Edit tour

Windows Analysis Report
zAK7HHniGW.exe

Overview

General Information

Sample name:	zAK7HHniGW.exe renamed because original name is a hash value
Original sample name:	22af294596a94c94df1e13966f16af73ab4246c11866a75a7d2a095ae6a91f7e.exe
Analysis ID:	1587690
MD5:	988f9a70417a5ee4f7d4d3e0b3ed71f0
SHA1:	4a1b003b6bd958160d3f27cb362ed8230f83f842
SHA256:	22af294596a94c94df1e13966f16af73ab4246c11866a75a7d2a095ae6a91f7e
Tags:	exeSnakeKeyloggeruser-adrian__luca
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

zAK7HHniGW.exe (PID: 7704 cmdline: "C:\Users\user\Desktop\zAK7HHniGW.exe" MD5: 988F9A70417A5EE4F7D4D3E0B3ED71F0)

RegSvcs.exe (PID: 7788 cmdline: "C:\Users\user\Desktop\zAK7HHniGW.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7249279970:AAEcJhrnjOjEPF0_qNK65RAY0sYYfNqc0Sg/sendMessage?chat_id=7365454061", "Token": "7249279970:AAEcJhrnjOjEPF0_qNK65RAY0sYYfNqc0Sg", "Chat_id": "7365454061", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3788352885.0000000003294000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.3787235335.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3787235335.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.3787235335.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x148d1:$a1: get_encryptedPassword 0x14bbd:$a2: get_encryptedUsername 0x146dd:$a3: get_timePasswordChanged 0x147d8:$a4: get_passwordField 0x148e7:$a5: set_encryptedPassword 0x15f62:$a7: get_logins 0x15ec5:$a10: KeyLoggerEventArgs 0x15b30:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.3787235335.0000000000402000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1985c:$x1: $%SMTPDV$ 0x18240:$x2: $#TheHashHere%& 0x19804:$x3: %FTPDV$ 0x181e0:$x4: $%TelegramDv$ 0x15b30:$x5: KeyLoggerEventArgs 0x15ec5:$x5: KeyLoggerEventArgs 0x19828:$m2: Clipboard Logs ID 0x19a66:$m2: Screenshot Logs ID 0x19b76:$m2: keystroke Logs ID 0x19e50:$m3: SnakePW 0x19a3e:$m4: \SnakeKeylogger\
00000002.00000002.3788352885.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ad1:$a1: get_encryptedPassword 0x14dbd:$a2: get_encryptedUsername 0x148dd:$a3: get_timePasswordChanged 0x149d8:$a4: get_passwordField 0x14ae7:$a5: set_encryptedPassword 0x16162:$a7: get_logins 0x160c5:$a10: KeyLoggerEventArgs 0x15d30:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c412:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b644:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba77:$a4: \Orbitum\User Data\Default\Login Data 0x1cab6:$a5: \Kometa\User Data\Default\Login Data
00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156ac:$s1: UnHook 0x156b3:$s2: SetHook 0x156bb:$s3: CallNextHook 0x156c8:$s4: _hook
00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a5c:$x1: $%SMTPDV$ 0x18440:$x2: $#TheHashHere%& 0x19a04:$x3: %FTPDV$ 0x183e0:$x4: $%TelegramDv$ 0x15d30:$x5: KeyLoggerEventArgs 0x160c5:$x5: KeyLoggerEventArgs 0x19a28:$m2: Clipboard Logs ID 0x19c66:$m2: Screenshot Logs ID 0x19d76:$m2: keystroke Logs ID 0x1a050:$m3: SnakePW 0x19c3e:$m4: \SnakeKeylogger\
Process Memory Space: zAK7HHniGW.exe PID: 7704	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: zAK7HHniGW.exe PID: 7704	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: zAK7HHniGW.exe PID: 7704	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x129c18d:$a1: get_encryptedPassword 0x129c46f:$a2: get_encryptedUsername 0x129bfa3:$a3: get_timePasswordChanged 0x129c09e:$a4: get_passwordField 0x129c1a3:$a5: set_encryptedPassword 0x129e67a:$a7: get_logins 0x129e5dd:$a10: KeyLoggerEventArgs 0x129e248:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: zAK7HHniGW.exe PID: 7704	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x129e248:$x5: KeyLoggerEventArgs 0x129e5dd:$x5: KeyLoggerEventArgs 0x129eee4:$x5: KeyLoggerEventArgs 0x129f245:$x5: KeyLoggerEventArgs 0x12a0808:$m2: Clipboard Logs ID 0x12a090e:$m2: Screenshot Logs ID 0x12a0964:$m2: keystroke Logs ID 0x12a0a99:$m3: SnakePW 0x12a08fa:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 7788	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7788	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 7788	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x494de:$a1: get_encryptedPassword 0x497c0:$a2: get_encryptedUsername 0x492f4:$a3: get_timePasswordChanged 0x493ef:$a4: get_passwordField 0x494f4:$a5: set_encryptedPassword 0x4b9cb:$a7: get_logins 0x4b92e:$a10: KeyLoggerEventArgs 0x4b599:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7788	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x4b599:$x5: KeyLoggerEventArgs 0x4b92e:$x5: KeyLoggerEventArgs 0x4c235:$x5: KeyLoggerEventArgs 0x4c596:$x5: KeyLoggerEventArgs 0x4db59:$m2: Clipboard Logs ID 0x4dc5f:$m2: Screenshot Logs ID 0x4dcb5:$m2: keystroke Logs ID 0x4ddea:$m3: SnakePW 0x4dc4b:$m4: \SnakeKeylogger\
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.zAK7HHniGW.exe.3350000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.zAK7HHniGW.exe.3350000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.zAK7HHniGW.exe.3350000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.zAK7HHniGW.exe.3350000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ad1:$a1: get_encryptedPassword 0x14dbd:$a2: get_encryptedUsername 0x148dd:$a3: get_timePasswordChanged 0x149d8:$a4: get_passwordField 0x14ae7:$a5: set_encryptedPassword 0x16162:$a7: get_logins 0x160c5:$a10: KeyLoggerEventArgs 0x15d30:$a11: KeyLoggerEventArgsEventHandler
0.2.zAK7HHniGW.exe.3350000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c412:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b644:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba77:$a4: \Orbitum\User Data\Default\Login Data 0x1cab6:$a5: \Kometa\User Data\Default\Login Data
0.2.zAK7HHniGW.exe.3350000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156ac:$s1: UnHook 0x156b3:$s2: SetHook 0x156bb:$s3: CallNextHook 0x156c8:$s4: _hook
