37: GetWindowRect.USER32(?,?), ref: 007BABD6
Part of subcall function 007BAB37: PtInRect.USER32(?,?,007BC014), ref: 007BABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 007BC690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007BC69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007BC6BE
_wcscat.LIBCMT ref: 007BC6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 007BC705
SendMessageW.USER32(?,000000B0,?,?), ref: 007BC71E
SendMessageW.USER32(?,000000B1,?,?), ref: 007BC735
SendMessageW.USER32(?,000000B1,?,?), ref: 007BC757
DragFinish.SHELL32(?), ref: 007BC75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 007BC851

Strings

@GUI_DRAGID, xrefs: 007BC7C9
@GUI_DRAGFILE, xrefs: 007BC800
@GUI_DROPID, xrefs: 007BC77E

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: d2668ffe42db3c9dde564e5a3f7e531230a49f6369a8b58671e52efd5996feac
Instruction ID: d7bc2ae29efa0ee93b6cc6e19ad464fc3e8a78448e9f04a37b3b05add6438e2b
Opcode Fuzzy Hash: d2668ffe42db3c9dde564e5a3f7e531230a49f6369a8b58671e52efd5996feac
Instruction Fuzzy Hash: D5617271108300EFD701EF64CC89EAFBBE8EF88710F00492EF695961A1DB74A909CB56

Function 007B4392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007B4424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007B446F

Strings

CHECK, xrefs: 007B448F
ISCHECKED, xrefs: 007B45F2
EXISTS, xrefs: 007B44D8
UNCHECK, xrefs: 007B464B
GETITEMCOUNT, xrefs: 007B4551
EXPAND, xrefs: 007B4521
GETTOTALCOUNT, xrefs: 007B4456
GETTEXT, xrefs: 007B45C2
GETSELECTED, xrefs: 007B457F
COLLAPSE, xrefs: 007B44B5
SELECT, xrefs: 007B4620

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 046511abf9e829a23223180ffcd29772fae70ea924a1a9d54c0253d39f32aa26
Instruction ID: 68c9cffa9bc6a2d8aa5c6051b397dd37c30574eeb314422f1047dc4a77393d97
Opcode Fuzzy Hash: 046511abf9e829a23223180ffcd29772fae70ea924a1a9d54c0253d39f32aa26
Instruction Fuzzy Hash: BD918A71200700DFDB14EF24C895AAEB7A1AF95354F04886CF9965B3A3CB79ED09CB81

Function 007BB7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007BB8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,007B91C2), ref: 007BB910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007BB949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007BB98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007BB9C3
FreeLibrary.KERNEL32(?), ref: 007BB9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007BB9DF
DestroyIcon.USER32(?,?,?,?,?,007B91C2), ref: 007BB9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 007BBA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 007BBA17

Part of subcall function 00752EFD: __wcsicmp_l.LIBCMT ref: 00752F86

Strings

.exe, xrefs: 007BB84A
.dll, xrefs: 007BB86D
.icl, xrefs: 007BB82A

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: fdc10b39941451c3386324d64e12d8379c9035a90c5abfd6e7a7557f6840e15b
Instruction ID: 6d92645aaf8838290a0f5d40fb64bcb75471f14ae9fb32df3c53e67e60a49baf
Opcode Fuzzy Hash: fdc10b39941451c3386324d64e12d8379c9035a90c5abfd6e7a7557f6840e15b
Instruction Fuzzy Hash: 8761DEB1900209FAEB14DF64CC45FFE7BA8EB08B11F108215FE15D61C1DBB8A981DBA0

Function 0079A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00739837: __itow.LIBCMT ref: 00739862
Part of subcall function 00739837: __swprintf.LIBCMT ref: 007398AC

CharLowerBuffW.USER32(?,?), ref: 0079A3CB
GetDriveTypeW.KERNEL32 ref: 0079A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0079A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0079A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0079A4C5

Part of subcall function 00737BCC: _memmove.LIBCMT ref: 00737C06

Strings

type cdaudio alias cd wait, xrefs: 0079A443
closed, xrefs: 0079A3DF, 0079A3E8
close cd wait, xrefs: 0079A4B0
close, xrefs: 0079A3D1
set cd door , xrefs: 0079A466
wait, xrefs: 0079A482
open , xrefs: 0079A427
open, xrefs: 0079A3F2

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 707bec6b5834581bf8d05f5ea734f6594f2ca91a117ad857c6f70bd9967bcaaa
Instruction ID: 6bb4329f7ae1ec9a957c07a9bee6b45daaefb65a9dfd31dca64c19fe7817e4bb
Opcode Fuzzy Hash: 707bec6b5834581bf8d05f5ea734f6594f2ca91a117ad857c6f70bd9967bcaaa
Instruction Fuzzy Hash: 8C518CB1104345DFD744EF25C88596AB3F8EF88718F00886CF88A57262DB79ED09CB82

Function 0078F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0076E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0078F8DF
LoadStringW.USER32(00000000,?,0076E029,00000001), ref: 0078F8E8

Part of subcall function 00737DE1: _memmove.LIBCMT ref: 00737E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0076E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0078F90A
LoadStringW.USER32(00000000,?,0076E029,00000001), ref: 0078F90D
__swprintf.LIBCMT ref: 0078F95D
__swprintf.LIBCMT ref: 0078F96E
_wprintf.LIBCMT ref: 0078FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0078FA2E

Strings

Error: , xrefs: 0078F9E5
Line %d:, xrefs: 0078F968
Line %d (File "%s"):, xrefs: 0078F957
^ ERROR, xrefs: 0078F9C3
%s (%d) : ==> %s: %s %s, xrefs: 0078FA12

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: c3cf60569da33ed404e4c14c141d5d2edd7ab2bb507b37092423ed1a4f7dda22
Instruction ID: 71426e728e1eec44087ef4552f783d03c557cab803214cf3be6176882e6390a0
Opcode Fuzzy Hash: c3cf60569da33ed404e4c14c141d5d2edd7ab2bb507b37092423ed1a4f7dda22
Instruction Fuzzy Hash: 2A4120B290410DEADB19FBE0DD4AEEEB778AF18310F504465F505B6092EA396F09CB61

Function 007BBA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,007B9207,?,?), ref: 007BBA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,007B9207,?,?,00000000,?), ref: 007BBA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,007B9207,?,?,00000000,?), ref: 007BBA78
CloseHandle.KERNEL32(00000000,?,?,?,?,007B9207,?,?,00000000,?), ref: 007BBA85
GlobalLock.KERNEL32(00000000), ref: 007BBA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,007B9207,?,?,00000000,?), ref: 007BBA9D
GlobalUnlock.KERNEL32(00000000), ref: 007BBAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,007B9207,?,?,00000000,?), ref: 007BBAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,007B9207,?,?,00000000,?), ref: 007BBABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,007C2CAC,?), ref: 007BBAD7
GlobalFree.KERNEL32(00000000), ref: 007BBAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 007BBB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 007BBB36
DeleteObject.GDI32(00000000), ref: 007BBB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007BBB74

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 1f3ce5ed4f43b702eae3e9b05a448a423b3a43655e293143d0738c8705336230
Instruction ID: 2d50cb3272c7d77e53fdc750fb12fb22135ba935d69ade83365ca9df02acf432
Opcode Fuzzy Hash: 1f3ce5ed4f43b702eae3e9b05a448a423b3a43655e293143d0738c8705336230
Instruction Fuzzy Hash: 56410775600208EFDB119F69DC88FABBBB8FB89B11F108169F906D7260D7789D01CB64

Function 0079D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0079DA10
_wcscat.LIBCMT ref: 0079DA28
_wcscat.LIBCMT ref: 0079DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0079DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 0079DA63
GetFileAttributesW.KERNEL32(?), ref: 0079DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 0079DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 0079DAA7

Strings

*.*, xrefs: 0079DAE6

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 0d6d8c88a57d9f1ef58d4fed549335093311797832a7d791c93f8815746d1b0d
Instruction ID: db0667e72addc43e5c88c3df2e012a2386b5c0d00254b955404f9666393deb09
Opcode Fuzzy Hash: 0d6d8c88a57d9f1ef58d4fed549335093311797832a7d791c93f8815746d1b0d
Instruction Fuzzy Hash: C7819FB15043419FCF34EF64D845AAAB7E8EF99320F14882AF889D7251E638ED45CB52

Function 007BC1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00732612: GetWindowLongW.USER32(?,000000EB), ref: 00732623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007BC1FC
GetFocus.USER32 ref: 007BC20C
GetDlgCtrlID.USER32(00000000), ref: 007BC217
_memset.LIBCMT ref: 007BC342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 007BC36D
GetMenuItemCount.USER32(?), ref: 007BC38D
GetMenuItemID.USER32(?,00000000), ref: 007BC3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 007BC3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 007BC41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007BC454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 007BC489

Strings

0, xrefs: 007BC33A

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: c6f24078a35cf5ae4e672874b2e6d183b902b6e0001444fc6bd3f0a4b7f692e6
Instruction ID: 2f725f828ad088dcd3186c2d959beb3cd3cb25ce6944a3434f71af6a5ec5012b
Opcode Fuzzy Hash: c6f24078a35cf5ae4e672874b2e6d183b902b6e0001444fc6bd3f0a4b7f692e6
Instruction Fuzzy Hash: 8B815C70608341AFD711DF14C898BAABBE8FF88754F00892EFA9597291D778D905CB62

Function 007A731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007A738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 007A739B
CreateCompatibleDC.GDI32(?), ref: 007A73A7
SelectObject.GDI32(00000000,?), ref: 007A73B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 007A7408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 007A7444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 007A7468
SelectObject.GDI32(00000006,?), ref: 007A7470
DeleteObject.GDI32(?), ref: 007A7479
DeleteDC.GDI32(00000006), ref: 007A7480
ReleaseDC.USER32(00000000,?), ref: 007A748B

Strings

(, xrefs: 007A7410

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: a9e4e8459bc1e9a66d2489709bb127d8391566ffc0f5e1055ac0f529e996a4fb
Instruction ID: 06c1d45e8ad6858d460d9a566325fabaa051fc563e66727e92865f55f48a1cb7
Opcode Fuzzy Hash: a9e4e8459bc1e9a66d2489709bb127d8391566ffc0f5e1055ac0f529e996a4fb
Instruction Fuzzy Hash: 86516A71904309EFCB14CFA8CC85EAEBBB9EF89710F14862DF99997221C775A840CB50

Function 00736A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00750957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00736B0C,?,00008000), ref: 00750973

Part of subcall function 00734750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00734743,?,?,007337AE,?), ref: 00734770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00736BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00736CFA

Part of subcall function 0073586D: _wcscpy.LIBCMT ref: 007358A5

Part of subcall function 0075363D: _iswctype.LIBCMT ref: 00753645

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0076E496
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0076E421
AU3!, xrefs: 00736B61
Error opening the file, xrefs: 0076E43D, 0076E4B8
Bad directive syntax error, xrefs: 0076E79D
Unterminated string, xrefs: 0076E7E4
EA06, xrefs: 0076E452

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 950ab3280ecf8207c5179aaab16cf65f44a579e9a91230c963086498556d351e
Instruction ID: f24d345859e09286ee50d8b2f3f7f0c8405f4b9705a0b933c64a4261eda1fbf2
Opcode Fuzzy Hash: 950ab3280ecf8207c5179aaab16cf65f44a579e9a91230c963086498556d351e
Instruction Fuzzy Hash: 0C029D74108341DFD724EF24C885AAFBBE5EF99314F10491DF886972A2DB38E949CB52

Function 00792D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00792D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00792DDD
GetMenuItemCount.USER32(007F5890), ref: 00792E66
DeleteMenu.USER32(007F5890,00000005,00000000,000000F5,?,?), ref: 00792EF6
DeleteMenu.USER32(007F5890,00000004,00000000), ref: 00792EFE
DeleteMenu.USER32(007F5890,00000006,00000000), ref: 00792F06
DeleteMenu.USER32(007F5890,00000003,00000000), ref: 00792F0E
GetMenuItemCount.USER32(007F5890), ref: 00792F16
SetMenuItemInfoW.USER32(007F5890,00000004,00000000,00000030), ref: 00792F4C
GetCursorPos.USER32(?), ref: 00792F56
SetForegroundWindow.USER32(00000000), ref: 00792F5F
TrackPopupMenuEx.USER32(007F5890,00000000,?,00000000,00000000,00000000), ref: 00792F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00792F7E

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: cd3bdccfc49dfde73cf81c3a841c10daad7437cc48b7eae93fc2714a89d51881
Instruction ID: 095629983f9607dcf9f8116975519dbeb9f658cc976bf2152cd8ef53e0e3aac0
Opcode Fuzzy Hash: cd3bdccfc49dfde73cf81c3a841c10daad7437cc48b7eae93fc2714a89d51881
Instruction Fuzzy Hash: DC71F670640205BFEF21AF54EC89FAABF65FF04724F104216F625A61E2C7B96C21DB94

Function 007A88AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007A88D7
CoInitialize.OLE32(00000000), ref: 007A8904
CoUninitialize.OLE32 ref: 007A890E
GetRunningObjectTable.OLE32(00000000,?), ref: 007A8A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 007A8B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,007C2C0C), ref: 007A8B6F
CoGetObject.OLE32(?,00000000,007C2C0C,?), ref: 007A8B92
SetErrorMode.KERNEL32(00000000), ref: 007A8BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 007A8C25
VariantClear.OLEAUT32(?), ref: 007A8C35

Strings

,,|, xrefs: 007A88C1

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,|
API String ID: 2395222682-2928947247
Opcode ID: 5213ad74a5fdd4ace71019cc722dba93009c355ddbbe4c6a9cd7f43ee12aa9ca
Instruction ID: 5c1a53cfb9c1520ba0e72941183d024cb92a7ed4a65879ec9cc68be77e8d374c
Opcode Fuzzy Hash: 5213ad74a5fdd4ace71019cc722dba93009c355ddbbe4c6a9cd7f43ee12aa9ca
Instruction Fuzzy Hash: 7FC124B1608305AFD740DF28C88492BB7E9FF89748F004A5DF98A9B251DB75ED05CB62

Function 007877DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00737BCC: _memmove.LIBCMT ref: 00737C06

_memset.LIBCMT ref: 0078786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007878A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007878BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007878D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00787902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0078792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00787935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0078793A

Strings

\IPC$, xrefs: 00787882
\CLSID, xrefs: 00787822
SOFTWARE\Classes\, xrefs: 0078780C

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: d7070198c70ccc9678eb6cee4e8acb6dc30efd74719d16d049c1aff2cddc7ff7
Instruction ID: 857c1359f855f2ffc73eedb0dbe7d9f08ed2afd14fbd56f1b2c54d0331730564
Opcode Fuzzy Hash: d7070198c70ccc9678eb6cee4e8acb6dc30efd74719d16d049c1aff2cddc7ff7
Instruction Fuzzy Hash: B1410BB2C14229EBDF25EBA4DC59DEDB778FF04710F404529F805A3162EA389D04CB90

Function 007B0E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,007AFDAD,?,?), ref: 007B0E31

Strings

HKEY_LOCAL_MACHINE, xrefs: 007B0E9A
HKCU, xrefs: 007B0F21
HKCC, xrefs: 007B0EFF
HKU, xrefs: 007B0F43
HKEY_CLASSES_ROOT, xrefs: 007B0EC4
HKEY_USERS, xrefs: 007B0F32
HKEY_CURRENT_USER, xrefs: 007B0F10
HKCR, xrefs: 007B0ED9
HKLM, xrefs: 007B0EAF
HKEY_CURRENT_CONFIG, xrefs: 007B0EEE

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: d8ba491218e98b0c6186dcb3879557e806a94f5bab21fd5bbe22a29b24bfb9b4
Instruction ID: f1af55683cb22bce433311e2f6c02eb566a3788c92ab36d4916c709d6da95253
Opcode Fuzzy Hash: d8ba491218e98b0c6186dcb3879557e806a94f5bab21fd5bbe22a29b24bfb9b4
Instruction Fuzzy Hash: 2941167220028ACFDF20EE10D859AFF3764AF16304F144468FC555B292DB7CA91ACBA0

Function 0078F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0076E2A0,00000010,?,Bad directive syntax error,007BF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0078F7C2
LoadStringW.USER32(00000000,?,0076E2A0,00000010), ref: 0078F7C9

Part of subcall function 00737DE1: _memmove.LIBCMT ref: 00737E22

_wprintf.LIBCMT ref: 0078F7FC
__swprintf.LIBCMT ref: 0078F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0078F88D

Strings

Line %d:, xrefs: 0078F818
Line %d (File "%s"):, xrefs: 0078F833
., xrefs: 0078F873
Error: , xrefs: 0078F85B
%s (%d) : ==> %s.: %s %s, xrefs: 0078F7F7

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 7124aa5391b03da96cb5a24c9d27d76ae994d16728126170fb25cba0868e1930
Instruction ID: 17876ea0817d87883e31a2dac73d285f7e023f28af5c4dbc0ace3b535947c5b6
Opcode Fuzzy Hash: 7124aa5391b03da96cb5a24c9d27d76ae994d16728126170fb25cba0868e1930
Instruction Fuzzy Hash: 4C217E7295021EEFDF16EF90CC4AEEE7739BF18300F044869F505660A2EA79A618DB51

Function 007952C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00737BCC: _memmove.LIBCMT ref: 00737C06

Part of subcall function 00737924: _memmove.LIBCMT ref: 007379AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00795330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00795346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00795357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00795369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0079537A

Strings

status PlayMe mode, xrefs: 0079532B
alias PlayMe, xrefs: 00795309
close PlayMe, xrefs: 00795341, 0079536E
play PlayMe, xrefs: 00795375
open , xrefs: 007952DF
play PlayMe wait, xrefs: 00795364

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: eb6efccccc56cf85302ecf2b3f68ff6a7b5b73b240e34c41c8d401b91c486085
Instruction ID: 75051661ca5b7b007b184f784659784febcb53734f99babc59ec04263907b643
Opcode Fuzzy Hash: eb6efccccc56cf85302ecf2b3f68ff6a7b5b73b240e34c41c8d401b91c486085
Instruction Fuzzy Hash: 3D11EBB095116DB9EB64B7B2DC4EDFF7B7CEB95B44F000419B405920D2DEA81D44C671

Function 007946B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007946D2
gethostname.WSOCK32(?,00000100), ref: 007946EC
gethostbyname.WSOCK32(?), ref: 007946F9
_wcscpy.LIBCMT ref: 00794721
_memmove.LIBCMT ref: 00794734
inet_ntoa.WSOCK32(?), ref: 0079473F
_strcat.LIBCMT ref: 0079474D
_wcscpy.LIBCMT ref: 00794764
WSACleanup.WSOCK32 ref: 00794772
_wcscpy.LIBCMT ref: 00794780

Strings

0.0.0.0, xrefs: 0079471B

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: c4fecf46becd7b43c5c5a50da8adf656a22c09df3f1b6c21aa2cdecf797e8819
Instruction ID: c66986db7208b94a70922793feb0563fddc7ff9cc02fa1fe2102729f6699c2a2
Opcode Fuzzy Hash: c4fecf46becd7b43c5c5a50da8adf656a22c09df3f1b6c21aa2cdecf797e8819
Instruction Fuzzy Hash: 7111EB31500118BFDF10AB70AC4AFDA77BCEF06711F0442B5F44596151EFBD9E868A50

Function 00794F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00794F7A

Part of subcall function 0075049F: timeGetTime.WINMM(?,75A4B400,00740E7B), ref: 007504A3

Sleep.KERNEL32(0000000A), ref: 00794FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00794FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00794FEC
SetActiveWindow.USER32 ref: 0079500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00795019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00795038
Sleep.KERNEL32(000000FA), ref: 00795043
IsWindow.USER32 ref: 0079504F
EndDialog.USER32(00000000), ref: 00795060

Strings

BUTTON, xrefs: 00794FDE

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 8ce1077630c1eabb2b194ecf7f9ee5180a2fd1393b92b9113750f151736826c4
Instruction ID: 4c8282b164e1545cd43f95f33b26582b0bc6caa708c16f6fbdfcc9c26e0bf70f
Opcode Fuzzy Hash: 8ce1077630c1eabb2b194ecf7f9ee5180a2fd1393b92b9113750f151736826c4
Instruction Fuzzy Hash: E121C3B0205605BFEB115F34FC89F363B6AEB08B55F089224F505921B1DB7D8D20C769

Function 0079D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00739837: __itow.LIBCMT ref: 00739862
Part of subcall function 00739837: __swprintf.LIBCMT ref: 007398AC

CoInitialize.OLE32(00000000), ref: 0079D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0079D67D
SHGetDesktopFolder.SHELL32(?), ref: 0079D691
CoCreateInstance.OLE32(007C2D7C,00000000,00000001,007E8C1C,?), ref: 0079D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0079D74C
CoTaskMemFree.OLE32(?,?), ref: 0079D7A4
_memset.LIBCMT ref: 0079D7E1
SHBrowseForFolderW.SHELL32(?), ref: 0079D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0079D840
CoTaskMemFree.OLE32(00000000), ref: 0079D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0079D87E
CoUninitialize.OLE32(00000001,00000000), ref: 0079D880