0.2.zAK7HHniGW.exe.3350000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a5c:$x1: $%SMTPDV$ 0x18440:$x2: $#TheHashHere%& 0x19a04:$x3: %FTPDV$ 0x183e0:$x4: $%TelegramDv$ 0x15d30:$x5: KeyLoggerEventArgs 0x160c5:$x5: KeyLoggerEventArgs 0x19a28:$m2: Clipboard Logs ID 0x19c66:$m2: Screenshot Logs ID 0x19d76:$m2: keystroke Logs ID 0x1a050:$m3: SnakePW 0x19c3e:$m4: \SnakeKeylogger\
0.2.zAK7HHniGW.exe.3350000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.zAK7HHniGW.exe.3350000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.zAK7HHniGW.exe.3350000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12cd1:$a1: get_encryptedPassword 0x12fbd:$a2: get_encryptedUsername 0x12add:$a3: get_timePasswordChanged 0x12bd8:$a4: get_passwordField 0x12ce7:$a5: set_encryptedPassword 0x14362:$a7: get_logins 0x142c5:$a10: KeyLoggerEventArgs 0x13f30:$a11: KeyLoggerEventArgsEventHandler
0.2.zAK7HHniGW.exe.3350000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a612:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19844:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c77:$a4: \Orbitum\User Data\Default\Login Data 0x1acb6:$a5: \Kometa\User Data\Default\Login Data
0.2.zAK7HHniGW.exe.3350000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x138ac:$s1: UnHook 0x138b3:$s2: SetHook 0x138bb:$s3: CallNextHook 0x138c8:$s4: _hook
0.2.zAK7HHniGW.exe.3350000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c5c:$x1: $%SMTPDV$ 0x16640:$x2: $#TheHashHere%& 0x17c04:$x3: %FTPDV$ 0x165e0:$x4: $%TelegramDv$ 0x13f30:$x5: KeyLoggerEventArgs 0x142c5:$x5: KeyLoggerEventArgs 0x17c28:$m2: Clipboard Logs ID 0x17e66:$m2: Screenshot Logs ID 0x17f76:$m2: keystroke Logs ID 0x18250:$m3: SnakePW 0x17e3e:$m4: \SnakeKeylogger\
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ad1:$a1: get_encryptedPassword 0x14dbd:$a2: get_encryptedUsername 0x148dd:$a3: get_timePasswordChanged 0x149d8:$a4: get_passwordField 0x14ae7:$a5: set_encryptedPassword 0x16162:$a7: get_logins 0x160c5:$a10: KeyLoggerEventArgs 0x15d30:$a11: KeyLoggerEventArgsEventHandler
2.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c412:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b644:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba77:$a4: \Orbitum\User Data\Default\Login Data 0x1cab6:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156ac:$s1: UnHook 0x156b3:$s2: SetHook 0x156bb:$s3: CallNextHook 0x156c8:$s4: _hook
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a5c:$x1: $%SMTPDV$ 0x18440:$x2: $#TheHashHere%& 0x19a04:$x3: %FTPDV$ 0x183e0:$x4: $%TelegramDv$ 0x15d30:$x5: KeyLoggerEventArgs 0x160c5:$x5: KeyLoggerEventArgs 0x19a28:$m2: Clipboard Logs ID 0x19c66:$m2: Screenshot Logs ID 0x19d76:$m2: keystroke Logs ID 0x1a050:$m3: SnakePW 0x19c3e:$m4: \SnakeKeylogger\
Click to see the 15 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T17:04:29.222975+0100	2803305	3	Unknown Traffic	192.168.2.9	49748	104.21.112.1	443	TCP
2025-01-10T17:04:30.553410+0100	2803305	3	Unknown Traffic	192.168.2.9	49756	104.21.112.1	443	TCP
2025-01-10T17:04:31.658786+0100	2803305	3	Unknown Traffic	192.168.2.9	49766	104.21.112.1	443	TCP
2025-01-10T17:04:32.748104+0100	2803305	3	Unknown Traffic	192.168.2.9	49772	104.21.112.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T17:04:27.780937+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49735	193.122.130.0	80	TCP
2025-01-10T17:04:28.624671+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49735	193.122.130.0	80	TCP
2025-01-10T17:04:29.968422+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49753	193.122.130.0	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.3788352885.00000000030C1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7249279970:AAEcJhrnjOjEPF0_qNK65RAY0sYYfNqc0Sg/sendMessage?chat_id=7365454061", "Token": "7249279970:AAEcJhrnjOjEPF0_qNK65RAY0sYYfNqc0Sg", "Chat_id": "7365454061", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: zAK7HHniGW.exe	Virustotal: Detection: 60%			Perma Link
Source: zAK7HHniGW.exe	ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: zAK7HHniGW.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: zAK7HHniGW.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.9:49741 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: zAK7HHniGW.exe, 00000000.00000003.1352918563.0000000003970000.00000004.00001000.00020000.00000000.sdmp, zAK7HHniGW.exe, 00000000.00000003.1355443476.0000000003800000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: zAK7HHniGW.exe, 00000000.00000003.1352918563.0000000003970000.00000004.00001000.00020000.00000000.sdmp, zAK7HHniGW.exe, 00000000.00000003.1355443476.0000000003800000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_0058DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0058DBBE
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_0055C2A2 FindFirstFileExW,	0_2_0055C2A2
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_005968EE FindFirstFileW,FindClose,	0_2_005968EE
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_0059698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0059698F
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_0058D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0058D076
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_0058D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0058D3A9
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_00599642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00599642
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_0059979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0059979D
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_00599B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00599B2B
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_00595C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00595C97