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 9ccafec51354390512849a3ce403fac276e2fadc92cb1b0dc085b768f07b0cbe
Instruction ID: 569799b672aac9b3559634bdf8efb5f727826525d828b0d76b0b534f247bfa0c
Opcode Fuzzy Hash: 9ccafec51354390512849a3ce403fac276e2fadc92cb1b0dc085b768f07b0cbe
Instruction Fuzzy Hash: 01B10A75A00109EFDB14DFA4D888EAEBBB9FF48314F148569E909EB261DB34ED41CB50

Function 0078C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0078C283
GetWindowRect.USER32(00000000,?), ref: 0078C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0078C2F3
GetDlgItem.USER32(?,00000002), ref: 0078C2FE
GetWindowRect.USER32(00000000,?), ref: 0078C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0078C364
GetDlgItem.USER32(?,000003E9), ref: 0078C372
GetWindowRect.USER32(00000000,?), ref: 0078C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0078C3C6
GetDlgItem.USER32(?,000003EA), ref: 0078C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0078C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0078C3FE

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 7472f3944eebff4ba670e6049831967441bcb2f02c0418d9b4ee2e3f31ece3ff
Instruction ID: 543f49549403ceddbacc04bc60a7ce4b81c757d9591b3109899dafc6192275b6
Opcode Fuzzy Hash: 7472f3944eebff4ba670e6049831967441bcb2f02c0418d9b4ee2e3f31ece3ff
Instruction Fuzzy Hash: F2515F71B00205ABDB18DFA9DD99FAEBBBAFB88710F14C22DF915D6290D7749D008B14

Function 0073201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00731B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00732036,?,00000000,?,?,?,?,007316CB,00000000,?), ref: 00731B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 007320D3
KillTimer.USER32(-00000001,?,?,?,?,007316CB,00000000,?,?,00731AE2,?,?), ref: 0073216E
DestroyAcceleratorTable.USER32(00000000), ref: 0076BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007316CB,00000000,?,?,00731AE2,?,?), ref: 0076BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007316CB,00000000,?,?,00731AE2,?,?), ref: 0076BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007316CB,00000000,?,?,00731AE2,?,?), ref: 0076BD0A
DeleteObject.GDI32(00000000), ref: 0076BD1C

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 9413c68435dc4d3e7521960350f725e9ce121a42b16b17af525714216b4e242b
Instruction ID: 0e32c403dcf5ba8eb4dca460fb9946353fb1ff7ce9a419d1bb9035ea7c344489
Opcode Fuzzy Hash: 9413c68435dc4d3e7521960350f725e9ce121a42b16b17af525714216b4e242b
Instruction Fuzzy Hash: 83617B31100A10DFEB39AF14DD48B29B7F1FF41712F508528EA428B972C77CA896DB94

Function 007321A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 007325DB: GetWindowLongW.USER32(?,000000EB), ref: 007325EC

GetSysColor.USER32(0000000F), ref: 007321D3

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: a1f4e337dc448d8ceba2d86b354a1f7cc888e785cc1b6aa31708fc604de5287d
Instruction ID: 0e66be8baf6f157d722779dc741cb2ddde75e92e3d17379ff9766f3b9306b34b
Opcode Fuzzy Hash: a1f4e337dc448d8ceba2d86b354a1f7cc888e785cc1b6aa31708fc604de5287d
Instruction Fuzzy Hash: F441A331100548EBEB215F28DC88BBA3B65FB06731F258365FE658A1E3C7398C42DB25

Function 0079A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,007BF910), ref: 0079A90B
GetDriveTypeW.KERNEL32(00000061,007E89A0,00000061), ref: 0079A9D5
_wcscpy.LIBCMT ref: 0079A9FF

Strings

ramdisk, xrefs: 0079A97F
fixed, xrefs: 0079A953
removable, xrefs: 0079A93D
cdrom, xrefs: 0079A927
all, xrefs: 0079A911
unknown, xrefs: 0079A996
network, xrefs: 0079A969

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: f389eacc625b7307269e8c527285ee23ed60c006d0a0c07fd279ebcafb9d3eb9
Instruction ID: e3d0722ee6c83dc697166d43678ca3be558c3766fca942caaf7fba2b443cc11c
Opcode Fuzzy Hash: f389eacc625b7307269e8c527285ee23ed60c006d0a0c07fd279ebcafb9d3eb9
Instruction Fuzzy Hash: B751DE31108300EFCB14EF14D896AAFB7A5FF84310F00882DF985572A2DB79A909CB93

Function 00739837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00739862
__swprintf.LIBCMT ref: 007398AC
__i64tow.LIBCMT ref: 0076F5E6

Strings

False, xrefs: 0076F5AE
True, xrefs: 0076F5A7
%.15g, xrefs: 007398A6
0x%p, xrefs: 0076F5C8

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 7ac9c98ed89eab358a05804d9c7d53f1aeaaaac49650d94bfa1200877b18db98
Instruction ID: df69b95cbb9d312ac684079bbced998662dce5e23e55a0119eaec9ce74f02d6b
Opcode Fuzzy Hash: 7ac9c98ed89eab358a05804d9c7d53f1aeaaaac49650d94bfa1200877b18db98
Instruction Fuzzy Hash: A341B671604205EFEB24DF34D846EBA73E8FF45300F20446EEA4AD7293EAB99D458B11

Function 007B7152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007B716A
CreateMenu.USER32 ref: 007B7185
SetMenu.USER32(?,00000000), ref: 007B7194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007B7221
IsMenu.USER32(?), ref: 007B7237
CreatePopupMenu.USER32 ref: 007B7241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007B726E
DrawMenuBar.USER32 ref: 007B7276

Strings

F, xrefs: 007B7262
0, xrefs: 007B7160

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: b9d9b9aaa12e6a136a1c0c54daddeae1d6d119b1b292196652067f3ae8cd95fd
Instruction ID: 54a5e1668cf6e46077d8cf055bdb77c87a60218de116c10e7ac59ef0f3a59817
Opcode Fuzzy Hash: b9d9b9aaa12e6a136a1c0c54daddeae1d6d119b1b292196652067f3ae8cd95fd
Instruction Fuzzy Hash: 6A416974A01209EFDB24DF64D988FDA7BB5FF88350F144128F906A7361D739A920CBA0

Function 007B74BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 007B755E
CreateCompatibleDC.GDI32(00000000), ref: 007B7565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 007B7578
SelectObject.GDI32(00000000,00000000), ref: 007B7580
GetPixel.GDI32(00000000,00000000,00000000), ref: 007B758B
DeleteDC.GDI32(00000000), ref: 007B7594
GetWindowLongW.USER32(?,000000EC), ref: 007B759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 007B75B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 007B75BE

Strings

static, xrefs: 007B74F6

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 4c20b01a70c1df0a0e61454465468af58ec92268db90a63df179e650009989f3
Instruction ID: cf1f4e923164f60b499784a0c7d8d7d8dfa148871469c9cd693c35bd76de2fd8
Opcode Fuzzy Hash: 4c20b01a70c1df0a0e61454465468af58ec92268db90a63df179e650009989f3
Instruction Fuzzy Hash: 99316D72104218BBDF259F74DC08FEA3B69FF49720F114325FA15A61A0C739E821DBA4

Function 00756E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00756E3E

Part of subcall function 00758B28: __getptd_noexit.LIBCMT ref: 00758B28

__gmtime64_s.LIBCMT ref: 00756ED7
__gmtime64_s.LIBCMT ref: 00756F0D
__gmtime64_s.LIBCMT ref: 00756F2A
__allrem.LIBCMT ref: 00756F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00756F9C
__allrem.LIBCMT ref: 00756FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00756FD1
__allrem.LIBCMT ref: 00756FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00757006
__invoke_watson.LIBCMT ref: 00757077

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 5bd3327c5a3caaf0f4210fb3bed57978a41179db1179bf90da07795e3d6fbf3a
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 1C71F876A00716EBD714AE68DC46BAAB3E8BF04725F148229FC15D72C1E7B9DD04C790

Function 00792527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00792542
GetMenuItemInfoW.USER32(007F5890,000000FF,00000000,00000030), ref: 007925A3
SetMenuItemInfoW.USER32(007F5890,00000004,00000000,00000030), ref: 007925D9
Sleep.KERNEL32(000001F4), ref: 007925EB
GetMenuItemCount.USER32(?), ref: 0079262F
GetMenuItemID.USER32(?,00000000), ref: 0079264B
GetMenuItemID.USER32(?,-00000001), ref: 00792675
GetMenuItemID.USER32(?,?), ref: 007926BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00792700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00792714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00792735

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 0319e2aa05c27b45139add07cd8f085dae823421ff9e238327c8b285f2759787
Instruction ID: 33e23f3a8222175609ebb295099fa37a68933cc1ea7f24f4d5c3f627db25e224
Opcode Fuzzy Hash: 0319e2aa05c27b45139add07cd8f085dae823421ff9e238327c8b285f2759787
Instruction Fuzzy Hash: 5D618DB0900249BFDF21EFA4EC88EBE7BB9FB01344F144159E941A3652D739AD16DB60

Function 007B6F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007B6FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007B6FA8
GetWindowLongW.USER32(?,000000F0), ref: 007B6FCC
_memset.LIBCMT ref: 007B6FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007B6FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007B7067

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 8b68c55d201f911e9f8a356ae138ec8348120f904e38a7ca517da079877eccf8
Instruction ID: 7e772f9d33427a72e139f5b7e46b207748b507c85c23f4b4323521d34f30067e
Opcode Fuzzy Hash: 8b68c55d201f911e9f8a356ae138ec8348120f904e38a7ca517da079877eccf8
Instruction Fuzzy Hash: 8E617971900208AFDB10DFA8CC85FEE77B8EF49710F10415AFA15AB2A1C779AD41CBA0

Function 00786B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00786BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00786C18
VariantInit.OLEAUT32(?), ref: 00786C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00786C4A
VariantCopy.OLEAUT32(?,?), ref: 00786C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00786CB1
VariantClear.OLEAUT32(?), ref: 00786CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00786CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00786CDC
VariantClear.OLEAUT32(?), ref: 00786CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00786CF9

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: f1c1513f87c2c74b828b5f2be3b9b2f1ceabea3b2fd850d892f610a38431e1d2
Instruction ID: 5b42551bc8a3b4a6e28233058fe8b43c6a14feb864efb815920f65b325ed1bdc
Opcode Fuzzy Hash: f1c1513f87c2c74b828b5f2be3b9b2f1ceabea3b2fd850d892f610a38431e1d2
Instruction Fuzzy Hash: 1F416271A00219EFCF00EF68DC48DAEBBB9EF08754F008165E955A7261CB78A945CBA0

Function 007A5732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007A5793
inet_addr.WSOCK32(?), ref: 007A57D8
gethostbyname.WSOCK32(?), ref: 007A57E4
IcmpCreateFile.IPHLPAPI ref: 007A57F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007A5862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007A5878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 007A58ED
WSACleanup.WSOCK32 ref: 007A58F3

Strings

Ping, xrefs: 007A5816

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: c067256831944ad54b6b0bd77366de5ece4dd6a4927db5d766dcf773c5e41967
Instruction ID: a407d4cb35937c255a867e91467db4616ef430d8bab995aadd20a90062b48552
Opcode Fuzzy Hash: c067256831944ad54b6b0bd77366de5ece4dd6a4927db5d766dcf773c5e41967
Instruction Fuzzy Hash: 1C516F71604700DFD710AF24DC89B6AB7E4EF89710F048A69F956DB2A1DB7CE900DB42

Function 0079B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0079B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0079B546
GetLastError.KERNEL32 ref: 0079B550
SetErrorMode.KERNEL32(00000000,READY), ref: 0079B5BD

Strings

READY, xrefs: 0079B596
READONLY, xrefs: 0079B588
UNKNOWN, xrefs: 0079B575
NOTREADY, xrefs: 0079B57C
INVALID, xrefs: 0079B58F

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 31c58806dfeb82277960d23bcbf04289bd490b3c331fa46b6a9be22a8e5d1b76
Instruction ID: 14c668107e9bfd919f3bfd8169844c356205ae874cf0356656350665d0f1ee49
Opcode Fuzzy Hash: 31c58806dfeb82277960d23bcbf04289bd490b3c331fa46b6a9be22a8e5d1b76
Instruction Fuzzy Hash: 8F31AF75A00209EFDB00EF68ED89EAE7BB4FF08300F118125F505EB292DB789A11CB41

Function 00788F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00737DE1: _memmove.LIBCMT ref: 00737E22

Part of subcall function 0078AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0078AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00789014
GetDlgCtrlID.USER32 ref: 0078901F
GetParent.USER32 ref: 0078903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0078903E
GetDlgCtrlID.USER32(?), ref: 00789047
GetParent.USER32(?), ref: 00789063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00789066

Strings

ListBox, xrefs: 00788FD1
ComboBox, xrefs: 00788F9C

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 0621db6112d6141e0e8aa4f8fc76a70b5039aefeb6c90d5aa214d7ee910761b7
Instruction ID: a5060352fb290c6238ed39e01cd6dd6933f4c89a209b38246ffcaef7747eab5c
Opcode Fuzzy Hash: 0621db6112d6141e0e8aa4f8fc76a70b5039aefeb6c90d5aa214d7ee910761b7
Instruction Fuzzy Hash: ED21D370A40108FBDF08ABA0CC89EFEBB74EF59310F104216F921972A2DB7D9815DB21

Function 0078907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00737DE1: _memmove.LIBCMT ref: 00737E22

Part of subcall function 0078AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0078AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 007890FD
GetDlgCtrlID.USER32 ref: 00789108
GetParent.USER32 ref: 00789124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00789127
GetDlgCtrlID.USER32(?), ref: 00789130
GetParent.USER32(?), ref: 0078914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 0078914F

Strings

ListBox, xrefs: 007890BC
ComboBox, xrefs: 00789087

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 6ad92bbe0e64690b189cd94e9062a94349087050cbfbd154e7f4ff172b2789fb
Instruction ID: b1e01a045efca8287e2783349a839619843cc94b14cf93751f655c33048020ba
Opcode Fuzzy Hash: 6ad92bbe0e64690b189cd94e9062a94349087050cbfbd154e7f4ff172b2789fb
Instruction Fuzzy Hash: 54219074A40109FBEF15ABA4CC89FFEBB64EB58300F144116FA11972A2DB7D5815DB21

Function 00789163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0078916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00789184
_wcscmp.LIBCMT ref: 00789196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00789211

Strings

smallicons, xrefs: 007891D9
details, xrefs: 007891BF
SHELLDLL_DefView, xrefs: 00789190
list, xrefs: 007891F3
largeicons, xrefs: 007891A5

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: e518cc7b64868093e95ceb38814591311171f157c5eb35faaa9473977eb2d8a5
Instruction ID: e8facd49b2bf4814f8fc78ce20e1d0b2d66a29426dd20ae6c17c4e7eed6f1780
Opcode Fuzzy Hash: e518cc7b64868093e95ceb38814591311171f157c5eb35faaa9473977eb2d8a5
Instruction Fuzzy Hash: D911E77668C307F9FA153624EC0FDB7379CAF15721B200026FE00A40D2FEAD68525A54

Function 00797990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00797A6C

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 9bbd09fe78f0a2c0edd554e2db21b344b44c864743cf2500fbb69ce3fa16741d
Instruction ID: fec4dffaa46c971644e3844a4c97cfb411b07ead8eaa3299ec33baf6beaf31b5
Opcode Fuzzy Hash: 9bbd09fe78f0a2c0edd554e2db21b344b44c864743cf2500fbb69ce3fa16741d
Instruction Fuzzy Hash: E1B16E7191421ADFDF04DFA4E885BBEB7B8EF09321F244429EA41E7251D778A941CBA0

Function 007911CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 007911F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00790268,?,00000001), ref: 00791204
GetWindowThreadProcessId.USER32(00000000), ref: 0079120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00790268,?,00000001), ref: 0079121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0079122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00790268,?,00000001), ref: 00791245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00790268,?,00000001), ref: 00791257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00790268,?,00000001), ref: 0079129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00790268,?,00000001), ref: 007912B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00790268,?,00000001), ref: 007912BC

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 180a51ce0b7720833d35dfc27673cc80bdafa7ebfceea67d84e8efcedb43f483
Instruction ID: 294895dd391adbfcc6e57ed93128272846ae7fa3f6dbb12f43b7e01ccf5ca62c
Opcode Fuzzy Hash: 180a51ce0b7720833d35dfc27673cc80bdafa7ebfceea67d84e8efcedb43f483
Instruction Fuzzy Hash: BC317875640205BBEF10AF54FD88FA937A9BB59715F508225F900CA1A0D77C9940CB68

Function 0073FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0073FAA6
OleUninitialize.OLE32(?,00000000), ref: 0073FB45
UnregisterHotKey.USER32(?), ref: 0073FC9C
DestroyWindow.USER32(?), ref: 007745D6
FreeLibrary.KERNEL32(?), ref: 0077463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00774668

Strings

close all, xrefs: 0073FAA1

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 81c83733b9aa477e11573f1805623aa8f29b0666c3078d6bff6f7a17571dfd19
Instruction ID: 2491ae13413fc5089a97ced5f801b74c3e3cf8400c4c6c451deefbf9906feeca
Opcode Fuzzy Hash: 81c83733b9aa477e11573f1805623aa8f29b0666c3078d6bff6f7a17571dfd19
Instruction Fuzzy Hash: 30A17070701212CFDB19EF14C998F69F364BF05750F5082ADE80AAB262DB38AD16CF90

Function 007A9113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007A9167
VariantInit.OLEAUT32(?), ref: 007A9238
VariantInit.OLEAUT32(?), ref: 007A9339
VariantClear.OLEAUT32(?), ref: 007A9343
VariantClear.OLEAUT32(?), ref: 007A93A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 007A91C8, 007A92F6, 007A93AE
,,|, xrefs: 007A91E5
Incorrect Object type in FOR..IN loop, xrefs: 007A931C

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,|$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-1977917988
Opcode ID: 1906bb205992c213ca0c681aab7868e7d651f577a1b1cc8edcebeba3a061a831
Instruction ID: f9217a55fd7d6b217b797a6c2c605fbc10593dcd53fe1173637b462ec8766a25
Opcode Fuzzy Hash: 1906bb205992c213ca0c681aab7868e7d651f577a1b1cc8edcebeba3a061a831
Instruction Fuzzy Hash: 01919271A00215EBDF24CF95C848FAEB7B8EF86710F108259F615AB280D7789915CBA0

Function 0078A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0078A439), ref: 0078A377

Strings

CLASS, xrefs: 0078A0F6
TEXT, xrefs: 0078A2AE
REGEXPCLASS, xrefs: 0078A13C
NAME, xrefs: 0078A1A9
CLASSNN, xrefs: 0078A119
INSTANCE, xrefs: 0078A285

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: cbe0077235380aea78f83f6e1e689fe736ef1cbc2db7846e8e2c36e9a5b4a44b
Instruction ID: 2b69d71e29cd679f05cf290d4e9cabc35bf85858a820e203cdbd94351eac7706
Opcode Fuzzy Hash: cbe0077235380aea78f83f6e1e689fe736ef1cbc2db7846e8e2c36e9a5b4a44b
Instruction Fuzzy Hash: E391E531A40606FBEB18EFA0C44ABEDFB74BF04310F54811AE849A7152DF386999CBD1

Function 00732E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00732EAE

Part of subcall function 00731DB3: GetClientRect.USER32(?,?), ref: 00731DDC
Part of subcall function 00731DB3: GetWindowRect.USER32(?,?), ref: 00731E1D
Part of subcall function 00731DB3: ScreenToClient.USER32(?,?), ref: 00731E45

GetDC.USER32 ref: 0076CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0076CD45
SelectObject.GDI32(00000000,00000000), ref: 0076CD53
SelectObject.GDI32(00000000,00000000), ref: 0076CD68
ReleaseDC.USER32(?,00000000), ref: 0076CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0076CDFB

Strings

U, xrefs: 0076CCD0

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: addcbc547fa9692d308ef20f58564db696af9cf2ccb41b4070a5d5c4ff142808
Instruction ID: c58ef859f0fa8becf47be07e325f6c920a7a5154f3095a85a78d7d7c3ef345d7
Opcode Fuzzy Hash: addcbc547fa9692d308ef20f58564db696af9cf2ccb41b4070a5d5c4ff142808
Instruction Fuzzy Hash: 3771D431500205DFDF229F64CC89AFA7BB5FF48354F14427AED965A2A6C7398C41DB60

Function 007A1A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007A1A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 007A1A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 007A1ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 007A1AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007A1AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 007A1B10
InternetCloseHandle.WININET(00000000), ref: 007A1B57

Part of subcall function 007A2483: GetLastError.KERNEL32(?,?,007A1817,00000000,00000000,00000001), ref: 007A2498
Part of subcall function 007A2483: SetEvent.KERNEL32(?,?,007A1817,00000000,00000000,00000001), ref: 007A24AD

Strings

, xrefs: 007A1B01

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 88befdbadb86d89a174f6151fa9796a7284a305e3d0ae944c3063f9cee1ee8c6
Instruction ID: f9332ca85acb249e35b83974ccbf4ef92a7f2e868a0d5f4b036c73f646c163ac
Opcode Fuzzy Hash: 88befdbadb86d89a174f6151fa9796a7284a305e3d0ae944c3063f9cee1ee8c6
Instruction Fuzzy Hash: 9741A1B1501218BFFB118F60CC89FFB7BACEF49750F408266F9059A141EB789E448BA4