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 016DF1F6h	2_2_016DF007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 016DFB80h	2_2_016DF007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_016DE528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_016DEB5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_016DED3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05CBDEA9h	2_2_05CBDC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05CBC041h	2_2_05CBBD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05CB1011h	2_2_05CB0D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05CBF009h	2_2_05CBED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05CBB791h	2_2_05CBB4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05CB0751h	2_2_05CB04A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05CBE759h	2_2_05CBE4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05CBDA51h	2_2_05CBD7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05CBD1A1h	2_2_05CBCEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05CBC8F1h	2_2_05CBC648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05CBF8B9h	2_2_05CBF610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05CB1A38h	2_2_05CB1610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05CB1A38h	2_2_05CB1620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05CB1471h	2_2_05CB11C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05CBC499h	2_2_05CBC1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05CBF461h	2_2_05CBF1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05CBBBE9h	2_2_05CBB940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05CB1A38h	2_2_05CB1966
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05CBEBB1h	2_2_05CBE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05CB0BB1h	2_2_05CB0900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05CB02F1h	2_2_05CB0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05CBE301h	2_2_05CBE058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05CBD5F9h	2_2_05CBD350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05CBCD49h	2_2_05CBCAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05CBFD11h	2_2_05CBFA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06AD8945h	2_2_06AD8608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06AD6171h	2_2_06AD5EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06AD58C1h	2_2_06AD5618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06AD5D19h	2_2_06AD5A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_06AD33A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_06AD33B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06AD6E79h	2_2_06AD6BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06AD65C9h	2_2_06AD6320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06AD6A21h	2_2_06AD6778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06AD7751h	2_2_06AD74A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06AD0741h	2_2_06AD0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06AD0B99h	2_2_06AD08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06AD02E9h	2_2_06AD0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06AD72FAh	2_2_06AD7050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06AD8459h	2_2_06AD81B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06AD5441h	2_2_06AD5198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06AD7BA9h	2_2_06AD7900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06AD0FF1h	2_2_06AD0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06AD8001h	2_2_06AD7D58