Function 007A8C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,007BF910), ref: 007A8D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,007BF910), ref: 007A8D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 007A8ED6
SysFreeString.OLEAUT32(?), ref: 007A8F00

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: f0fd82f39eadf6a464f76301c54089d5423613eccca94e6b8f135e2909e025b5
Instruction ID: 56b05cfd6e573278db734f5d0e380d9a62c7a730b09f4c9bf84a7bb9f7016a6f
Opcode Fuzzy Hash: f0fd82f39eadf6a464f76301c54089d5423613eccca94e6b8f135e2909e025b5
Instruction Fuzzy Hash: FCF15C71A00109EFDF44DF94C888EAEB7B9FF8A314F108698F905AB251DB35AE45CB51

Function 007AF694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007AF6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007AF848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007AF86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007AF8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007AF8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007AFA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 007AFA7C
CloseHandle.KERNEL32(?), ref: 007AFAAB
CloseHandle.KERNEL32(?), ref: 007AFB22

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: b1310cd7130c137417057474d2291b1ff233964a598e9abda78ee6fc800cd8e9
Instruction ID: 749468b19de5f160b7e5709e85cdbf7e558e8484539fd78f88523c240fcbbcbd
Opcode Fuzzy Hash: b1310cd7130c137417057474d2291b1ff233964a598e9abda78ee6fc800cd8e9
Instruction Fuzzy Hash: 2CE1B171604300DFD714EF74C885B6ABBE1AF86310F148A6DF8859B2A2DB79EC45CB52

Function 00794CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0079466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00793697,?), ref: 0079468B

Part of subcall function 0079466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00793697,?), ref: 007946A4

Part of subcall function 00794A31: GetFileAttributesW.KERNEL32(?,0079370B), ref: 00794A32

lstrcmpiW.KERNEL32(?,?), ref: 00794D40
_wcscmp.LIBCMT ref: 00794D5A
MoveFileW.KERNEL32(?,?), ref: 00794D75

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: e9ff2ff7ad8657f16e3f8fc051adc7a49cb72991cf4307cc020305732ec06de4
Instruction ID: eee6412692abfda4c2db2ea0ccdc4cfc827a6394217272db33dec14f1d2517cf
Opcode Fuzzy Hash: e9ff2ff7ad8657f16e3f8fc051adc7a49cb72991cf4307cc020305732ec06de4
Instruction Fuzzy Hash: 195172B21083859BDB24DB60D885DDFB3ECAF85351F00492EF689D3152EF78A189C766

Function 007B8645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 007B86FF

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: e669a522766729d9c73fded6e616683725ed560356f736c4b5793fe31f07e2ed
Instruction ID: 7f06efa70429ce685d314237080ad16f4666d7d4bc34d17033481ef8950f08a9
Opcode Fuzzy Hash: e669a522766729d9c73fded6e616683725ed560356f736c4b5793fe31f07e2ed
Instruction Fuzzy Hash: B2519130510244FFEB649F68CC89FE97B68FB05768F644215FA10E61A2CF79A980DB52

Function 00732B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0076C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0076C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0076C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0076C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0076C370
DestroyIcon.USER32(00000000), ref: 0076C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0076C39C
DestroyIcon.USER32(?), ref: 0076C3AB

Part of subcall function 007BA4AF: DeleteObject.GDI32(00000000), ref: 007BA4E8

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 87ab2dca6de1627cc18ea1ef1ec49c350c38ca864f5ae6b610c55cac6fc48d87
Instruction ID: 54f98ff5300acd0bcfea1c7fc22ed70111fa5340488fac8fddeab238e774b0c1
Opcode Fuzzy Hash: 87ab2dca6de1627cc18ea1ef1ec49c350c38ca864f5ae6b610c55cac6fc48d87
Instruction Fuzzy Hash: E3516B70600209EFEB20DF65CC45FAA7BB5FB58720F108628F94297292DB78ED51DB60

Function 0078966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0078A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0078A84C
Part of subcall function 0078A82C: GetCurrentThreadId.KERNEL32 ref: 0078A853
Part of subcall function 0078A82C: AttachThreadInput.USER32(00000000,?,00789683,?,00000001), ref: 0078A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 0078968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007896AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 007896AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 007896B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 007896D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007896D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 007896E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 007896F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007896FB

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: bef90b1efab631cd965c648a3b95b122d05022d47e2b71d1ff6cae016fc6e2b0
Instruction ID: 383fc542707ae19262fd655df0f34cf3afa6e329cda3052cee0da0c58d33957f
Opcode Fuzzy Hash: bef90b1efab631cd965c648a3b95b122d05022d47e2b71d1ff6cae016fc6e2b0
Instruction Fuzzy Hash: 0911CEB1A50218FEF6106B649C89F6A3B2DEB4CB64F204525F744AB0A0C9F65C109BA8

Function 00788921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0078853C,00000B00,?,?), ref: 0078892A
HeapAlloc.KERNEL32(00000000,?,0078853C,00000B00,?,?), ref: 00788931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0078853C,00000B00,?,?), ref: 00788946
GetCurrentProcess.KERNEL32(?,00000000,?,0078853C,00000B00,?,?), ref: 0078894E
DuplicateHandle.KERNEL32(00000000,?,0078853C,00000B00,?,?), ref: 00788951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0078853C,00000B00,?,?), ref: 00788961
GetCurrentProcess.KERNEL32(0078853C,00000000,?,0078853C,00000B00,?,?), ref: 00788969
DuplicateHandle.KERNEL32(00000000,?,0078853C,00000B00,?,?), ref: 0078896C
CreateThread.KERNEL32(00000000,00000000,00788992,00000000,00000000,00000000), ref: 00788986

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: ff650be6758b8d3d482ad523739c0e47c366f31921b37bb937615bf9a54a3856
Instruction ID: 17e69bb2678b1d455276dc4d36de556bf5c8b360f377d302608d2c60e400c4f5
Opcode Fuzzy Hash: ff650be6758b8d3d482ad523739c0e47c366f31921b37bb937615bf9a54a3856
Instruction Fuzzy Hash: 5301A8B524030CFFE610AFA9DC49F6B7BACEB89B11F408521FA05DB1A1CA749C008B25

Function 007A9B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 007A9BA4, 007A9EC8
Not an Object type, xrefs: 007A9B7B

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: cdea0b67f0bfbe6bee839aa385853c304702428343a6c596c082369b1b24fda3
Instruction ID: 363ea66a066a4ed34600dd86c3a99e6cebe49c17a0d701595eb037e0cfe14704
Opcode Fuzzy Hash: cdea0b67f0bfbe6bee839aa385853c304702428343a6c596c082369b1b24fda3
Instruction Fuzzy Hash: FAC1C571A002099FDF10DF68C884BAEB7F5FF89314F148569EA05EB281E7789D51CBA0

Function 007A975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 0078710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00787044,80070057,?,?,?,00787455), ref: 00787127
Part of subcall function 0078710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00787044,80070057,?,?), ref: 00787142
Part of subcall function 0078710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00787044,80070057,?,?), ref: 00787150
Part of subcall function 0078710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00787044,80070057,?), ref: 00787160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 007A9806
_memset.LIBCMT ref: 007A9813
_memset.LIBCMT ref: 007A9956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 007A9982
CoTaskMemFree.OLE32(?), ref: 007A998D

Strings

NULL Pointer assignment, xrefs: 007A99DB

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 442f7e0d0074a4e660a425298a7f4ca47e3d9674964b88dea15df36ade025e9a
Instruction ID: 26bc13efb0ceb7a0bcfab90acda38e579b1846b5abc1db27b7115ada3b3eb624
Opcode Fuzzy Hash: 442f7e0d0074a4e660a425298a7f4ca47e3d9674964b88dea15df36ade025e9a
Instruction Fuzzy Hash: 3F915A71D00228EBDB10DFA4DC45EDEBBB9BF49310F20811AF519A7241DB75AA44CFA0

Function 007B6D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 007B6E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 007B6E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007B6E52
_wcscat.LIBCMT ref: 007B6EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 007B6EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007B6EF2

Strings

SysListView32, xrefs: 007B6DF6

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 1ec6942bacc188bcb82206e589d9bd450550d0a1ebd1372c4ca1c14c3fcac263
Instruction ID: 3067d0e2963ab87aa56d0a28dde626b8224c6ef8214770f58dfc9dff2e92946b
Opcode Fuzzy Hash: 1ec6942bacc188bcb82206e589d9bd450550d0a1ebd1372c4ca1c14c3fcac263
Instruction Fuzzy Hash: E341A275A00348EFEF219F64CC89BEE77A8EF08754F10452AFA44E7291D6799D84CB60

Function 007AE933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00793C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00793C7A
Part of subcall function 00793C55: Process32FirstW.KERNEL32(00000000,?), ref: 00793C88
Part of subcall function 00793C55: CloseHandle.KERNEL32(00000000), ref: 00793D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 007AE9A4
GetLastError.KERNEL32 ref: 007AE9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 007AE9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 007AEA63
GetLastError.KERNEL32(00000000), ref: 007AEA6E
CloseHandle.KERNEL32(00000000), ref: 007AEAA3

Strings

SeDebugPrivilege, xrefs: 007AE9C2

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 621145d9eaa4c6960be05c7a24cccb7a063597f70a9114f639852d97e1f4e4de
Instruction ID: 68f8cb50d088cf5ca31a3f31671a588b5f17506d2b27c8ad7b1fea7021491d7c
Opcode Fuzzy Hash: 621145d9eaa4c6960be05c7a24cccb7a063597f70a9114f639852d97e1f4e4de
Instruction Fuzzy Hash: C5419A71200200DFDB10EF28CCA9F6EB7A5AF85710F048518F9429B2D2CBB9AD04CB96

Function 00792F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00793033

Strings

stop, xrefs: 00793004
question, xrefs: 00792FEC
blank, xrefs: 00792FB5
warning, xrefs: 0079301C
info, xrefs: 00792FD4

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: c859732d6a28caf2694d6ee20f5c8b5f37947379b739bd3fbc156a719022e5b7
Instruction ID: d1a93cb2d04d281e5c93156f4c62843af2700de18abbd5d23ff18498de22511d
Opcode Fuzzy Hash: c859732d6a28caf2694d6ee20f5c8b5f37947379b739bd3fbc156a719022e5b7
Instruction Fuzzy Hash: EE116D31348386BEDF149B5DEC47CAB779CDF1A360B10002AF90466182DFBC5F0556A5

Function 007942F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00794312
LoadStringW.USER32(00000000), ref: 00794319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0079432F
LoadStringW.USER32(00000000), ref: 00794336
_wprintf.LIBCMT ref: 0079435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0079437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00794357

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 6fd335964ae5f255db3c484396898e1d870615a1b98df178f617bea890de8bf6
Instruction ID: 56792fa2e75a58ea6e078374f01e3fdf15f6fa94a52586642e484d8099a770af
Opcode Fuzzy Hash: 6fd335964ae5f255db3c484396898e1d870615a1b98df178f617bea890de8bf6
Instruction Fuzzy Hash: E80162F290020CBFE75197A4DD89FE6776CEB08701F0045A1FB49E6051EA785E854B75

Function 007BD43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00732612: GetWindowLongW.USER32(?,000000EB), ref: 00732623

GetSystemMetrics.USER32(0000000F), ref: 007BD47C
GetSystemMetrics.USER32(0000000F), ref: 007BD49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 007BD6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 007BD6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 007BD716
ShowWindow.USER32(00000003,00000000), ref: 007BD735
InvalidateRect.USER32(?,00000000,00000001), ref: 007BD75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 007BD77D

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 54c7071fcb3d47174c4108435e8741af49624cf348e5c9d33fc505091ed186e6
Instruction ID: a20f843988d14769cde1f44475c7203720aa1e7aeb006bbc368ab777efd0b402
Opcode Fuzzy Hash: 54c7071fcb3d47174c4108435e8741af49624cf348e5c9d33fc505091ed186e6
Instruction Fuzzy Hash: 13B19A71600215EBDF24CF68C9C9BE97BB1BF04715F08C169ED489B295EB38AD50CBA0

Function 00732A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0076C1C7,00000004,00000000,00000000,00000000), ref: 00732ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0076C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00732B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0076C1C7,00000004,00000000,00000000,00000000), ref: 0076C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0076C1C7,00000004,00000000,00000000,00000000), ref: 0076C286

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 60ed5e7d993762ecb642fe8dbf9ac53159acf5896ed2f1292c1ad9b42f71263f
Instruction ID: eea7c2630870551f286c4229eaba10a91c08a8bdf8645a927e9a5ae97bf7fe7e
Opcode Fuzzy Hash: 60ed5e7d993762ecb642fe8dbf9ac53159acf5896ed2f1292c1ad9b42f71263f
Instruction Fuzzy Hash: 0A41F831204680AFE73A9B29CC9CB7A7B92BB45310F64C819ED8786563C67DA843D720

Function 007970C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 007970DD

Part of subcall function 00750DB6: std::exception::exception.LIBCMT ref: 00750DEC
Part of subcall function 00750DB6: __CxxThrowException@8.LIBCMT ref: 00750E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00797114
EnterCriticalSection.KERNEL32(?), ref: 00797130
_memmove.LIBCMT ref: 0079717E
_memmove.LIBCMT ref: 0079719B
LeaveCriticalSection.KERNEL32(?), ref: 007971AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 007971BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 007971DE

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: f47dc0b6d697840493b6101c059e74258863a5fe3d2139619bc63257d1d2e202
Instruction ID: f077e12a8fc531d51397f6015b7dfff1689450835f51340b3468f4c71b36a7f4
Opcode Fuzzy Hash: f47dc0b6d697840493b6101c059e74258863a5fe3d2139619bc63257d1d2e202
Instruction Fuzzy Hash: 7C315231A00209EBCF00EFA4DC89EAE7778FF45711F1481A5ED04AB256D7789E14CBA4

Function 007B61D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007B61EB
GetDC.USER32(00000000), ref: 007B61F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007B61FE
ReleaseDC.USER32(00000000,00000000), ref: 007B620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 007B6246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007B6257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,007B902A,?,?,000000FF,00000000,?,000000FF,?), ref: 007B6291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007B62B1

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 7696cf409ab009b55e9912145537ebcf8f4824b2991abf5df899774781dbe0bc
Instruction ID: 27ef5fe3394294c94806da0c4e3b9065b506b663bd809bbacef498be11689f1f
Opcode Fuzzy Hash: 7696cf409ab009b55e9912145537ebcf8f4824b2991abf5df899774781dbe0bc
Instruction Fuzzy Hash: C7314F72101214BFEB118F54CC8AFEA3BA9FF49765F044165FE089A191D6799C41CB64

Function 0078BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0078BBC4
_memcmp.LIBCMT ref: 0078BBE6
_memcmp.LIBCMT ref: 0078BBFE
_memcmp.LIBCMT ref: 0078BC11
_memcmp.LIBCMT ref: 0078BC2B
_memcmp.LIBCMT ref: 0078BC3E
_memcmp.LIBCMT ref: 0078BC56
_memcmp.LIBCMT ref: 0078BC71

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7f2c627c7552f50284cd13bae2f1d48e7ce529fbef3dbb2c1dd88ac160644dc5
Instruction ID: b3b8c8c6ad68c3d40ff96b236572a74de7341655c3823fb4dbd098c759e997d8
Opcode Fuzzy Hash: 7f2c627c7552f50284cd13bae2f1d48e7ce529fbef3dbb2c1dd88ac160644dc5
Instruction Fuzzy Hash: 0521CFE1681305BBB21476219D46FFB7B5D9E10389F484028FD0596A43EBACDE1683B1

Function 0079EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00739837: __itow.LIBCMT ref: 00739862
Part of subcall function 00739837: __swprintf.LIBCMT ref: 007398AC

Part of subcall function 0074FC86: _wcscpy.LIBCMT ref: 0074FCA9

_wcstok.LIBCMT ref: 0079EC94
_wcscpy.LIBCMT ref: 0079ED23
_memset.LIBCMT ref: 0079ED56

Strings

X, xrefs: 0079ED93

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 561633eee07b8c43003af80ba61d7fcd285d744cbf8ea7e2b1021b7e5c43a5dd
Instruction ID: c0818e91cb66f8a0ad15cbd7fbafc4e5eadd01ccb7b804d459802872151b0b31
Opcode Fuzzy Hash: 561633eee07b8c43003af80ba61d7fcd285d744cbf8ea7e2b1021b7e5c43a5dd
Instruction Fuzzy Hash: 6CC19271608340DFDB64EF24D889A5AB7E4FF85310F00492DF999972A2DB78EC45CB42

Function 007A6B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 007A6C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 007A6C21
WSAGetLastError.WSOCK32(00000000), ref: 007A6C34
htons.WSOCK32(?), ref: 007A6CEA
inet_ntoa.WSOCK32(?), ref: 007A6CA7

Part of subcall function 0078A7E9: _strlen.LIBCMT ref: 0078A7F3
Part of subcall function 0078A7E9: _memmove.LIBCMT ref: 0078A815

_strlen.LIBCMT ref: 007A6D44
_memmove.LIBCMT ref: 007A6DAD

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 07fe4f48811a0f8dc529e48fe5aee18b487699187b5578e87ce3cdd6fde3c671
Instruction ID: 94928efb2247e764857447e4cc5435604710fe1c285519a650eb087f2d0f2592
Opcode Fuzzy Hash: 07fe4f48811a0f8dc529e48fe5aee18b487699187b5578e87ce3cdd6fde3c671
Instruction Fuzzy Hash: 2681D3B1204300EBD710EB24CC8AF6BB7A8AFC5714F184A1CF5559B292DB78ED04CB92

Function 00731424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4c748f79875f6b707158e92affc1b3f9174e52d2e8cc610b970b291ce4ebb8d
Instruction ID: 3f1e6e70c5e19346c85e02d93459c0a482105e944b24db5074438c83fb5f230d
Opcode Fuzzy Hash: e4c748f79875f6b707158e92affc1b3f9174e52d2e8cc610b970b291ce4ebb8d
Instruction Fuzzy Hash: 75716C30900149EFDB04DF98CC89EBEBB79FF85310F54C159F915AA252C738AA51CBA4

Function 007BB351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(013F4D98), ref: 007BB3EB
IsWindowEnabled.USER32(013F4D98), ref: 007BB3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 007BB4DB
SendMessageW.USER32(013F4D98,000000B0,?,?), ref: 007BB512
IsDlgButtonChecked.USER32(?,?), ref: 007BB54F
GetWindowLongW.USER32(013F4D98,000000EC), ref: 007BB571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007BB589

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: e0fc058789072627763f5ffcda8cd3626c21224cbad756272642abcf488fd86f
Instruction ID: c91046d22ef660962edf6052f93e56a3623aba17c69171ceea4b7f3859ea016f
Opcode Fuzzy Hash: e0fc058789072627763f5ffcda8cd3626c21224cbad756272642abcf488fd86f
Instruction Fuzzy Hash: F3718E34604644EFDB249F94C894FFABBB9FF09300F148169FE45972A2C7B9A950CB50

Function 007AF41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007AF448
_memset.LIBCMT ref: 007AF511
ShellExecuteExW.SHELL32(?), ref: 007AF556

Part of subcall function 00739837: __itow.LIBCMT ref: 00739862
Part of subcall function 00739837: __swprintf.LIBCMT ref: 007398AC

Part of subcall function 0074FC86: _wcscpy.LIBCMT ref: 0074FCA9

GetProcessId.KERNEL32(00000000), ref: 007AF5CD
CloseHandle.KERNEL32(00000000), ref: 007AF5FC

Strings

@, xrefs: 007AF525

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 8709eeabdd708eeaf81c7562dad5db4fed1fb22969023b56845082163ea2d972
Instruction ID: 0539fed3ae308509c2a3b16de9de9d5f431547785b2c5fae382f94e2b044a356
Opcode Fuzzy Hash: 8709eeabdd708eeaf81c7562dad5db4fed1fb22969023b56845082163ea2d972
Instruction Fuzzy Hash: D761C175A00619DFCB04DFA8C8859AEBBF5FF89310F148169E855AB352CB38AD41CF90

Function 00790F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00790F8C
GetKeyboardState.USER32(?), ref: 00790FA1
SetKeyboardState.USER32(?), ref: 00791002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00791030
PostMessageW.USER32(?,00000101,00000011,?), ref: 0079104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00791095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 007910B8

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: ec4a5abc017da0447160f050412ffc42e2bb4257bbda507e355415cbda183960
Instruction ID: cac217d83763e86b7c1425b14d3931b073114f3cc196f9ebf101a9aeee402c29
Opcode Fuzzy Hash: ec4a5abc017da0447160f050412ffc42e2bb4257bbda507e355415cbda183960
Instruction Fuzzy Hash: 675124606447D67DFF3242389C09BBABEAA6B06304F088589E1D4458C3C2DDECE8D750

Function 00790D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00790DA5
GetKeyboardState.USER32(?), ref: 00790DBA
SetKeyboardState.USER32(?), ref: 00790E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00790E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00790E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00790EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00790EC9

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 2ac316fb2de085d29b4d4f33f8a58e56f232ce7f2de06254f75a91f6d2a48a8a
Instruction ID: 8e8d78bbb47f082902a0c25a26a9a4355c68a16663308b3a676bb2985b4be025
Opcode Fuzzy Hash: 2ac316fb2de085d29b4d4f33f8a58e56f232ce7f2de06254f75a91f6d2a48a8a
Instruction Fuzzy Hash: 2E5115A06247D57DFF3297349C45B7ABFA96B06300F088889F1D4468C2C39DAC98D7A0

Function 007955FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0079560A
_wcsncpy.LIBCMT ref: 0079563F
_wcsncpy.LIBCMT ref: 00795671
_wcsncpy.LIBCMT ref: 007956A4
_wcsncpy.LIBCMT ref: 007956E6
_wcsncpy.LIBCMT ref: 00795720
_wcsncpy.LIBCMT ref: 0079574F

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: f8d2f805e93b424e0807265e970f83167aafab74fc9b56a128c702a52a2ffa2e
Instruction ID: 92596ccff6642e3f08c1f90077b0b98a9c18fa44bd22381bdbb0da514adab1f4
Opcode Fuzzy Hash: f8d2f805e93b424e0807265e970f83167aafab74fc9b56a128c702a52a2ffa2e
Instruction Fuzzy Hash: 0041BA66C10614B6CF11EBF4DC4AACFB3B89F05311F508555E908E3222FB78A759C7A6

Function 0078D56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0078D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0078D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0078D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0078D69D

Strings

,,|, xrefs: 0078D578
DllGetClassObject, xrefs: 0078D610

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,|$DllGetClassObject
API String ID: 753597075-1863548374
Opcode ID: e2d6ff8124b4477ad0e1f64af55b05a46c8b4a09177c0c9cb9d634e0f25cfc0d
Instruction ID: 33faf06a276931ff64702757cbceda6bd99f87eb17ca893820e9ddad4a565856
Opcode Fuzzy Hash: e2d6ff8124b4477ad0e1f64af55b05a46c8b4a09177c0c9cb9d634e0f25cfc0d
Instruction Fuzzy Hash: CE4191B1640208EFDB25EF54C884B9A7BA9EF44350F1581ADEC09DF245E7B9DD40CBA0

Function 00793671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0079466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00793697,?), ref: 0079468B

Part of subcall function 0079466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00793697,?), ref: 007946A4

lstrcmpiW.KERNEL32(?,?), ref: 007936B7
_wcscmp.LIBCMT ref: 007936D3
MoveFileW.KERNEL32(?,?), ref: 007936EB
_wcscat.LIBCMT ref: 00793733
SHFileOperationW.SHELL32(?), ref: 0079379F

Strings

\*.*, xrefs: 0079372D

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: adaaba427517a65e838092e50f1ee0e7c173fa58c48ff27a584ba24014f26eac
Instruction ID: 1129b67c4baeb2f45af4ae16e149a0846319da67bf2a918522ee4cd86bcfd7d1
Opcode Fuzzy Hash: adaaba427517a65e838092e50f1ee0e7c173fa58c48ff27a584ba24014f26eac
Instruction Fuzzy Hash: 3F4194B1508344AEDB51EF64D446DDF77E8EF89340F00492EF499C3251EA38D689C756

Function 007B7291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007B72AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007B7351
IsMenu.USER32(?), ref: 007B7369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007B73B1
DrawMenuBar.USER32 ref: 007B73C4

Strings

0, xrefs: 007B729E

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 4c786b2fb4b03989a75998b45bcdb36c65388d3a62cfc7f7bd7ec8e5250d871b
Instruction ID: 03a75e3949c5ff7229952f065067c3733820d5be49837efeaab2d60093bf4efb
Opcode Fuzzy Hash: 4c786b2fb4b03989a75998b45bcdb36c65388d3a62cfc7f7bd7ec8e5250d871b
Instruction Fuzzy Hash: 8B412275A04248EFDB24DF64D884EEABBF8FB48350F148529FD15AB250D738AD60DB60

Function 007B0FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 007B0FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007B0FFE
FreeLibrary.KERNEL32(00000000), ref: 007B10B5

Part of subcall function 007B0FA5: RegCloseKey.ADVAPI32(?), ref: 007B101B
Part of subcall function 007B0FA5: FreeLibrary.KERNEL32(?), ref: 007B106D
Part of subcall function 007B0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 007B1090

RegDeleteKeyW.ADVAPI32(?,?), ref: 007B1058

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: c06052001540d4186859300ad8e5cd417303c01917db04626472edd234e103a2
Instruction ID: b95cb9858ccf9ee2964357b2696f6f78daf910125ef0be2fc4711676b3020b85
Opcode Fuzzy Hash: c06052001540d4186859300ad8e5cd417303c01917db04626472edd234e103a2
Instruction Fuzzy Hash: 7D311A71900109FFDB15EBA4DC99FFFB7BCEF08300F40426AF501A2151EA789E859AA4

Function 007B62CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 007B62EC
GetWindowLongW.USER32(013F4D98,000000F0), ref: 007B631F
GetWindowLongW.USER32(013F4D98,000000F0), ref: 007B6354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 007B6386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 007B63B0
GetWindowLongW.USER32(00000000,000000F0), ref: 007B63C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 007B63DB

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: d72f9da3898e0815c2c30e7e74d3171f9fc67815a905f3a47263214ded91d5a4
Instruction ID: 7fa594cf8819fcee6c0edc25c864f8dc82d841e5a484f71b0d3e10b475390a1f
Opcode Fuzzy Hash: d72f9da3898e0815c2c30e7e74d3171f9fc67815a905f3a47263214ded91d5a4
Instruction Fuzzy Hash: 8131E035644650EFDB208F18DC88FA537E1FB4A754F1982A4FA019B2B2CB79A840DB55

Function 0078DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0078DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0078DB54
SysAllocString.OLEAUT32(00000000), ref: 0078DB57
SysAllocString.OLEAUT32(?), ref: 0078DB75
SysFreeString.OLEAUT32(?), ref: 0078DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 0078DBA3
SysAllocString.OLEAUT32(?), ref: 0078DBB1

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d5e598183cc952c645db13bb647cfc2277c477b7cdac9d0846894bda1f83f4eb
Instruction ID: 0c23217211d72ea6d279c5217f279d91c87b844bdf14313800ebef843f954eaf
Opcode Fuzzy Hash: d5e598183cc952c645db13bb647cfc2277c477b7cdac9d0846894bda1f83f4eb
Instruction Fuzzy Hash: 6721B676600219AFDF20EFB8DC88DBB77ACEB09760B118525FD14DB290D678DC4587A8

Function 007A6173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007A7D8B: inet_addr.WSOCK32(00000000), ref: 007A7DB6

socket.WSOCK32(00000002,00000001,00000006), ref: 007A61C6
WSAGetLastError.WSOCK32(00000000), ref: 007A61D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 007A620E
connect.WSOCK32(00000000,?,00000010), ref: 007A6217
WSAGetLastError.WSOCK32 ref: 007A6221
closesocket.WSOCK32(00000000), ref: 007A624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 007A6263

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 1e6e0d4bdd04e8e6d1b7d08391b6f56b55f9f10d15a3d3616c4b38e3c05c8102
Instruction ID: 3102648f1dfb8d534fa08c0179b50c31025934e0f8f8623a47ecea485eb5c411
Opcode Fuzzy Hash: 1e6e0d4bdd04e8e6d1b7d08391b6f56b55f9f10d15a3d3616c4b38e3c05c8102
Instruction Fuzzy Hash: D7318471600118ABEF10AF64CC89FBD7BA9EB85750F048169F90597291DB78AD448B61

Function 0078F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0078F671
__wcsnicmp.LIBCMT ref: 0078F692
__wcsnicmp.LIBCMT ref: 0078F6AC

Strings

#requireadmin, xrefs: 0078F68C
#OnAutoItStartRegister, xrefs: 0078F6A6
#notrayicon, xrefs: 0078F669

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 94c7c31385d0c3247caa81a051d6759ca1534bfdd178a9aa438735aed2a228b8
Instruction ID: 2c1e017c24decee93f7b2eae3d8d3041fbf755adfc619bb1840cce38c9a8f799
Opcode Fuzzy Hash: 94c7c31385d0c3247caa81a051d6759ca1534bfdd178a9aa438735aed2a228b8
Instruction Fuzzy Hash: E82149B2294512E6E220F634AC07FA77398DF59350F50443DF84696052FB9D9D46C3A5

Function 0078DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0078DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0078DC2F
SysAllocString.OLEAUT32(00000000), ref: 0078DC32
SysAllocString.OLEAUT32 ref: 0078DC53
SysFreeString.OLEAUT32 ref: 0078DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 0078DC76
SysAllocString.OLEAUT32(?), ref: 0078DC84

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b9d009ead561d71cc18c532f4ab49e76e4b1eab65a94aed51e897f405eabea12
Instruction ID: b53da2bb966cb270c43f1c5ca617b190dd55f01b49eb9dd4b54c4276d535e34e
Opcode Fuzzy Hash: b9d009ead561d71cc18c532f4ab49e76e4b1eab65a94aed51e897f405eabea12
Instruction Fuzzy Hash: 8E214475644204AF9B20FFA8DC89DAB77ECEB09760B108125F914CB2A1D6B8DC41C764

Function 007B75CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00731D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00731D73
Part of subcall function 00731D35: GetStockObject.GDI32(00000011), ref: 00731D87
Part of subcall function 00731D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00731D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007B7632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007B763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007B764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007B7659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007B7665

Strings

Msctls_Progress32, xrefs: 007B7603

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 70a24a020936311847727d88b71632eb2fd2aa079b4d2bd631950188b812b257
Instruction ID: ec230dce9d553ccf119a1e945464d609babb88f83e0a4c1a333cc4531bfc84f8
Opcode Fuzzy Hash: 70a24a020936311847727d88b71632eb2fd2aa079b4d2bd631950188b812b257
Instruction Fuzzy Hash: 0E11B2B2110219BFEF159F64CC85EE77F6DEF08798F014115FB04A60A0CA76AC21DBA4

Function 00759AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00759AE6

Part of subcall function 00753187: EncodePointer.KERNEL32(00000000), ref: 0075318A
Part of subcall function 00753187: __initp_misc_winsig.LIBCMT ref: 007531A5
Part of subcall function 00753187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00759EA0
Part of subcall function 00753187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00759EB4
Part of subcall function 00753187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00759EC7
Part of subcall function 00753187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00759EDA
Part of subcall function 00753187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00759EED
Part of subcall function 00753187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00759F00
Part of subcall function 00753187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00759F13
Part of subcall function 00753187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00759F26
Part of subcall function 00753187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00759F39
Part of subcall function 00753187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00759F4C
Part of subcall function 00753187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00759F5F
Part of subcall function 00753187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00759F72
Part of subcall function 00753187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00759F85
Part of subcall function 00753187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00759F98
Part of subcall function 00753187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00759FAB
Part of subcall function 00753187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00759FBE

__mtinitlocks.LIBCMT ref: 00759AEB
__mtterm.LIBCMT ref: 00759AF4

Part of subcall function 00759B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00759AF9,00757CD0,007EA0B8,00000014), ref: 00759C56
Part of subcall function 00759B5C: _free.LIBCMT ref: 00759C5D
Part of subcall function 00759B5C: DeleteCriticalSection.KERNEL32(007EEC00,?,?,00759AF9,00757CD0,007EA0B8,00000014), ref: 00759C7F

__calloc_crt.LIBCMT ref: 00759B19
__initptd.LIBCMT ref: 00759B3B
GetCurrentThreadId.KERNEL32 ref: 00759B42

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 45bdf250d9f29a6be9798c6ca832aa61d88ced22c3bfd14ec83a11adfcaf64cf
Instruction ID: f4d32a44d5719e97036174ed9524917625990c4b8b5c563b7be95b75f80db2be
Opcode Fuzzy Hash: 45bdf250d9f29a6be9798c6ca832aa61d88ced22c3bfd14ec83a11adfcaf64cf
Instruction Fuzzy Hash: 15F0C23260A715EAF62476787C0B6CA3690DB02732B208A1AFE10D50D2FEDC98494565

Function 0075406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00753F85), ref: 00754085
GetProcAddress.KERNEL32(00000000), ref: 0075408C
EncodePointer.KERNEL32(00000000), ref: 00754097
DecodePointer.KERNEL32(00753F85), ref: 007540B2

Strings

RoUninitialize, xrefs: 00754074
combase.dll, xrefs: 00754080

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 42c4324116814780b7b494304f507d201a52935f42228a303ef751b82cd68d24
Instruction ID: dab0ee8c50f70f072fa9693ef77b31538325d0c48cbc188c5c51ea59930ad50f
Opcode Fuzzy Hash: 42c4324116814780b7b494304f507d201a52935f42228a303ef751b82cd68d24
Instruction Fuzzy Hash: 34E09A70645605ABDA109F61EC09F553BA4B714B46F148628F511D11A0CBBE5684CA19

Function 007964B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0079660B
_memmove.LIBCMT ref: 00796546

Part of subcall function 00739837: __itow.LIBCMT ref: 00739862
Part of subcall function 00739837: __swprintf.LIBCMT ref: 007398AC

_memmove.LIBCMT ref: 007965B9
_memmove.LIBCMT ref: 007966A0
_memmove.LIBCMT ref: 007966B9
_memmove.LIBCMT ref: 007966D5

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: a5949a5a8617db4c5741801bd851b8f9126fbbcc744c2f3eb8fa314980665f8a
Instruction ID: f0765fea3f8c79382f0a3b9075dd4b711d519ce1a4f6caebfe8c69d9f7272cf4
Opcode Fuzzy Hash: a5949a5a8617db4c5741801bd851b8f9126fbbcc744c2f3eb8fa314980665f8a
Instruction Fuzzy Hash: DB61AA3090025AEBDF02EF64DC8AEFE37A5AF44308F044618FD556B292DB79E805CB90

Function 007B01E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00737DE1: _memmove.LIBCMT ref: 00737E22

Part of subcall function 007B0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007AFDAD,?,?), ref: 007B0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007B02BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007B02FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 007B0320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007B0349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 007B038C
RegCloseKey.ADVAPI32(00000000), ref: 007B0399

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 6a5846053db42dd99d6b52e21a7cf975d8beb88a367d43984c5ae544e87d6fcf
Instruction ID: 0a9572ba6f16d1741075150b17ecef1fb2a7dfaa804e4dbd14d59e50f17cd746
Opcode Fuzzy Hash: 6a5846053db42dd99d6b52e21a7cf975d8beb88a367d43984c5ae544e87d6fcf
Instruction Fuzzy Hash: 48514871208204EFD714EF64C889EABBBE9FF84714F04491DF545872A2DB79E905CB92

Function 007B5799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 007B57FB
GetMenuItemCount.USER32(00000000), ref: 007B5832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007B585A
GetMenuItemID.USER32(?,?), ref: 007B58C9
GetSubMenu.USER32(?,?), ref: 007B58D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 007B5928

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 452d97b75c03a7dfcc0363dc6767725667ec55b58af559fe51e38b3851243cd4
Instruction ID: 47fbe9849c0c00c0c4caa3ab528d07eba3372ce87d26848bfa43207299a920d6
Opcode Fuzzy Hash: 452d97b75c03a7dfcc0363dc6767725667ec55b58af559fe51e38b3851243cd4
Instruction Fuzzy Hash: 93514935A00615EFDF11EF64C849BEEB7B4EF48720F104069E945BB352CB79AE418B90

Function 0078EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0078EF06
VariantClear.OLEAUT32(00000013), ref: 0078EF78
VariantClear.OLEAUT32(00000000), ref: 0078EFD3
_memmove.LIBCMT ref: 0078EFFD
VariantClear.OLEAUT32(?), ref: 0078F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0078F078

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 21bf7799000e75ea6ab21b12cf94e8fa72cd9aa59e57910140fb26a5632aab66
Instruction ID: 4d3b83a22bc44f7c0cb46c6dd1cffaecd9efd974c206b5f8a7d76e2082a88f1f
Opcode Fuzzy Hash: 21bf7799000e75ea6ab21b12cf94e8fa72cd9aa59e57910140fb26a5632aab66
Instruction Fuzzy Hash: CF5149B5A00209EFDB14DF58C884AAAB7B8FF4C314B158569ED59DB301E739E911CBA0

Function 0079220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00792258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007922A3
IsMenu.USER32(00000000), ref: 007922C3
CreatePopupMenu.USER32 ref: 007922F7
GetMenuItemCount.USER32(000000FF), ref: 00792355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00792386

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: f30c6ed5e61f70cd5ac72150c2c316225e48869d7ff4ba88abd86b86bca34a4d
Instruction ID: a6a5e9b3cabc3b63516b2fd9a8ea0fd665d1973e1847eac974c2b24847e704e9
Opcode Fuzzy Hash: f30c6ed5e61f70cd5ac72150c2c316225e48869d7ff4ba88abd86b86bca34a4d
Instruction Fuzzy Hash: 7D51AF70600209FFDF21EF68E888BADBBF5BF45314F108229E811A7292D77D9946CB51

Function 00731765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00732612: GetWindowLongW.USER32(?,000000EB), ref: 00732623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0073179A
GetWindowRect.USER32(?,?), ref: 007317FE
ScreenToClient.USER32(?,?), ref: 0073181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0073182C
EndPaint.USER32(?,?), ref: 00731876

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 27121a53c8bb814d1a2da9dfb8a6968db8ab472b8b0eb8d0af1db6e9f57bbf26
Instruction ID: 2724cc6b5497b8223361854518b2332e0095e412035147678e83c2529bcdaaae
Opcode Fuzzy Hash: 27121a53c8bb814d1a2da9dfb8a6968db8ab472b8b0eb8d0af1db6e9f57bbf26
Instruction Fuzzy Hash: 0C41A031504701EFE710DF28CC84FB67BE8EB4A734F048668FA95872A2C7389845DB65

Function 007BB69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(007F57B0,00000000,013F4D98,?,?,007F57B0,?,007BB5A8,?,?), ref: 007BB712
EnableWindow.USER32(00000000,00000000), ref: 007BB736
ShowWindow.USER32(007F57B0,00000000,013F4D98,?,?,007F57B0,?,007BB5A8,?,?), ref: 007BB796
ShowWindow.USER32(00000000,00000004,?,007BB5A8,?,?), ref: 007BB7A8
EnableWindow.USER32(00000000,00000001), ref: 007BB7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 007BB7EF

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: badac653824e6d201482395f2a81b5d9a33344b52c9f197c5316532de07f2f21
Instruction ID: 910dc56d65aa557abef22cc0bc63b08962ebc1f98ce392156d1ebed877ff352e
Opcode Fuzzy Hash: badac653824e6d201482395f2a81b5d9a33344b52c9f197c5316532de07f2f21
Instruction Fuzzy Hash: 20418134600640AFDB21CF24C899FD47BE0FF45714F5881BAED488F6A2CBB5A856CB50

Function 007A709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,007A4E41,?,?,00000000,00000001), ref: 007A70AC

Part of subcall function 007A39A0: GetWindowRect.USER32(?,?), ref: 007A39B3

GetDesktopWindow.USER32 ref: 007A70D6
GetWindowRect.USER32(00000000), ref: 007A70DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 007A710F

Part of subcall function 00795244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007952BC

GetCursorPos.USER32(?), ref: 007A713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007A7199

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: d041fc4f2a320f26ba301e7b9b608335b351dfda11d4e7e40e5f1a9177897a38
Instruction ID: 39b3c2252f854d40ecf1e7d86d1a71304d6e33bfdd37f8efe17623030aedcb95
Opcode Fuzzy Hash: d041fc4f2a320f26ba301e7b9b608335b351dfda11d4e7e40e5f1a9177897a38
Instruction Fuzzy Hash: 7731E172509309ABC724DF14DC49F9BB7E9FFC9304F004A29F48497191CA38EA09CB96

Function 00788879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007880A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007880C0
Part of subcall function 007880A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007880CA
Part of subcall function 007880A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007880D9
Part of subcall function 007880A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007880E0
Part of subcall function 007880A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007880F6

GetLengthSid.ADVAPI32(?,00000000,0078842F), ref: 007888CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007888D6
HeapAlloc.KERNEL32(00000000), ref: 007888DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 007888F6
GetProcessHeap.KERNEL32(00000000,00000000,0078842F), ref: 0078890A
HeapFree.KERNEL32(00000000), ref: 00788911

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 2a757d430216de4eeb0ef754a8851766f1f5d62a5353355a8b292cbce3a493ff
Instruction ID: 77b273d9c800612ca9efc20cc1838d8a9dbbb97337fd9c8f65b844358f6372dd
Opcode Fuzzy Hash: 2a757d430216de4eeb0ef754a8851766f1f5d62a5353355a8b292cbce3a493ff
Instruction Fuzzy Hash: AC11B171551209FFDB50AFA8DC09FBE7769EF44311F908528E85597210CB3AAD00DB62

Function 007885B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007885E2
OpenProcessToken.ADVAPI32(00000000), ref: 007885E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 007885F8
CloseHandle.KERNEL32(00000004), ref: 00788603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00788632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00788646

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: fc488c731c6e4aff114502a0b1a41a1bb27079fa6cd2c7c3e8321869c81d0e11
Instruction ID: 6a5c3271c81f825322755e10541d85ffcb30da83d9ca45ef43b8d1d25964fcd5
Opcode Fuzzy Hash: fc488c731c6e4aff114502a0b1a41a1bb27079fa6cd2c7c3e8321869c81d0e11
Instruction Fuzzy Hash: 67116A7254020DABDF019FA8DD49FDE7BA9EF08704F048164FE04A2161C77A8D60EB61