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.zAK7HHniGW.exe.3350000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49753 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49735 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49766 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49772 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49756 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49748 -> 104.21.112.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.9:49741 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_0059CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0059CE44

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000002.00000002.3788352885.000000000318E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000322E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003286000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003221000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000323C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000324A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003277000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.3788352885.000000000317B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000318E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003258000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000322E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003286000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003221000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000323C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000324A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003277000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.3788352885.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: zAK7HHniGW.exe, 00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3787235335.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.3788352885.000000000322E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003286000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003221000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000323C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000324A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.00000000031A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003277000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.3788352885.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.3788352885.000000000318E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000322E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003286000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003221000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000323C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000324A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003277000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: zAK7HHniGW.exe, 00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000318E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3787235335.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.3788352885.0000000003277000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000002.00000002.3788352885.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000322E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003286000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003221000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000323C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000324A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003277000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_0059EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0059EAFF

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_0059ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0059ED6A

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

0_2_0059EAFF

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_0058AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0058AA57

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_005B9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_005B9576

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.zAK7HHniGW.exe.3350000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.zAK7HHniGW.exe.3350000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.zAK7HHniGW.exe.3350000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.zAK7HHniGW.exe.3350000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.zAK7HHniGW.exe.3350000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.zAK7HHniGW.exe.3350000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.zAK7HHniGW.exe.3350000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.zAK7HHniGW.exe.3350000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.3787235335.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.3787235335.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: zAK7HHniGW.exe PID: 7704, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: zAK7HHniGW.exe PID: 7704, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 7788, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7788, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: zAK7HHniGW.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: zAK7HHniGW.exe, 00000000.00000000.1316862882.00000000005E2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0fb41d2f-3
Source: zAK7HHniGW.exe, 00000000.00000000.1316862882.00000000005E2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_100899a6-7
Source: zAK7HHniGW.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ff0b065e-8
Source: zAK7HHniGW.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c066c0fb-2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_0058D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0058D5EB

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_00581201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00581201

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_0058E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0058E8F6

Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_0052BF40	0_2_0052BF40
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_00592046	0_2_00592046
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_00528060	0_2_00528060
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_00588298	0_2_00588298
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_0055E4FF	0_2_0055E4FF
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_0055676B	0_2_0055676B
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_005B4873	0_2_005B4873
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_0052CAF0	0_2_0052CAF0
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_0054CAA0	0_2_0054CAA0
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_0053CC39	0_2_0053CC39
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_00556DD9	0_2_00556DD9
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_0053B119	0_2_0053B119
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_005291C0	0_2_005291C0
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_00541394	0_2_00541394
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_00541706	0_2_00541706
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_0054781B	0_2_0054781B
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_0053997D	0_2_0053997D
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_00527920	0_2_00527920
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_005419B0	0_2_005419B0
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_00547A4A	0_2_00547A4A
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_00541C77	0_2_00541C77
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_00547CA7	0_2_00547CA7
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_005ABE44	0_2_005ABE44
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_00559EEE	0_2_00559EEE
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_00541F32	0_2_00541F32
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_010D45E0	0_2_010D45E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_016D6108	2_2_016D6108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_016DC190	2_2_016DC190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_016DF007	2_2_016DF007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_016DB328	2_2_016DB328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_016DC470	2_2_016DC470