Function 0078B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0078B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 0078B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0078B7CD
ReleaseDC.USER32(00000000,00000000), ref: 0078B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0078B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 0078B7FE

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: b870d03de368d13063e165da1a0e73eee1dd7b847ab204ec1138cf8383aa6dc0
Instruction ID: 1e76193b12bac9949750b893be14422089d62b943e3e05a88b5810f877b4e5bc
Opcode Fuzzy Hash: b870d03de368d13063e165da1a0e73eee1dd7b847ab204ec1138cf8383aa6dc0
Instruction Fuzzy Hash: 11017175A40309BBEB10ABA69C49F5EBFA8EB48711F008166FE04A7291D6349C00CF91

Function 00750162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00750193
MapVirtualKeyW.USER32(00000010,00000000), ref: 0075019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 007501A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 007501B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 007501B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 007501C1

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 97af032ba25793d21ef91bcab3d00fc8d5e446880dd45a92f88ac4014d860d7a
Instruction ID: 12c4ff67ee73e7d33c919a264c448ebd9f7a5ebc5c3657b0869f4f408c23b1ab
Opcode Fuzzy Hash: 97af032ba25793d21ef91bcab3d00fc8d5e446880dd45a92f88ac4014d860d7a
Instruction Fuzzy Hash: C6016CB0901759BDE3008F5A8C85B52FFA8FF19754F00411BE15C47941C7F5A864CBE5

Function 007953E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 007953F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0079540F
GetWindowThreadProcessId.USER32(?,?), ref: 0079541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0079542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00795437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0079543E

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 31ac676e8f4f64160f43d9cbef5641e51066a32c6b74ed70e32c84d9772fb9f0
Instruction ID: 723118a9430f1599fca6d1e0d0716d70f62973546c9d4c7b557977f567bd3862
Opcode Fuzzy Hash: 31ac676e8f4f64160f43d9cbef5641e51066a32c6b74ed70e32c84d9772fb9f0
Instruction Fuzzy Hash: 76F06D32640158BBE7215BA69C0DFEB7B7CEBCAF15F004269FA04D106096A81A0187B9

Function 00797230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00797243
EnterCriticalSection.KERNEL32(?,?,00740EE4,?,?), ref: 00797254
TerminateThread.KERNEL32(00000000,000001F6,?,00740EE4,?,?), ref: 00797261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00740EE4,?,?), ref: 0079726E

Part of subcall function 00796C35: CloseHandle.KERNEL32(00000000,?,0079727B,?,00740EE4,?,?), ref: 00796C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00797281
LeaveCriticalSection.KERNEL32(?,?,00740EE4,?,?), ref: 00797288

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 82465cd7757894c7c1b689e890185e3d40189dc823cc05ad9c56dee7592b11b6
Instruction ID: 2191063732dfaf4893b1a584dcfa96721ae33805a3dcd2e9aa88042246262686
Opcode Fuzzy Hash: 82465cd7757894c7c1b689e890185e3d40189dc823cc05ad9c56dee7592b11b6
Instruction Fuzzy Hash: 47F03A36540612EBDB121B64ED4CEDE7739FF45B02B104631F502D50A0CB7E5801CB64

Function 00788992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0078899D
UnloadUserProfile.USERENV(?,?), ref: 007889A9
CloseHandle.KERNEL32(?), ref: 007889B2
CloseHandle.KERNEL32(?), ref: 007889BA
GetProcessHeap.KERNEL32(00000000,?), ref: 007889C3
HeapFree.KERNEL32(00000000), ref: 007889CA

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 40a93ff8716eda121a04bad0b3c2d068f2d2af65802fd1c4417342c17ab7a50b
Instruction ID: c280ecd3fcea8e66ac0927720c95ca50bc5069dae0013c85245c4d2f8d5badce
Opcode Fuzzy Hash: 40a93ff8716eda121a04bad0b3c2d068f2d2af65802fd1c4417342c17ab7a50b
Instruction Fuzzy Hash: F5E05276104509FBDA011FE5EC0CE5ABFA9FB89B62B548731F219C1470CB3A9861DB58

Function 00787530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,007C2C7C,?), ref: 007876EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,007C2C7C,?), ref: 00787702
CLSIDFromProgID.OLE32(?,?,00000000,007BFB80,000000FF,?,00000000,00000800,00000000,?,007C2C7C,?), ref: 00787727
_memcmp.LIBCMT ref: 00787748

Strings

,,|, xrefs: 0078753D

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,|
API String ID: 314563124-2928947247
Opcode ID: ce41799c78093c3e72febc65459f46837a7c9aecf74804900359b15cfae44695
Instruction ID: 7a2c0f1a77b2f25c6a98dbc18596e90d6f14d72f776d2fecb6c5c582fb5ff630
Opcode Fuzzy Hash: ce41799c78093c3e72febc65459f46837a7c9aecf74804900359b15cfae44695
Instruction Fuzzy Hash: D5810D75A00109EFCB04DFA4C988EEEB7B9FF89315F204558F506AB251DB75AE06CB60

Function 007A85ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007A8613
CharUpperBuffW.USER32(?,?), ref: 007A8722
VariantClear.OLEAUT32(?), ref: 007A889A

Part of subcall function 00797562: VariantInit.OLEAUT32(00000000), ref: 007975A2
Part of subcall function 00797562: VariantCopy.OLEAUT32(00000000,?), ref: 007975AB
Part of subcall function 00797562: VariantClear.OLEAUT32(00000000), ref: 007975B7

Strings

AUTOIT.ERROR, xrefs: 007A8728
Incorrect Parameter format, xrefs: 007A864B, 007A880D

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: c51bb67ae9b1b341a1a0eb544a0418933dbbaeb70263cf402bdab352f3ec2d34
Instruction ID: 452f30c8d1904f92316b7cb7b09ff530ae32d8956a150f8d88b12165be9cd49c
Opcode Fuzzy Hash: c51bb67ae9b1b341a1a0eb544a0418933dbbaeb70263cf402bdab352f3ec2d34
Instruction Fuzzy Hash: 00916B71604301DFCB50DF24C48595ABBE4EFCA714F148A2DF99A8B362DB39E905CB92

Function 00792A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0074FC86: _wcscpy.LIBCMT ref: 0074FCA9

_memset.LIBCMT ref: 00792B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00792BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00792C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00792C97

Strings

0, xrefs: 00792B73

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 22f4cffda48d945ed8878c38d9a392a32ebd84423ef811ec1c0b90061dc3b9fd
Instruction ID: 55cecd7a3b67aa7a7589842c17c47d7b4e8a6403d4287d36587f1cedb46c4d84
Opcode Fuzzy Hash: 22f4cffda48d945ed8878c38d9a392a32ebd84423ef811ec1c0b90061dc3b9fd
Instruction Fuzzy Hash: 2251C471508301AADB24FF28E845A6F77E4EF56350F144A2DF895D31A2DB78CD06C7A2

Function 00743137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00743277
_memmove.LIBCMT ref: 00743310
_free.LIBCMT ref: 00743336
_memmove.LIBCMT ref: 007433E9

Strings

3ct, xrefs: 00743225
_t, xrefs: 00743322

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: _memmove$_free
String ID: 3ct$_t
API String ID: 2620147621-1670605766
Opcode ID: cfe8e9f3f2c5a52513844a8c0988385d4d434102435d459f0fecaebeebc69c66
Instruction ID: 3305dda857f09488474ba0ca2a2084898468ec3735d1926352ac2904e734fcd7
Opcode Fuzzy Hash: cfe8e9f3f2c5a52513844a8c0988385d4d434102435d459f0fecaebeebc69c66
Instruction Fuzzy Hash: 4A516B716047818FDB25CF28C441BAABBF5BF85350F08892DE98D87351EB39E905CB92

Function 00746192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00746248
_memmove.LIBCMT ref: 007462E4
_memset.LIBCMT ref: 00746308

Strings

3ct, xrefs: 007462AF
ERCP, xrefs: 007461B3

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3ct$ERCP
API String ID: 2532777613-50398335
Opcode ID: e40f9e66306d41204efdc87978ba38c467b753dd439f5443cf509c68d0766866
Instruction ID: a1ffefca67ef2d6d092e2b16a5d6a7fb4faa81e162dfa56a2e9507bc9ed73e19
Opcode Fuzzy Hash: e40f9e66306d41204efdc87978ba38c467b753dd439f5443cf509c68d0766866
Instruction Fuzzy Hash: 4D51AF71A00309EBDB24DF65C8457EAB7F4FF09304F20456EE94ACB241E7B8AA44CB91

Function 00792753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007927C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 007927DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00792822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,007F5890,00000000), ref: 0079286B

Strings

0, xrefs: 007927B5

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: d0185fab37b5155d69a69f33bf51b141c3d308fe5f7116d1af3a42eabfb5eb24
Instruction ID: a0083b05f5a094ea87736cb361b0167b1d927cfb108d8efd10008845407c93e3
Opcode Fuzzy Hash: d0185fab37b5155d69a69f33bf51b141c3d308fe5f7116d1af3a42eabfb5eb24
Instruction Fuzzy Hash: 2E41B274204301AFDB24EF24EC44F6ABBE4EF85314F144A2DF96597292D738E806CB62

Function 007AD7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 007AD7C5

Part of subcall function 0073784B: _memmove.LIBCMT ref: 00737899

Strings

stdcall, xrefs: 007AD847
cdecl, xrefs: 007AD81C
none, xrefs: 007AD8A0
winapi, xrefs: 007AD836

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: e499cf0eacf7777b0a1fe26a0d126e4baacdd43fc6298291f7651a112ad96074
Instruction ID: ac786952a08d488ee4c60585df61ab505f2e2e3b5dac70104ce8491b267b6a5c
Opcode Fuzzy Hash: e499cf0eacf7777b0a1fe26a0d126e4baacdd43fc6298291f7651a112ad96074
Instruction Fuzzy Hash: 8831CF71904219EBDF24EF54C8559EEB3B4FF45320F008629E82697AD2DB79AD05CB80

Function 00788E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00737DE1: _memmove.LIBCMT ref: 00737E22

Part of subcall function 0078AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0078AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00788F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00788F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00788F57

Part of subcall function 00737BCC: _memmove.LIBCMT ref: 00737C06

Strings

ListBox, xrefs: 00788ED3
ComboBox, xrefs: 00788E9E

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 191d8640ed01be0f86e302501d61439c833e6d65c34b606702760158e332797f
Instruction ID: 30bfccb9b96a6230d704760e41cdf9b024430c61be76bc6b3e0f62825abde525
Opcode Fuzzy Hash: 191d8640ed01be0f86e302501d61439c833e6d65c34b606702760158e332797f
Instruction Fuzzy Hash: 5121F2B1A80104FAEB18BBB08C4ADFEB769DF05320F14811AF921A72E1DB3D1809D711

Function 007A182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007A184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007A1872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007A18A2
InternetCloseHandle.WININET(00000000), ref: 007A18E9

Part of subcall function 007A2483: GetLastError.KERNEL32(?,?,007A1817,00000000,00000000,00000001), ref: 007A2498
Part of subcall function 007A2483: SetEvent.KERNEL32(?,?,007A1817,00000000,00000000,00000001), ref: 007A24AD

Strings

, xrefs: 007A1893

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: e155ed68bb046e85b88d0d9edc88059f36d77c9cffb366504654a6e7d680dd1b
Instruction ID: 85b88cd0e7fb48c4da5278f03d80f309b873a3a4c227388d00ba478ebd4b5b23
Opcode Fuzzy Hash: e155ed68bb046e85b88d0d9edc88059f36d77c9cffb366504654a6e7d680dd1b
Instruction Fuzzy Hash: 2E21B0B1500308BFFB119B64CC89EBB77EDEB8AB54F50822AF80596140EA2C9D0597A5

Function 007B63E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00731D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00731D73
Part of subcall function 00731D35: GetStockObject.GDI32(00000011), ref: 00731D87
Part of subcall function 00731D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00731D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007B6461
LoadLibraryW.KERNEL32(?), ref: 007B6468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007B647D
DestroyWindow.USER32(?), ref: 007B6485

Strings

SysAnimate32, xrefs: 007B643C

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 18c587c54d94da24a6c97a439ef639756804b8f5684ef7332fb378737b098db0
Instruction ID: a8cf98b26d31dbd24ebc04064c329ad6ea544c2b13a1309dd37ea2b8f5ccc0e6
Opcode Fuzzy Hash: 18c587c54d94da24a6c97a439ef639756804b8f5684ef7332fb378737b098db0
Instruction Fuzzy Hash: C5217971210645AFEF104F64DC84FFA77A9EB59728F108629FB1093090D67DDC419760

Function 00796D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00796DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00796DEF
GetStdHandle.KERNEL32(0000000C), ref: 00796E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00796E3B

Strings

nul, xrefs: 00796E36

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: a680ad9688dcdd61b65eb95cc659f1226a839d7190e7b3cc717013cb4eab795d
Instruction ID: b255befd710ad204b14f74ceb9c64e175a77bfa418cc38a6fe4931821dd3fd1d
Opcode Fuzzy Hash: a680ad9688dcdd61b65eb95cc659f1226a839d7190e7b3cc717013cb4eab795d
Instruction Fuzzy Hash: DA215175700209ABDF209F29EC05A9A77A4FF45720F204B19FDA1D72D0D7789950CB54

Function 00796E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00796E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00796EBB
GetStdHandle.KERNEL32(000000F6), ref: 00796ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00796F06

Strings

nul, xrefs: 00796F01

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: f7d7870fa1a64a52b364afa8ff18a625114d3a5524fb890db674e6ec8391a9bf
Instruction ID: 4d763728f3ab787a583cd43f24ece8752b0a2c1e0d872d44ce40549e406f4920
Opcode Fuzzy Hash: f7d7870fa1a64a52b364afa8ff18a625114d3a5524fb890db674e6ec8391a9bf
Instruction Fuzzy Hash: 65217179500305ABDF209F69EC04A9A77A8FF45720F204B19FCA1D72D0E778A851CB65

Function 0079AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0079AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0079ACA8
__swprintf.LIBCMT ref: 0079ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,007BF910), ref: 0079ACFF

Strings

%lu, xrefs: 0079ACBB

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 5138e00ff5c2a23ec0db9a5b8685c6eac1ee12f17a3aa890cb891a07cc6e781b
Instruction ID: b27df0e7ba46e0be5380c0350de7da68a0d93aa44b65ec31d2fe545cc8b09780
Opcode Fuzzy Hash: 5138e00ff5c2a23ec0db9a5b8685c6eac1ee12f17a3aa890cb891a07cc6e781b
Instruction Fuzzy Hash: CC21A47060010DEFCB10DF58CD49EEE77B8EF49714B004069F909EB252DA75EA01CB61

Function 00791142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0078FCED,?,00790D40,?,00008000), ref: 0079115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,0078FCED,?,00790D40,?,00008000), ref: 00791184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0078FCED,?,00790D40,?,00008000), ref: 0079118E
Sleep.KERNEL32(?,?,?,?,?,?,?,0078FCED,?,00790D40,?,00008000), ref: 007911C1

Strings

@y, xrefs: 0079119D

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @y
API String ID: 2875609808-330097415
Opcode ID: a689d7b464721d6213d3089749efd97a8bd1edc7d2627aedddf231423aa51340
Instruction ID: 5eeb1492a1524281eefcbe08ed31354558164b21a289525a5f5027105392c4cb
Opcode Fuzzy Hash: a689d7b464721d6213d3089749efd97a8bd1edc7d2627aedddf231423aa51340
Instruction Fuzzy Hash: 73113C31D4051EE7CF009FA9E888BEEBB78FF09711F808555EA45B6240CB789960CB95

Function 00791AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00791B19

Strings

EXISTS, xrefs: 00791B41
KEYS, xrefs: 00791B30
APPEND, xrefs: 00791B52
REMOVE, xrefs: 00791B1F

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: d314abe625546127adea76da4f4a047725f8dce0b37c97a2d5e1f063b295a789
Instruction ID: 6a432669e24706b7abb71390decdf8c1fef9ecf8c66554d2c558c7f7309bbaeb
Opcode Fuzzy Hash: d314abe625546127adea76da4f4a047725f8dce0b37c97a2d5e1f063b295a789
Instruction Fuzzy Hash: F9118E71900249CFCF00EF64D8558FEB3B5FF25304B548468D81567292EB3A5D1ACB40

Function 007AEB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 007AEC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 007AEC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 007AED6A
CloseHandle.KERNEL32(?), ref: 007AEDEB

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: c83e05a13a02c07c0178cc6650b950dfa593a2e47dcb8d882d23a8bd1bd9c4e2
Instruction ID: 30c5c1dbec82a2fa62fcd36bb97c33eb8b198bff7922554ab140fbae183eb68d
Opcode Fuzzy Hash: c83e05a13a02c07c0178cc6650b950dfa593a2e47dcb8d882d23a8bd1bd9c4e2
Instruction Fuzzy Hash: 678183716047109FE760EF28C88AF6AB7E5AF89710F04891DF995DB2D2DBB4AC40CB51

Function 007B0037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00737DE1: _memmove.LIBCMT ref: 00737E22

Part of subcall function 007B0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007AFDAD,?,?), ref: 007B0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007B00FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007B013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 007B0183
RegCloseKey.ADVAPI32(?,?), ref: 007B01AF
RegCloseKey.ADVAPI32(00000000), ref: 007B01BC

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 06248520ab1e345240da9cab81ca688c69dbe3ae55463699da5d3d7c009b0e8a
Instruction ID: f2e70edce1e95d44a3309a45f50507d1939c238df7ddeb6992de9bf8ad84c9b2
Opcode Fuzzy Hash: 06248520ab1e345240da9cab81ca688c69dbe3ae55463699da5d3d7c009b0e8a
Instruction Fuzzy Hash: CF512971208208EFD714EB58CC85FAFB7E9AF84714F40891DF555872A2DB79E904CB92

Function 007AD8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00739837: __itow.LIBCMT ref: 00739862
Part of subcall function 00739837: __swprintf.LIBCMT ref: 007398AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 007AD927
GetProcAddress.KERNEL32(00000000,?), ref: 007AD9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 007AD9C6
GetProcAddress.KERNEL32(00000000,?), ref: 007ADA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 007ADA21

Part of subcall function 00735A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00797896,?,?,00000000), ref: 00735A2C
Part of subcall function 00735A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00797896,?,?,00000000,?,?), ref: 00735A50

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 0beeaf2a914ad93f39925504a8db0d32d43b5de2eac7c62df49801343a102243
Instruction ID: 5aabdb70097cfaaf90392dcc264ee58d6ee84361f9250832a1516673f80865b5
Opcode Fuzzy Hash: 0beeaf2a914ad93f39925504a8db0d32d43b5de2eac7c62df49801343a102243
Instruction Fuzzy Hash: A3513675A00209DFDB10EFA8C4889ADB7B4EF49310F04C165E916AB312DB39ED45CF81

Function 0079E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0079E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0079E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0079E687

Part of subcall function 00739837: __itow.LIBCMT ref: 00739862
Part of subcall function 00739837: __swprintf.LIBCMT ref: 007398AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0079E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0079E6B4

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: d08ae08d9b7d1cdd77d26d0cc078f01d59f4c5f80db7d272ab74938726352732
Instruction ID: e9b61d447c3a3a9f5e27457ee63b00740f57f01c045216f50db78e922deee42c
Opcode Fuzzy Hash: d08ae08d9b7d1cdd77d26d0cc078f01d59f4c5f80db7d272ab74938726352732
Instruction Fuzzy Hash: C0510735A00205DFDB01EF64C985AADBBF5EF49314F1480A9E909AB362CB75ED11CF50

Function 007BA056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f40c026e16b2fea3b088b55358732aed04517f92fb2e843336b8e8e621d272a1
Instruction ID: 2b662bd4de75c46f9d6a30fdf286748052bd8c05401e90a7e89cf37eb44fef28
Opcode Fuzzy Hash: f40c026e16b2fea3b088b55358732aed04517f92fb2e843336b8e8e621d272a1
Instruction Fuzzy Hash: 2B41903590450CBBD760EB2CCC89FE9BBB8EB09310F144265F916A72E1D738AD41DA61

Function 00732344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00732357
ScreenToClient.USER32(007F57B0,?), ref: 00732374
GetAsyncKeyState.USER32(00000001), ref: 00732399
GetAsyncKeyState.USER32(00000002), ref: 007323A7

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 7528e81b8f509c68847ce0981c14899ae12d4d26e911f0c794968f5dc9080bf2
Instruction ID: 6d7d040ef3ec836b4f4baeb6817c8931e10b9a6e5f6b8f38fc0d39fc91c4b59e
Opcode Fuzzy Hash: 7528e81b8f509c68847ce0981c14899ae12d4d26e911f0c794968f5dc9080bf2
Instruction Fuzzy Hash: 38417F35604119FBDF299F68CC48BE9BB74FB05360F20431AF869D22A2C7389991DB91

Function 007863AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007863E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00786433
TranslateMessage.USER32(?), ref: 0078645C
DispatchMessageW.USER32(?), ref: 00786466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00786475

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 72db66407603d31e9ed9ed823399f7b07d178fa08b01d87529971288a540f185
Instruction ID: f794d7d33a2eeeca7cb1e7e906c9da7071c3f72f00efa5945ae4fe369723b684
Opcode Fuzzy Hash: 72db66407603d31e9ed9ed823399f7b07d178fa08b01d87529971288a540f185
Instruction Fuzzy Hash: 5B31E571980686BFDB24EFB4CC48FBABBA8BB00310F108265E529C21A0E73D9545D760

Function 00788A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00788A30
PostMessageW.USER32(?,00000201,00000001), ref: 00788ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00788AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00788AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00788AF8

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 73afe6b1b6a968b9ccf0d75fa35d831d4e3ebce56873ce769d3300285841b568
Instruction ID: 1ecb824f0ca424dabcc34786cbd1e5d1ce23dbaa7516bd8fe70584302611a148
Opcode Fuzzy Hash: 73afe6b1b6a968b9ccf0d75fa35d831d4e3ebce56873ce769d3300285841b568
Instruction Fuzzy Hash: 7231B171500219EBDB14DFA8DD4DB9E3BB5EB04315F108229F925E62D0C7B49914DB92

Function 0078B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0078B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0078B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0078B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0078B27F
_wcsstr.LIBCMT ref: 0078B289

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 72960cf4e733ec0c1fbbb0fc09b6532202810b4755cc925dfe3bb0b822934b58
Instruction ID: 3d2cae3aa6f8bbb3351dc5dd459d8dd5e8d1f4e8c3e8ba2796a4809d36d61450
Opcode Fuzzy Hash: 72960cf4e733ec0c1fbbb0fc09b6532202810b4755cc925dfe3bb0b822934b58
Instruction Fuzzy Hash: 02210772644204BBEB25AB799C09E7F7B98EF49760F108139FC04DA161EFA9DC4197A0

Function 007BB14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00732612: GetWindowLongW.USER32(?,000000EB), ref: 00732623

GetWindowLongW.USER32(?,000000F0), ref: 007BB192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 007BB1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 007BB1CF
GetSystemMetrics.USER32(00000004), ref: 007BB1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,007A0E90,00000000), ref: 007BB216

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: aa091a446b027187de78cb701ea1d97b7a552146baa491703c3d8d9f0829d3fe
Instruction ID: 859483d1e343942f4381ee94fc3677e12228ef37d3513aff2f1b558e5bd2edf6
Opcode Fuzzy Hash: aa091a446b027187de78cb701ea1d97b7a552146baa491703c3d8d9f0829d3fe
Instruction Fuzzy Hash: A4216071A10659AFCB209F39DC14BAA3BA4FB05761F158728FD22D71E0E7789920CB90

Function 00789307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00789320

Part of subcall function 00737BCC: _memmove.LIBCMT ref: 00737C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00789352
__itow.LIBCMT ref: 0078936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00789392
__itow.LIBCMT ref: 007893A3

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 5cd6fed63a013ec36614543760abc5a44a00715a4c65d809f76fb9f4956b3805
Instruction ID: 2ba4edd191e517161757ac7a9ced9a5b8bb93ae81f4358a44a0d7607d7575ddd
Opcode Fuzzy Hash: 5cd6fed63a013ec36614543760abc5a44a00715a4c65d809f76fb9f4956b3805
Instruction Fuzzy Hash: FB21C571740208FBDB20AA648C8DEFE7BADEB49B14F084025FE45E71D1D6B88D459791

Function 007A5A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 007A5A6E
GetForegroundWindow.USER32 ref: 007A5A85
GetDC.USER32(00000000), ref: 007A5AC1
GetPixel.GDI32(00000000,?,00000003), ref: 007A5ACD
ReleaseDC.USER32(00000000,00000003), ref: 007A5B08

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: d4cbb3b4ee0866c41d92f8fc1607b2db266369f2835913da5d781392c8015980
Instruction ID: d1c3ec562a585304ecfb69cc50bcd7c062a97ebb3d33c5c6732b243bfa9201e6
Opcode Fuzzy Hash: d4cbb3b4ee0866c41d92f8fc1607b2db266369f2835913da5d781392c8015980
Instruction Fuzzy Hash: 4621A475A00104EFDB00EFA4DC88E9ABBE5EF89710F14C579F84997352CA78AC01CB50

Function 007312F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0073134D
SelectObject.GDI32(?,00000000), ref: 0073135C
BeginPath.GDI32(?), ref: 00731373
SelectObject.GDI32(?,00000000), ref: 0073139C

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 31ba17816d179fbfeecb9170a70fccc67a1021c9db17883de5ea1a89f0db1906
Instruction ID: 1456736cdd5cfa8c2ff437d903f4a48895e6fbbaa484a8c33b4aa8b85b3ebf45
Opcode Fuzzy Hash: 31ba17816d179fbfeecb9170a70fccc67a1021c9db17883de5ea1a89f0db1906
Instruction Fuzzy Hash: 51216D30800A08EFEB109F25EC04B797BA8FB047A1F54C326F910965B2D77C9895DF98

Function 00794A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00794ABA
__beginthreadex.LIBCMT ref: 00794AD8
MessageBoxW.USER32(?,?,?,?), ref: 00794AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00794B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00794B0A

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: f1695ba069230ade50af7a47aea911e9d637fb845e94f36a5b034129da18bf3a
Instruction ID: 99a6fbcb8be24546beace79ab31222ae2444b9192dc0f16528917eb48e08ebc9
Opcode Fuzzy Hash: f1695ba069230ade50af7a47aea911e9d637fb845e94f36a5b034129da18bf3a
Instruction Fuzzy Hash: 841108B6904248BBCB008FACEC08FAB7FADEB49320F148365F914D3260D679C90487A4

Function 00788202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0078821E
GetLastError.KERNEL32(?,00787CE2,?,?,?), ref: 00788228
GetProcessHeap.KERNEL32(00000008,?,?,00787CE2,?,?,?), ref: 00788237
HeapAlloc.KERNEL32(00000000,?,00787CE2,?,?,?), ref: 0078823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00788255

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 6fc51e82a181cfce7101defdacd3c485727fcc5efa54aabc122612f2567eb048
Instruction ID: 02e666f2c6e55b9866bfe34e26228fe8c616bec9e0c7b15d9c868e321ce22a69
Opcode Fuzzy Hash: 6fc51e82a181cfce7101defdacd3c485727fcc5efa54aabc122612f2567eb048
Instruction Fuzzy Hash: DB016271240208BFDB105FA9DC48D677BACFF857547504629F809C3120DA358C00CB60

Function 0078710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00787044,80070057,?,?,?,00787455), ref: 00787127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00787044,80070057,?,?), ref: 00787142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00787044,80070057,?,?), ref: 00787150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00787044,80070057,?), ref: 00787160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00787044,80070057,?,?), ref: 0078716C

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: b96576546373840e6fc57cc39790caa4a868b0e69d244b6b2ca4231a0796960d
Instruction ID: aa67e6dabf9aa00a6d633d0a5dcbd74d458f3878ee4504bd5d20dc502ec311d4
Opcode Fuzzy Hash: b96576546373840e6fc57cc39790caa4a868b0e69d244b6b2ca4231a0796960d
Instruction Fuzzy Hash: 57017172A05208ABDB159F64DC88FAA7BADEB84BA1F244164FD05D7210D739DD40D7A0

Function 00795244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00795260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0079526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00795276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00795280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007952BC

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 170064ab6654f0ebfe1267e3f80e46108bfd6126cd6b1f9e400a783f637ca96a
Instruction ID: 34a7e8d7adbce5ca1ab6b304d97fedbec6d79a91f02bc4b85f6ae0844ee3af27
Opcode Fuzzy Hash: 170064ab6654f0ebfe1267e3f80e46108bfd6126cd6b1f9e400a783f637ca96a
Instruction Fuzzy Hash: E50157B1D01A2DDBCF00EFE8EC48AEDBB78FB0D711F404566E941B2241CB38595087A5

Function 0078810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00788121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0078812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0078813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00788141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00788157

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9bc94537ddc681713f3bea44ef11ed2ff450f224db87728ce0b880159943a6eb
Instruction ID: dae074511820fd3d3f0e41146fa4ffc71596dbca77cb8aa63b00765caa38efab
Opcode Fuzzy Hash: 9bc94537ddc681713f3bea44ef11ed2ff450f224db87728ce0b880159943a6eb
Instruction Fuzzy Hash: 4DF0AF70280308BFEB516FA8EC8CF673BACEF49B54B404129F945C2160CF689C01DB61

Function 0078C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0078C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 0078C20E
MessageBeep.USER32(00000000), ref: 0078C226
KillTimer.USER32(?,0000040A), ref: 0078C242
EndDialog.USER32(?,00000001), ref: 0078C25C

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 713069180364a2499f0b37ab6826178c8c8caa2829114d365c23da90e093e647
Instruction ID: 80d08f5f676e02b45d48f8ff093065da97a556df54ef42b8a8c47820492151d2
Opcode Fuzzy Hash: 713069180364a2499f0b37ab6826178c8c8caa2829114d365c23da90e093e647
Instruction Fuzzy Hash: DF01D630444704ABEB216B64ED4EF9677B8FF00F06F004369F982A14E1DBF86944CBA4

Function 007313B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007313BF
StrokeAndFillPath.GDI32(?,?,0076B888,00000000,?), ref: 007313DB
SelectObject.GDI32(?,00000000), ref: 007313EE
DeleteObject.GDI32 ref: 00731401
StrokePath.GDI32(?), ref: 0073141C

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: e1527dec706aad5796ec43a26bd3f0eafef0482f9625f601a5c1e7901cf27cc9
Instruction ID: 6f54fcab0126244945b0380c44814a99acdbf3362245b94f2f88f109e3094f5d
Opcode Fuzzy Hash: e1527dec706aad5796ec43a26bd3f0eafef0482f9625f601a5c1e7901cf27cc9
Instruction Fuzzy Hash: 61F0FF31004B48EBEB116F2AEC4CB683FA4AB01766F58C325F529490F2C73D8995DF58

Function 0079C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0079C432
CoCreateInstance.OLE32(007C2D6C,00000000,00000001,007C2BDC,?), ref: 0079C44A

Part of subcall function 00737DE1: _memmove.LIBCMT ref: 00737E22

CoUninitialize.OLE32 ref: 0079C6B7

Strings

.lnk, xrefs: 0079C3C6, 0079C3EE, 0079C3F8

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 8194bb1d32d91f2216e34e2dad6ff8fe666bc0ff12ab535953a816bbe1c210ce
Instruction ID: dcdbba65e16c4d5ddb899a2b525cb0cb0f8169da7d230307ff49c538f4f246ab
Opcode Fuzzy Hash: 8194bb1d32d91f2216e34e2dad6ff8fe666bc0ff12ab535953a816bbe1c210ce
Instruction Fuzzy Hash: CAA12AB1208305EFE704EF54C885EABB7A8FF85354F00491DF195971A2EB75AA09CB52

Function 00742CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00750DB6: std::exception::exception.LIBCMT ref: 00750DEC
Part of subcall function 00750DB6: __CxxThrowException@8.LIBCMT ref: 00750E01

Part of subcall function 00737DE1: _memmove.LIBCMT ref: 00737E22

Part of subcall function 00737A51: _memmove.LIBCMT ref: 00737AAB

__swprintf.LIBCMT ref: 00742ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00742D66

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: a8ec3d4965691ff996da629bf3d79cdac50f53c72e1e58bd78e7c85254a48710
Instruction ID: 6cc0bdc6132cc93eae4c2ab6582ec5170843c0f393c431066663f0f12e9bfd01
Opcode Fuzzy Hash: a8ec3d4965691ff996da629bf3d79cdac50f53c72e1e58bd78e7c85254a48710
Instruction Fuzzy Hash: EC919DB1108701DFDB18EF24C889D6EB7A4EF85350F50491DF8859B2A2EB78ED49CB52

Function 0079B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00734750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00734743,?,?,007337AE,?), ref: 00734770

CoInitialize.OLE32(00000000), ref: 0079B9BB
CoCreateInstance.OLE32(007C2D6C,00000000,00000001,007C2BDC,?), ref: 0079B9D4
CoUninitialize.OLE32 ref: 0079B9F1

Part of subcall function 00739837: __itow.LIBCMT ref: 00739862
Part of subcall function 00739837: __swprintf.LIBCMT ref: 007398AC

Strings

.lnk, xrefs: 0079B99D, 0079B9AB

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 3575050546b0a8dec80bf54dc9fd96d1f350c9f32b19868cbd71a6169342ef90
Instruction ID: 9ed87f66df1c48113239a504c3fd828b1a4a7d475f4bcefc6a9b9d15356a79ca
Opcode Fuzzy Hash: 3575050546b0a8dec80bf54dc9fd96d1f350c9f32b19868cbd71a6169342ef90
Instruction Fuzzy Hash: 8AA134B56043019FDB00DF14D984D5ABBE5FF89324F048998F9999B3A2CB39EC45CB91

Function 0078B2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0078B4BE

Strings

Container, xrefs: 0078B43B
AutoIt3GUI, xrefs: 0078B436
%|, xrefs: 0078B561

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%|
API String ID: 3565006973-2882729281
Opcode ID: e02d5ea16c69ccf1341756142917c802307490bb4be746bd512f497c979c124c
Instruction ID: a24f3d3d63c6e7189fb9d73253f1ad89127d39ba6ecf80e51b5b24b591d7d519
Opcode Fuzzy Hash: e02d5ea16c69ccf1341756142917c802307490bb4be746bd512f497c979c124c
Instruction Fuzzy Hash: 7D915770640601EFDB14EF64C885B6ABBF9FF49710F20856DE94ACB6A1DBB4E841CB50

Function 0075501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 007550AD

Part of subcall function 007600F0: __87except.LIBCMT ref: 0076012B

Strings

pow, xrefs: 00755085, 007550A2

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 4461a50bcbb320a3c950089ef94418d40eea115b68f953bb0a0085fa51f9aa75
Instruction ID: 395f208fc1abccde873b9759b7a3da87bbded496960a2049806a393e4be814c4
Opcode Fuzzy Hash: 4461a50bcbb320a3c950089ef94418d40eea115b68f953bb0a0085fa51f9aa75
Instruction Fuzzy Hash: 7E516B6090890687DB156724C8653BF2B94AF41711F208D59ECDB862E9EE7C8DCCDAC6

Function 00778584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0077862B
_memmove.LIBCMT ref: 00778685

Strings

3ct, xrefs: 0077860C
_t, xrefs: 007786FF, 0077DFDC, 0077DFF8

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: _memmove
String ID: 3ct$_t
API String ID: 4104443479-1670605766
Opcode ID: 6677ba12863107e43923d5f663fff9f31f10c5297c5890aeffced1e64352f04e
Instruction ID: 227c323581a0d3b8cb5072bf87dbd8610f6b4d43f210b31bb4d74c5e70a53108
Opcode Fuzzy Hash: 6677ba12863107e43923d5f663fff9f31f10c5297c5890aeffced1e64352f04e
Instruction Fuzzy Hash: 2A515FB0D00615DFCF64CF68C884AAEBBF1FF44344F24852AE85AD7250EB38A955DB52

Function 007897F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007914BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00789296,?,?,00000034,00000800,?,00000034), ref: 007914E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0078983F

Part of subcall function 00791487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007892C5,?,?,00000800,?,00001073,00000000,?,?), ref: 007914B1

Part of subcall function 007913DE: GetWindowThreadProcessId.USER32(?,?), ref: 00791409
Part of subcall function 007913DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0078925A,00000034,?,?,00001004,00000000,00000000), ref: 00791419
Part of subcall function 007913DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0078925A,00000034,?,?,00001004,00000000,00000000), ref: 0079142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007898AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007898F9

Strings

@, xrefs: 00789911

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 402350fbe4bcfaf09ad1ba8d54d84bdf72596fca66cf65f34b11823884633935
Instruction ID: f7aaf426c2ff128fe5364a17304be070cfa3ccf20e196fc4ccb970506fc8e53f
Opcode Fuzzy Hash: 402350fbe4bcfaf09ad1ba8d54d84bdf72596fca66cf65f34b11823884633935
Instruction Fuzzy Hash: 99418C7690021DAFCF10EFA4CC85AEEBBB8EB49300F004199FA45B7191DA746E45CBA0

Function 007B7946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,007BF910,00000000,?,?,?,?), ref: 007B79DF
GetWindowLongW.USER32 ref: 007B79FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007B7A0C

Strings

SysTreeView32, xrefs: 007B79B1

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: ac52d315c49617a73465c9af35e890b7201b2ede41f5d7b903602abbea265e10
Instruction ID: 46f33f310829c0bae002f96f8190a93c49cfbe23e9eee3c46b6e340a5b541d48
Opcode Fuzzy Hash: ac52d315c49617a73465c9af35e890b7201b2ede41f5d7b903602abbea265e10
Instruction Fuzzy Hash: 8731B03120460AABEB158E38CC45BEA77A9EF45324F208725F975D22E1D739ED51CB50

Function 007B73D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 007B7461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007B7475
SendMessageW.USER32(?,00001002,00000000,?), ref: 007B7499

Strings

SysMonthCal32, xrefs: 007B742C

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 88809b6a43051381e5e05804e14da07703a51ba497b169298af6eef26942dff6
Instruction ID: 6aec6ecc902934e64d9ab1083c830424447d300dfe33eb0c3400ef5985c9a98c
Opcode Fuzzy Hash: 88809b6a43051381e5e05804e14da07703a51ba497b169298af6eef26942dff6
Instruction Fuzzy Hash: 5921A132600258BBDF158FA4CC46FEA3B79EF88724F110214FE156B1D0DAB9AC51DBA0

Function 007B7B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 007B7C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 007B7C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 007B7C5F

Strings

msctls_updown32, xrefs: 007B7BC4

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 01f75814a59ad841964ef0f3e66a0f62b2a140c9c45b814f0d243a0650505f15
Instruction ID: 66212b1812d3a87f8c26ed5e9aa1de4bb35afc6764cbddb1b29f6ef43b55645e
Opcode Fuzzy Hash: 01f75814a59ad841964ef0f3e66a0f62b2a140c9c45b814f0d243a0650505f15
Instruction Fuzzy Hash: D8216DB1604208AFDB15DF18DCC5DB63BACEB4A394B544059FA019B361CB75EC11CA70

Function 007B6CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 007B6D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 007B6D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 007B6D70

Strings

Listbox, xrefs: 007B6D08

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: d7547ddaf30f2959998303e9090372944f32047df5e3158f5abde691ac60ec9a
Instruction ID: c5a5d0e0d6a04563f32da24e599b387df5cc1527fa40e9175f5eb56c1e7bc904
Opcode Fuzzy Hash: d7547ddaf30f2959998303e9090372944f32047df5e3158f5abde691ac60ec9a
Instruction Fuzzy Hash: 3E218032710118BFDF118F54CC45FFB3BAAEF89754F018124FA459B1A0CA79AC5197A0

Function 007A39E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 007A3A66

Part of subcall function 00737DE1: _memmove.LIBCMT ref: 00737E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 007A3A58
, $, xrefs: 007A3AA6
%|, xrefs: 007A39F4

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%|
API String ID: 3506404897-2300887487
Opcode ID: e7859a28c9410e75688485a9d6a039bf7ff29c5d6801fa62e2fbd59900b03c1f
Instruction ID: 064293e1f9748b385d141e6bce1ff14d706506787f0942f1d4f8cfd3ee356aec
Opcode Fuzzy Hash: e7859a28c9410e75688485a9d6a039bf7ff29c5d6801fa62e2fbd59900b03c1f
Instruction Fuzzy Hash: A921A771600229EFCF54EF64CC86EAE77B5AF45700F504458F549A7182DB38EA45CB71

Function 007B770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007B7772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007B7787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 007B7794

Strings

msctls_trackbar32, xrefs: 007B7749

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: fc6b13aed7c56ec3247cb0c7ef42ea8be2cd5d3a4865f7342060b3ebd263f876
Instruction ID: 1393d48d5ff892945ab7f3137bfd590266481aa4adb7edaf6431af338a862bb6
Opcode Fuzzy Hash: fc6b13aed7c56ec3247cb0c7ef42ea8be2cd5d3a4865f7342060b3ebd263f876
Instruction Fuzzy Hash: 2B11E372254208BEEF249F65CC05FEB77A9EFC9B54F114628FA41A6090C676E811CB20

Function 00759B79 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00759B94

Part of subcall function 00759C0B: __mtinitlocknum.LIBCMT ref: 00759C1D
Part of subcall function 00759C0B: EnterCriticalSection.KERNEL32(00000000,?,00759A7C,0000000D), ref: 00759C36

__updatetlocinfoEx_nolock.LIBCMT ref: 00759BA4

Part of subcall function 00759100: ___addlocaleref.LIBCMT ref: 0075911C
Part of subcall function 00759100: ___removelocaleref.LIBCMT ref: 00759127
Part of subcall function 00759100: ___freetlocinfo.LIBCMT ref: 0075913B

Strings

8~, xrefs: 00759B8A, 00759B9F, 00759BAB
8~, xrefs: 00759B85

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: 8~$8~
API String ID: 547918592-4061854447
Opcode ID: c1dd61124575347b4c34182f356dd927211b47aaf1833a0cf35fcc645f5ecfce
Instruction ID: a4e45f901d472552a38a87873e9488b5c06e8c06fa6fdb63670d4f61ec265dfd
Opcode Fuzzy Hash: c1dd61124575347b4c34182f356dd927211b47aaf1833a0cf35fcc645f5ecfce
Instruction Fuzzy Hash: D3E086F1943345E7EA50B7A4694BF8C36505B04723F204159F9556D0C1DEFC1408851B

Function 00734C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00734B83,?), ref: 00734C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00734C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00734C50
kernel32.dll, xrefs: 00734C3F

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 60eb9fa85155b888f5077cef934ff36bc8fd8c915fd1f1146ac7876ca193b6fa
Instruction ID: ce621d29b847a93e7395a3e44fa154869b763df5be99414d0d185a79e656d974
Opcode Fuzzy Hash: 60eb9fa85155b888f5077cef934ff36bc8fd8c915fd1f1146ac7876ca193b6fa
Instruction Fuzzy Hash: D0D0C2B0511717CFD7244F36CC0871672D5AF04740F10CC39D492C6160E678D880C620

Function 00734C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00734BD0,?,00734DEF,?,007F52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00734C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00734C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 00734C1D
kernel32.dll, xrefs: 00734C0C

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 8b1c5a162f04bad659abac749e6196ea160d173ecb098f304f27e0a1d0045e1d
Instruction ID: 92d1580ced1991cf6913d012af6304bf1a991d554d263cd9fa29fefe73b5e7b1
Opcode Fuzzy Hash: 8b1c5a162f04bad659abac749e6196ea160d173ecb098f304f27e0a1d0045e1d
Instruction Fuzzy Hash: 8AD0C27051171BCFDB205F75CC08707B6E6EF08741F00CC39D481C2150E6B8D880C620

Function 007B0DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,007B1039), ref: 007B0DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007B0E07

Strings

RegDeleteKeyExW, xrefs: 007B0E01
advapi32.dll, xrefs: 007B0DF0

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 32cff744dbe990542bac6ed451492974332bd5275017f885090e71580794ab95
Instruction ID: f518b4867287fcde0fd1a8f11fa85c298613aef2872aa69406b6031fb37edcb4
Opcode Fuzzy Hash: 32cff744dbe990542bac6ed451492974332bd5275017f885090e71580794ab95
Instruction Fuzzy Hash: 86D0C27140031ACFC3205F79CC097C372D5AF04741F00CC3DD591C2190E6B8E4A0C644

Function 007A90E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,007A8CF4,?,007BF910), ref: 007A90EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 007A9100

Strings

GetModuleHandleExW, xrefs: 007A90FA
kernel32.dll, xrefs: 007A90E9

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 8c66a7132c40ce231d800714d30023377151b862745deffc84a5a25b713ccf2f
Instruction ID: fa9e3c3ba42c20aa966cf8693752f9404d6ae84a1755db23dd700f6d99d28732
Opcode Fuzzy Hash: 8c66a7132c40ce231d800714d30023377151b862745deffc84a5a25b713ccf2f
Instruction Fuzzy Hash: 91D0C7B052071BCFCB208F39CC08B0272E9AF06B41B22CD3AD486D2190FA78C880CA90

Function 00771714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00771718
__swprintf.LIBCMT ref: 00771749

Strings

WIN_XPe, xrefs: 00771788
%.3d, xrefs: 00771723

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: dff36749101ecf352f2ccf4d0316b874060ab6b6a79780c4095fcd4c0bbc337e
Instruction ID: 2782038b5f50b856724f851091a3f35032af16d63dd6ca7ee4e8336ced7bd969
Opcode Fuzzy Hash: dff36749101ecf352f2ccf4d0316b874060ab6b6a79780c4095fcd4c0bbc337e
Instruction Fuzzy Hash: 23D05B7280510CFACF4997949C89CFD737CB718381F904562F90AE2050E23D8B54D761

Function 0078717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 559fad1b89b0a43a53c04d3a04492efc812125a0e8f61ce518153a9a97f2adf4
Instruction ID: bbd6cb65ddfd90e106c13d88c496bbd94348b6a7b0be9df95183d471b1fd347a
Opcode Fuzzy Hash: 559fad1b89b0a43a53c04d3a04492efc812125a0e8f61ce518153a9a97f2adf4
Instruction Fuzzy Hash: ACC19375A04216EFCB18DFA4C884EAEBBB5FF48714B248598F80ADB251D734DD41DB90

Function 007AE02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 007AE0BE
CharLowerBuffW.USER32(?,?), ref: 007AE101

Part of subcall function 007AD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 007AD7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 007AE301
_memmove.LIBCMT ref: 007AE314

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: b5d736eea904a19e72723d29832f1adbcde20eb68d80882f0269e0acd0ba2276
Instruction ID: 4e03960245bd7199bd8b7cd8c1ce156db16882468085607d62e1c46d7b790f8a
Opcode Fuzzy Hash: b5d736eea904a19e72723d29832f1adbcde20eb68d80882f0269e0acd0ba2276
Instruction Fuzzy Hash: 8AC15771608301DFC714DF28C484A6ABBE4FF8A714F048A6DF8999B351D775E906CB82

Function 007A8093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007A80C3
CoUninitialize.OLE32 ref: 007A80CE

Part of subcall function 0078D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0078D5D4

VariantInit.OLEAUT32(?), ref: 007A80D9
VariantClear.OLEAUT32(?), ref: 007A83AA

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 362b34ccb99b0d18f358c5a413f6f016eb527ef526fdb39c0efc9d8a45e32531
Instruction ID: 2d2c3a4ac4b07a4087b9e0c8d3bb4002e1f41004c003dc18bc66f683164bdce5
Opcode Fuzzy Hash: 362b34ccb99b0d18f358c5a413f6f016eb527ef526fdb39c0efc9d8a45e32531
Instruction Fuzzy Hash: BDA16975604701DFDB40DF24C885B6AB7E4BF8A724F048508FA959B3A2CB78EC05CB82

Function 0078687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0078688E
SysAllocString.OLEAUT32(00000000), ref: 00786937
VariantCopy.OLEAUT32 ref: 00786966
VariantClear.OLEAUT32(?), ref: 0078698D

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 7984e8a23c8a5078641207398f9b02ed347f46baa8249ad757649874243556aa
Instruction ID: a5dfcc710d0759d5e38ec16aaa9584493e1cbc4257a8e84c6218959fc3544122
Opcode Fuzzy Hash: 7984e8a23c8a5078641207398f9b02ed347f46baa8249ad757649874243556aa
Instruction Fuzzy Hash: E851E774780301FADF28BF65D895A2AB3E5AF44310F20C81FE686DB291DA7CD8408742

Function 007B97F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(013FE638,?), ref: 007B9863
ScreenToClient.USER32(00000002,00000002), ref: 007B9896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 007B9903

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 363fb5277333b48ad457944a0a181e48c2879f0ff9beece89b4ed95504db2b02
Instruction ID: bb81b12a97dc104b70b73b77aed4ead575a0d5d3a50d99968c178cd5a7174638
Opcode Fuzzy Hash: 363fb5277333b48ad457944a0a181e48c2879f0ff9beece89b4ed95504db2b02
Instruction Fuzzy Hash: C3513034A00609EFCF14CF54D884AEE7BB5FF55360F148169FA659B2A0D735AD41CB90

Function 00789A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00789AD2
__itow.LIBCMT ref: 00789B03

Part of subcall function 00789D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00789DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00789B6C
__itow.LIBCMT ref: 00789BC3

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 30709f0cc2a4a151fd7543ed8b2d2f45171cedf6c444e0eb3b4a1108854a6fd1
Instruction ID: c2a216d61d9f54425197989d27c1e11b4e1d1edf64e98bcc7ca3ceae81e7e250
Opcode Fuzzy Hash: 30709f0cc2a4a151fd7543ed8b2d2f45171cedf6c444e0eb3b4a1108854a6fd1
Instruction Fuzzy Hash: 074181B0A40208EBDF25EF54D849BFE7FB9EF48754F040059FA05A7292DB789944CB61

Function 007A69AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 007A69D1
WSAGetLastError.WSOCK32(00000000), ref: 007A69E1

Part of subcall function 00739837: __itow.LIBCMT ref: 00739862
Part of subcall function 00739837: __swprintf.LIBCMT ref: 007398AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 007A6A45
WSAGetLastError.WSOCK32(00000000), ref: 007A6A51

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: d721160653b6fb8c21971043632d20a1fb9cbd4200eecc8b657fc30530e56394
Instruction ID: cbb1621f8127eacea21b9d20a464214845e14110241ccc914682353f83f4a44d
Opcode Fuzzy Hash: d721160653b6fb8c21971043632d20a1fb9cbd4200eecc8b657fc30530e56394
Instruction Fuzzy Hash: 0C41A275740200AFEB60AF24DC8AF6A77E49B45B14F04C158FA59AB2C3DAB99D008B91

Function 007A641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,007BF910), ref: 007A64A7
_strlen.LIBCMT ref: 007A64D9

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: b9484e13d0e1b0d02468a228c7133ebc95dddcf087a72d1f99a1b258c11c3499
Instruction ID: b87ea0df87dc9156257816d6086c7024601e27f245c7a90f73f91c9a93e2204d
Opcode Fuzzy Hash: b9484e13d0e1b0d02468a228c7133ebc95dddcf087a72d1f99a1b258c11c3499
Instruction Fuzzy Hash: F441F571A00104EFDB14FBA8DCC9FAEB7A9AF49310F148255F91997297DB38AE14CB50

Function 0079B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0079B89E
GetLastError.KERNEL32(?,00000000), ref: 0079B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0079B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0079B915

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 640e08a34a7e4d3f9b87209c360cf7d212d23103c8351fbfad98c5a113d037ea
Instruction ID: faacf1a2086506a0dc1e535d0cfc3ab56e9c4985db9eb0d0766e2a523dff7e8b
Opcode Fuzzy Hash: 640e08a34a7e4d3f9b87209c360cf7d212d23103c8351fbfad98c5a113d037ea
Instruction Fuzzy Hash: E1411939600610DFDB10EF15D588A9DBBE1AF89720F198098ED4A9B362CB79FD01CB91

Function 007B8851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007B88DE

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 55e3b337b742af579bb03fc675cfd135305f66e14fb0df2020e722662cea9296
Instruction ID: f3fd9ea8e4b41a6981b513d05273e1a97f9a48428c70ada046ad3ef4a7e6538a
Opcode Fuzzy Hash: 55e3b337b742af579bb03fc675cfd135305f66e14fb0df2020e722662cea9296
Instruction Fuzzy Hash: FC31A134610108FFEFA49A58CC49FF97BA9EB05350F544112FA15E62A1CA7CE980D757

Function 007BAB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 007BAB60
GetWindowRect.USER32(?,?), ref: 007BABD6
PtInRect.USER32(?,?,007BC014), ref: 007BABE6
MessageBeep.USER32(00000000), ref: 007BAC57

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 41d17a0c9164e61a507749324b42320201d5f06020edd1a1d7a087e2e0b33628
Instruction ID: 122abbd14a5b9ef1a327d39f41901e77f818360416a6d5ad701d420443aaa907
Opcode Fuzzy Hash: 41d17a0c9164e61a507749324b42320201d5f06020edd1a1d7a087e2e0b33628
Instruction Fuzzy Hash: 4041AD70600619EFCB21EF58C884BA97BF5FF49350F1881A9E914DB260D738E841CBA2

Function 00790AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00790B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00790B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00790BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00790BFB

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 6890d832d882f123578f76a1b707e45b89e2a010d502bc0168f1b342020769a5
Instruction ID: 23c1bd6b838f67ec44186418f57ec0e56411a6ef34494f4680b6394ce5c32b0b
Opcode Fuzzy Hash: 6890d832d882f123578f76a1b707e45b89e2a010d502bc0168f1b342020769a5
Instruction Fuzzy Hash: 59315AB0D50618AEFF358B29AC09BFEBBA9AF45318F04835AE490521D1C37C899097E5

Function 00790C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00790C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00790C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00790CE1
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00790D33

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c9d10ec27f2430657c0be755c980e09dcfd6f2cc5dbd0cda8342e771ad577bb4
Instruction ID: 606796d302bc11183ec24e07dc98520ee5a7ca829af75c3a5f21c633330d9e9a
Opcode Fuzzy Hash: c9d10ec27f2430657c0be755c980e09dcfd6f2cc5dbd0cda8342e771ad577bb4
Instruction Fuzzy Hash: CF312630A50618AEFF308B65AC08BFEBBB6AF46310F04831AE485521D1C33D9D55D7E5

Function 007661C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 007661FB
__isleadbyte_l.LIBCMT ref: 00766229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00766257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0076628D

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: b1fb700f8bff15815bff00baf719e18bdf9b91a658e22b09ecbb3c497d5d5673
Instruction ID: d54151709878220b64e83ed75d61ba17083e5f04f2e0ec65321c060b1e74d17a
Opcode Fuzzy Hash: b1fb700f8bff15815bff00baf719e18bdf9b91a658e22b09ecbb3c497d5d5673
Instruction Fuzzy Hash: 8131DE3060024AEFDF218F65CC58BAA7FA9FF42320F554128EC26971A1E739E950DB90

Function 007B4EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007B4F02

Part of subcall function 00793641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0079365B
Part of subcall function 00793641: GetCurrentThreadId.KERNEL32 ref: 00793662
Part of subcall function 00793641: AttachThreadInput.USER32(00000000,?,00795005), ref: 00793669

GetCaretPos.USER32(?), ref: 007B4F13
ClientToScreen.USER32(00000000,?), ref: 007B4F4E
GetForegroundWindow.USER32 ref: 007B4F54

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: e4c6b95159a032272b2610deef2bff6d224eda993555fd744122b503e0b3d960
Instruction ID: 6381aadc0605de721e003ba77bf22bec257a4cb23426fc0243508a8fdf6dba10
Opcode Fuzzy Hash: e4c6b95159a032272b2610deef2bff6d224eda993555fd744122b503e0b3d960
Instruction Fuzzy Hash: 94310F71D00208AFDB00EFA5C885EEFB7F9EF94300F10406AE555E7242DA79AE058BA1

Function 007BC498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00732612: GetWindowLongW.USER32(?,000000EB), ref: 00732623

GetCursorPos.USER32(?), ref: 007BC4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0076B9AB,?,?,?,?,?), ref: 007BC4E7
GetCursorPos.USER32(?), ref: 007BC534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0076B9AB,?,?,?), ref: 007BC56E

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: c7edc64bd1bd4cfd50a1d6baf9186ccbfa4f6db2d6fd07dacf29848369da7aa0
Instruction ID: 636537d61357e78a32b55e884e9b4d5d2b944475f102d7003ceb155126802421
Opcode Fuzzy Hash: c7edc64bd1bd4cfd50a1d6baf9186ccbfa4f6db2d6fd07dacf29848369da7aa0
Instruction Fuzzy Hash: FE319135600458EFCB268F58C858FFA7BB5EF09710F148169FA058B262C739AD60DBA4

Function 00788656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0078810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00788121
Part of subcall function 0078810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0078812B
Part of subcall function 0078810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0078813A
Part of subcall function 0078810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00788141
Part of subcall function 0078810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00788157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007886A3
_memcmp.LIBCMT ref: 007886C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007886FC
HeapFree.KERNEL32(00000000), ref: 00788703

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 13c9dcb70b42369c5fcf08f6966153408a93a0cf13c7fd2aa88970986406c3d6
Instruction ID: aa54aa6a430ab20d05bc393989f640b550b35751a299d6a561d3492842f040bf
Opcode Fuzzy Hash: 13c9dcb70b42369c5fcf08f6966153408a93a0cf13c7fd2aa88970986406c3d6
Instruction Fuzzy Hash: CD219071E80108EFDB50EFA8CD49BEEB7B8EF44305F558059E454A7242EB39AE05CB51

Function 0075098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 007509AE

Part of subcall function 00735A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00797896,?,?,00000000), ref: 00735A2C
Part of subcall function 00735A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00797896,?,?,00000000,?,?), ref: 00735A50

_fprintf.LIBCMT ref: 007509E5
OutputDebugStringW.KERNEL32(?), ref: 00785DBB

Part of subcall function 00754AAA: _flsall.LIBCMT ref: 00754AC3

__setmode.LIBCMT ref: 00750A1A

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: f5bc03b126e4a27f60a02f2ca40baf2026ef5a94043269e9dac73cc96dd8cc1d
Instruction ID: a0008d47d7e0b087ef65d8c5cf64092a185b92642bbab2d9183f939f8b04bd35
Opcode Fuzzy Hash: f5bc03b126e4a27f60a02f2ca40baf2026ef5a94043269e9dac73cc96dd8cc1d
Instruction Fuzzy Hash: 5B115731604204EFDB04B3B49C8E9FE77689F42321F104119FA0453183EEAD589A97E5

Function 007A1767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007A17A3

Part of subcall function 007A182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007A184C
Part of subcall function 007A182D: InternetCloseHandle.WININET(00000000), ref: 007A18E9

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 2c970dba344ed1dc75e8460517aafd187a2b2338dfa8cc37c1cb23704a663bbe
Instruction ID: 5ed1dd371955f504ebd53e9b3151550ecbf0babf1500d945f6430507b67bef04
Opcode Fuzzy Hash: 2c970dba344ed1dc75e8460517aafd187a2b2338dfa8cc37c1cb23704a663bbe
Instruction Fuzzy Hash: E721D431200601BFFB129F64CC00FBABBA9FF8AB21F50422AF91196551DB7D981197A4

Function 00793A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,007BFAC0), ref: 00793A64
GetLastError.KERNEL32 ref: 00793A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00793A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,007BFAC0), ref: 00793ADF

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: f0b565a83ff4e63772da79fa7e9c4e14beb2ba7133bcf08829ce242c638c8662
Instruction ID: cfd3ab6f875e8a496c2ab1bf1691651777f405386f0f15d041285fd33a087bbb
Opcode Fuzzy Hash: f0b565a83ff4e63772da79fa7e9c4e14beb2ba7133bcf08829ce242c638c8662
Instruction Fuzzy Hash: D621A674508201DF8B10DF28DC859AA77E4FF55764F108A1EF499C72A2D739DE45CB42

Function 007650E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00765101

Part of subcall function 0075571C: __FF_MSGBANNER.LIBCMT ref: 00755733
Part of subcall function 0075571C: __NMSG_WRITE.LIBCMT ref: 0075573A
Part of subcall function 0075571C: RtlAllocateHeap.NTDLL(013E0000,00000000,00000001,00000000,?,?,?,00750DD3,?), ref: 0075575F

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: e3cb17089f2a048a4b462ca787c9b68919f0559b2c8932eb87416373574539e7
Instruction ID: 6b667ec64dddab498846d318e70c60317fe3a53662b91e0033dcd4bb26d4f76b
Opcode Fuzzy Hash: e3cb17089f2a048a4b462ca787c9b68919f0559b2c8932eb87416373574539e7
Instruction Fuzzy Hash: EC1129B2900A19EFCB353F74EC49BAD37989F063A2F204529FD06AA150DE7C8D44A795

Function 007A6369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00735A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00797896,?,?,00000000), ref: 00735A2C
Part of subcall function 00735A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00797896,?,?,00000000,?,?), ref: 00735A50

gethostbyname.WSOCK32(?), ref: 007A6399
WSAGetLastError.WSOCK32(00000000), ref: 007A63A4
_memmove.LIBCMT ref: 007A63D1
inet_ntoa.WSOCK32(?), ref: 007A63DC

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 2e5d2b59b2f9908c65746a7347e8d23413a9806f76407d177bff4fcdc6b9d419
Instruction ID: d35ac5d941adb3e08754da1fddafe3c9b8439f94701d0b7442a5d33197b31265
Opcode Fuzzy Hash: 2e5d2b59b2f9908c65746a7347e8d23413a9806f76407d177bff4fcdc6b9d419
Instruction Fuzzy Hash: CC116031500109EFDB04FBA4DD8ADEEB7B8AF49310B148165F505A7262DB39AF14DBA1

Function 00788B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00788B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00788B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00788B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00788BA4

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: edd0008a04626a5eb79c6ac005bfcde0a6ef73fe646941b27a8cf4735f844f52
Instruction ID: e79216dd57fada431d8be6e01ec8dc61f9e4ed93837348d93291a3e8d0d6c863
Opcode Fuzzy Hash: edd0008a04626a5eb79c6ac005bfcde0a6ef73fe646941b27a8cf4735f844f52
Instruction Fuzzy Hash: 65115EB9941218FFDB11DFA5CC84F9DBB74FB48710F204095E900B7290DA716E10DB94

Function 00731290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00732612: GetWindowLongW.USER32(?,000000EB), ref: 00732623

DefDlgProcW.USER32(?,00000020,?), ref: 007312D8
GetClientRect.USER32(?,?), ref: 0076B5FB
GetCursorPos.USER32(?), ref: 0076B605
ScreenToClient.USER32(?,?), ref: 0076B610

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 1233403e9f3b941ae567975276a306e4c183141f0e5f153bb29e48a73b1db2d9
Instruction ID: 08208e0fd6f8fc0b0f0ca738ca8f51c8a812a35158a4939adc5ecdeccd097a34
Opcode Fuzzy Hash: 1233403e9f3b941ae567975276a306e4c183141f0e5f153bb29e48a73b1db2d9
Instruction Fuzzy Hash: 6C111635A00019EBDB10EF98D8899EE77B8FB05300F804565FA41E7242C738BA51CBA9

Function 0078D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0078D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0078D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0078D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0078D897

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 0bfa6f9039f33b9f9361285bf121c0b7a85b370cc423e106c722637b14601fef
Instruction ID: 2aa416056b31ed03be234eb3938ecb15966e41427b2ad0d402c5c5b608e6da18
Opcode Fuzzy Hash: 0bfa6f9039f33b9f9361285bf121c0b7a85b370cc423e106c722637b14601fef
Instruction Fuzzy Hash: 4F1161B5645304EBE330AF51DC08F97BBBCEB00B10F108569E516D6090D7B8E949ABA1

Function 00766FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00766FDB

Part of subcall function 007676C2: __fltout2.LIBCMT ref: 007676EB

__cftog_l.LIBCMT ref: 00767001
__cftoe_l.LIBCMT ref: 00767033

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 2cea45afdb0f0d82210b3531bcb38cfc78f580552a653eac8cbba980487f5742
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 61014B7244814ABBCF1A5E84CC05CEE3F62BB18399B588455FE1A98031D23AC9B1EB91

Function 007BB2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007BB2E4
ScreenToClient.USER32(?,?), ref: 007BB2FC
ScreenToClient.USER32(?,?), ref: 007BB320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 007BB33B

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 1768d1364cf5199b18b484b2d816885610e9101d3400af4cb6b28ab3f0ab30af
Instruction ID: 09a1426fd6f4415c2473385b915176efb2a53b20d83a1ddf676e903d5b9239ee
Opcode Fuzzy Hash: 1768d1364cf5199b18b484b2d816885610e9101d3400af4cb6b28ab3f0ab30af
Instruction Fuzzy Hash: 751144B9D00209EFDB41CFA9C884AEEBBF9FF08314F108166E914E3220D775AA558F54

Function 007BB635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007BB644
_memset.LIBCMT ref: 007BB653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,007F6F20,007F6F64), ref: 007BB682
CloseHandle.KERNEL32 ref: 007BB694

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 14637baa2a88c60bc3b987affde9990ff86f12ce5a9ad5ece0f43dda8c1efa19
Instruction ID: add703498ad70044d30b228ae130a929cf7b1281bc2ac39087590106b9971042
Opcode Fuzzy Hash: 14637baa2a88c60bc3b987affde9990ff86f12ce5a9ad5ece0f43dda8c1efa19
Instruction Fuzzy Hash: A6F0DAB2640304BBE2102765BC0AFBB7BDCEB09795F048025FA08E6192D7BA5C10C7AC

Function 00796BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00796BE6

Part of subcall function 007976C4: _memset.LIBCMT ref: 007976F9

_memmove.LIBCMT ref: 00796C09
_memset.LIBCMT ref: 00796C16
LeaveCriticalSection.KERNEL32(?), ref: 00796C26

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: efc34cd2bada9b53fb54b34fef95c15a4d58301f842b76679b5cfb831bce18f9
Instruction ID: 0aa612dc4a86dd1b31c3301f1399fecffeae0bd51ff9eb61a34e366df8f61e73
Opcode Fuzzy Hash: efc34cd2bada9b53fb54b34fef95c15a4d58301f842b76679b5cfb831bce18f9
Instruction Fuzzy Hash: 8DF0543A200100BBCF056F95EC89E8ABB29EF45321F04C065FE089E227C775E811CBB4

Function 00732218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00732231
SetTextColor.GDI32(?,000000FF), ref: 0073223B
SetBkMode.GDI32(?,00000001), ref: 00732250
GetStockObject.GDI32(00000005), ref: 00732258
GetWindowDC.USER32(?,00000000), ref: 0076BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0076BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0076BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0076BEC2
GetPixel.GDI32(00000000,?,?), ref: 0076BEE2
ReleaseDC.USER32(?,00000000), ref: 0076BEED

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: d23ccc99100474102baa55e9915cc138d5703fd97ec512511d72d349fe939d35
Instruction ID: 39912f9e7f109a23093039ecf2eb65dccc4a7f494c633bf7f85a0fe5c01c068c
Opcode Fuzzy Hash: d23ccc99100474102baa55e9915cc138d5703fd97ec512511d72d349fe939d35
Instruction Fuzzy Hash: 03E06D32104248EAEF215FA8FC0DBD83F10EB06732F00C366FA69980F1877A4990DB12

Function 00788712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0078871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,007882E6), ref: 00788722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007882E6), ref: 0078872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,007882E6), ref: 00788736

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: de15035a647d4b61667a0096b7ece7cdaade3f6f926f7ca2655b4bf67292c4c7
Instruction ID: f0abf7e0ccf6f1bec2d1b7192175da2d98fc465d41ab4247993354526c338f48
Opcode Fuzzy Hash: de15035a647d4b61667a0096b7ece7cdaade3f6f926f7ca2655b4bf67292c4c7
Instruction Fuzzy Hash: D6E08636655211ABD7606FF05D0CF963BBCEF54B91F14C828F245CA050DA3C8441C755

Function 00736240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%|, xrefs: 0073624E

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID:
String ID: %|
API String ID: 0-1433500012
Opcode ID: 68d08ae06187cfe173f0fc2ffe6550a0f536c5a6bdd894fc5f990267604a4c50
Instruction ID: 64715360b80b480ebf2eff0aece2051a4e6cab3dae0f4c808ba2ca20e5769fca
Opcode Fuzzy Hash: 68d08ae06187cfe173f0fc2ffe6550a0f536c5a6bdd894fc5f990267604a4c50
Instruction Fuzzy Hash: D3B17F71D00109EAEF24EF94C8859FEBBB5FF44310F548126E952A7193EB389E85CB91

Function 0079AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0074FC86: _wcscpy.LIBCMT ref: 0074FCA9

Part of subcall function 00739837: __itow.LIBCMT ref: 00739862
Part of subcall function 00739837: __swprintf.LIBCMT ref: 007398AC

__wcsnicmp.LIBCMT ref: 0079B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0079B0F6

Strings

LPT, xrefs: 0079B027

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: c7d914b292613c915d42032e279b917bb5c65a94d152864a72b2b1e86052abb0
Instruction ID: 2ebc0d6a61dd3b716af328c5d50898833ddde6557a3d5592930a65a21b782b5c
Opcode Fuzzy Hash: c7d914b292613c915d42032e279b917bb5c65a94d152864a72b2b1e86052abb0
Instruction Fuzzy Hash: 3D61BF75A00218EFCF14DF98E995EAEB7B4EF08310F004069F916AB391D778AE40CB50

Function 00742957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00742968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00742981

Strings

@, xrefs: 00742975

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 8170f2e6bdb091f7c1bf5e18878182926d62a5b51a8b40859cfd772278b4bb37
Instruction ID: 53ccd2f3b99b88268ea9bf9a4947299fb6b52ea7a62942d167dbf60886d6ba6a
Opcode Fuzzy Hash: 8170f2e6bdb091f7c1bf5e18878182926d62a5b51a8b40859cfd772278b4bb37
Instruction Fuzzy Hash: 455125724187449BE320EF10D88ABAFBBF8FB85344F41885DF2D8411A2DB759529CB66

Function 00799734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00734F0B: __fread_nolock.LIBCMT ref: 00734F29

_wcscmp.LIBCMT ref: 00799824
_wcscmp.LIBCMT ref: 00799837

Strings

FILE, xrefs: 00799770

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 06c57d546b4e3f4abec3e824c3f997bb95c25eaf5fea2f4d8496df180303d0cd
Instruction ID: 153f07142bf30b1a883f3b018cff0bc530463de53fd847ef5f7bf97edce67361
Opcode Fuzzy Hash: 06c57d546b4e3f4abec3e824c3f997bb95c25eaf5fea2f4d8496df180303d0cd
Instruction Fuzzy Hash: 3D41D971A0020ABAEF249AA5DC49FEFB7BDDF85714F10046DFA04A7181DA79A9048B61

Function 007A258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007A259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 007A25D4

Strings

|, xrefs: 007A25A5

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 9758017b2794c85cd940502fb2c91709ee75afafbd5bf6aec2042c7373608c2d
Instruction ID: 456bf98a8505b556b4c4da6b5e300fe3e5cbdc639799ed04e25910a09305ff28
Opcode Fuzzy Hash: 9758017b2794c85cd940502fb2c91709ee75afafbd5bf6aec2042c7373608c2d
Instruction Fuzzy Hash: 333137B1801119EBDF15EFA4CC89EEEBFB8FF09300F100159F914B6162EA395916DB60

Function 007B7A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 007B7B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007B7B76

Strings

', xrefs: 007B7ACA

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: bd4a7612b120c28306d54c40555aef747c47013e3745d188801be96db25dc751
Instruction ID: 66b06700084c8533edc8e2584ac5da58213ea5d4cb0cae69430b25796d28f333
Opcode Fuzzy Hash: bd4a7612b120c28306d54c40555aef747c47013e3745d188801be96db25dc751
Instruction Fuzzy Hash: 1D41F874A0520ADFDB58CF68C981BEABBB5FF48310F10416AE905EB391D774AA51CF90

Function 007B6A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 007B6B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 007B6B53

Strings

static, xrefs: 007B6AB3

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: bb4395bc7edfff3f431939e7cf1e6446976056d50be5cda1eb9ba7ab6c445cce
Instruction ID: 87c3cd243cf77d4741ac45c6eef0a9645c43247a176d28a6c3fcd94ba68da77f
Opcode Fuzzy Hash: bb4395bc7edfff3f431939e7cf1e6446976056d50be5cda1eb9ba7ab6c445cce
Instruction Fuzzy Hash: AA3190B1210604AEEB109F68CC50BFB73B9FF48760F108619FAA9D7190DA79AC51C760

Function 007928A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00792911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0079294C

Strings

0, xrefs: 0079290A

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: ae58ab842fd2d3af7127172602bd50b2bbfdc496771cf003248dfb105c83f2f5
Instruction ID: 749abf731f3d76ad8b0dce0ed6c5e0d2b151e1e4846282f6c1177b5da7281387
Opcode Fuzzy Hash: ae58ab842fd2d3af7127172602bd50b2bbfdc496771cf003248dfb105c83f2f5
Instruction Fuzzy Hash: E531C331600305BBEF24EF58E845BAEBBB8EF45360F144029E985B61A2D778A946CB51

Function 007B66D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007B6761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007B676C

Strings

Combobox, xrefs: 007B672E

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 2aada866b9bdda84836ccb94be739d5519668ea043377ccbb8e2e78fa724ab38
Instruction ID: 5da27aac6a06a8d0e12725727922702e6f5ee4a6522c125ceec7679151aa0ecd
Opcode Fuzzy Hash: 2aada866b9bdda84836ccb94be739d5519668ea043377ccbb8e2e78fa724ab38
Instruction Fuzzy Hash: 39118275310208AFEF219F55CC85FFB376AEB48768F114129FA1497290DA7D9C5187A0

Function 007B6C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00731D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00731D73
Part of subcall function 00731D35: GetStockObject.GDI32(00000011), ref: 00731D87
Part of subcall function 00731D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00731D91

GetWindowRect.USER32(00000000,?), ref: 007B6C71
GetSysColor.USER32(00000012), ref: 007B6C8B

Strings

static, xrefs: 007B6C4E

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 77433445b5fe2328b3ae4773c1b2d609ea81a66faef96fbef22da0248dd4d34c
Instruction ID: ee9f28906396df6a416858942ee017c324d360d13f364370ab34998e0942bd39
Opcode Fuzzy Hash: 77433445b5fe2328b3ae4773c1b2d609ea81a66faef96fbef22da0248dd4d34c
Instruction Fuzzy Hash: 1521E472610209AFDB14DFA8CC45EFA7BA8FB08714F114A29FE95D2250D639E861DB60

Function 007B6920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007B69A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007B69B1

Strings

edit, xrefs: 007B6986

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 0fd623b6f6cfe9bf94a9c711ae6e806a3d089149aa344ea6f5b48f42c92aae01
Instruction ID: 35fb74d80b2fb57e3f0d89e7b0a333ecadb8f5cb2df4ee475d7a08eef8168859
Opcode Fuzzy Hash: 0fd623b6f6cfe9bf94a9c711ae6e806a3d089149aa344ea6f5b48f42c92aae01
Instruction Fuzzy Hash: A6116A71110208ABEB108E64DC44FEB37A9EB05378F604728FAA5961E0C77DEC509B60

Function 007929AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00792A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00792A41

Strings

0, xrefs: 00792A18

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 632f668c548e5cd3205ad99bf4b640fc45fda6b80a8dfa25510964d35e4014d5
Instruction ID: ef6c92b632c94a063c034204230c7abd9de0d9961481e77712a24baf5d20a69c
Opcode Fuzzy Hash: 632f668c548e5cd3205ad99bf4b640fc45fda6b80a8dfa25510964d35e4014d5
Instruction Fuzzy Hash: 9B11AF33901114BACF30EA58E844FAE77B8EB46310F048021ED55A72A2D778AD0BC795

Function 007A21D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 007A222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 007A2255

Strings

<local>, xrefs: 007A221D

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: ffd6e4d156bf1745d2cc18a76a3d97da5c50d20ffa57a9e7733f59dce284787f
Instruction ID: 204f6a4f9efa336f2aacf032dd64f7d75b272576298341330b649b3759247e42
Opcode Fuzzy Hash: ffd6e4d156bf1745d2cc18a76a3d97da5c50d20ffa57a9e7733f59dce284787f
Instruction Fuzzy Hash: 26110270501225BADB248F19CC88FBBFBA8FF87751F10832AFA0446081D2789882D6F0

Function 00788E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00737DE1: _memmove.LIBCMT ref: 00737E22

Part of subcall function 0078AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0078AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00788E73

Strings

ListBox, xrefs: 00788E3D
ComboBox, xrefs: 00788E12

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: eff12e843f57fd9c88bfd5b84777170233aafab9bc6ec1a522a6f427b9e6fae7
Instruction ID: 92e5fdd9425e28c865309f9047f0218e84e7faed19087f05278990e4203ec27d
Opcode Fuzzy Hash: eff12e843f57fd9c88bfd5b84777170233aafab9bc6ec1a522a6f427b9e6fae7
Instruction Fuzzy Hash: D001F5B1641218EB9B18FBA0CC49DFE7368EF05320B440619F831672D2DE395808C751

Function 00788CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00737DE1: _memmove.LIBCMT ref: 00737E22

Part of subcall function 0078AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0078AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00788D6B

Strings

ListBox, xrefs: 00788D35
ComboBox, xrefs: 00788D0A

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 7a5b42c6195362d5e4027c926929622e4985509a69c19be413f3e0f5d6c67442
Instruction ID: c27d9cf419cb9a77e5cbdbeb925def1f2ce28fed3ee8c2739737a33f029aa064
Opcode Fuzzy Hash: 7a5b42c6195362d5e4027c926929622e4985509a69c19be413f3e0f5d6c67442
Instruction Fuzzy Hash: 8E01B5B1781108EBDB18F7A0CD5AEFE73A89F19300F540015B80163192DE185A08D372

Function 00788D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00737DE1: _memmove.LIBCMT ref: 00737E22

Part of subcall function 0078AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0078AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00788DEE

Strings

ListBox, xrefs: 00788DBA
ComboBox, xrefs: 00788D8F

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 005e3ab4ed776640aac624ad9b345d4d8ecf6371655a01f8455bdcc13231165e
Instruction ID: e1f091dee556067370e3e9df797ea05edf9ca6509c3c65a5d11eeb80a42468b3
Opcode Fuzzy Hash: 005e3ab4ed776640aac624ad9b345d4d8ecf6371655a01f8455bdcc13231165e
Instruction Fuzzy Hash: 5A0184B1B81109F7EB19F6A4CD4AEFE77A89B15300F544016B80563292DA1D5E08D372

Function 0078C4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0078C534

Part of subcall function 0078C816: _memmove.LIBCMT ref: 0078C860
Part of subcall function 0078C816: VariantInit.OLEAUT32(00000000), ref: 0078C882
Part of subcall function 0078C816: VariantCopy.OLEAUT32(00000000,?), ref: 0078C88C

VariantClear.OLEAUT32(?), ref: 0078C556

Strings

d}~, xrefs: 0078C517

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}~
API String ID: 2932060187-2645811566
Opcode ID: 697fa1864a5fbc0e7906c88fdd8668794a08993f6818f2e964c55b9b8b52dc7a
Instruction ID: 40317f3eaef356967a1054d9af35406a7f3e4f12f31c0e069910e79ab0d618f8
Opcode Fuzzy Hash: 697fa1864a5fbc0e7906c88fdd8668794a08993f6818f2e964c55b9b8b52dc7a
Instruction Fuzzy Hash: 41110CB19007089FC710DFAAD88499BF7F8FF08710B50862EE58AD7611E775AA45CF90

Function 00756B71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00756B93
__calloc_crt.LIBCMT ref: 00756BAC

Strings

~, xrefs: 00756BD1

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: __calloc_crt
String ID: ~
API String ID: 3494438863-2703998100
Opcode ID: 12d205667c5604b8dc3177fd0380041b8400442b28a87740338f2ff346b3264a
Instruction ID: bf4a10a7bb512637178e38d8e6d74e7487159a292fa47a1e87796414c55b0843
Opcode Fuzzy Hash: 12d205667c5604b8dc3177fd0380041b8400442b28a87740338f2ff346b3264a
Instruction Fuzzy Hash: A2F0A4F1209A128BF7648F55FC51BE22B94F704731BB0452AEA00DF185EBBC88498688

Function 00794F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00794F46
_wcscmp.LIBCMT ref: 00794F58

Strings

#32770, xrefs: 00794F52

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 5951bc004b613644a2ee84baaefab6f04b77b874753652627b4ba18f15cc9a26
Instruction ID: 24c40125398abdfc5f9c447d5f3d4ee62786a0b2828a490574f2f3b381a2020b
Opcode Fuzzy Hash: 5951bc004b613644a2ee84baaefab6f04b77b874753652627b4ba18f15cc9a26
Instruction Fuzzy Hash: 1AE06832A0032C2BE720ABA9AC09FB7F7ACEB44B70F000067FC04D3050E9649A15C7E1

Function 0076B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0076B314: _memset.LIBCMT ref: 0076B321

Part of subcall function 00750940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0076B2F0,?,?,?,0073100A), ref: 00750945

IsDebuggerPresent.KERNEL32(?,?,?,0073100A), ref: 0076B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0073100A), ref: 0076B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0076B2FE

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 309a1bad2188defd7dc55977952f07fbe31c7390e1a1e53b093e747dd23c780a
Instruction ID: a6917a37dc0cda83179acd7de2a5a62677594bef86e60ce5fc308a0c0e155126
Opcode Fuzzy Hash: 309a1bad2188defd7dc55977952f07fbe31c7390e1a1e53b093e747dd23c780a
Instruction Fuzzy Hash: 22E0C9B06007118AD7219F29D9087467BE4FF55714F008A6DE856C7752E7BCA445CBA1

Function 00771935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00771775

Part of subcall function 007ABFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0077195E,?), ref: 007ABFFE
Part of subcall function 007ABFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 007AC010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0077196D

Strings

WIN_XPe, xrefs: 00771788

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 1dec5e7e9174805ef6aa197b34de39c1fa1ac3251d8f6d6a218626870426e577
Instruction ID: 3f71a86aea3b930866ed074c318ed2674258bd1e694aeb0d8d36a63464de89c0
Opcode Fuzzy Hash: 1dec5e7e9174805ef6aa197b34de39c1fa1ac3251d8f6d6a218626870426e577
Instruction Fuzzy Hash: 7AF03970800008DFDF19DBA8CD88BECBBF8AB18340F948095E006A20A1C7394F84CFA4

Function 007B5964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007B596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 007B5981

Part of subcall function 00795244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007952BC

Strings

Shell_TrayWnd, xrefs: 007B5967

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: dd1cf8c7deccce213fdd0dcc904fd97912577844c3ad3f7ee18e3986a887473c
Instruction ID: 104972ac292e0983b3ddc197b5734394af571ab7b5eb0edbc454134a371a87bf
Opcode Fuzzy Hash: dd1cf8c7deccce213fdd0dcc904fd97912577844c3ad3f7ee18e3986a887473c
Instruction Fuzzy Hash: BDD0C971784711B6E6A4AB74AC0FFA66A14BF04B50F004925F649AA1D0C9E89810C668

Function 007B5998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007B59AE
PostMessageW.USER32(00000000), ref: 007B59B5

Part of subcall function 00795244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007952BC

Strings

Shell_TrayWnd, xrefs: 007B59A7

Memory Dump Source

Source File: 00000000.00000002.1333377432.0000000000731000.00000020.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1333355303.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333464475.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333540664.00000000007EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333570358.00000000007F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_ql8KpEHT7y.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 69c3878b2ba85bd507d516c5d3ee2b7960d8670b3ca0fed5527f7998371ba602
Instruction ID: d04c09649c788a2195ea7fa33ed2aee8c1759245b4dbde1775184e920a12fe3d
Opcode Fuzzy Hash: 69c3878b2ba85bd507d516c5d3ee2b7960d8670b3ca0fed5527f7998371ba602
Instruction Fuzzy Hash: A6D0C971781711BAE6A4AB74AC0FF966614BB08B50F004925F649AA1D0C9E8A810C668

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ql8KpEHT7y.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

C:\Users\user\AppData\Local\Temp\Clinton

C:\Users\user\AppData\Local\Temp\aut2938.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
ql8KpEHT7y.exe

Function 00733B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 007349A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00734E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00799155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 0073301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00733041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 0073708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00733633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00733A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00733766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 01538318 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 007339D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 015380F8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140
fileCOMMON

Function 0073407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Function 0075541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre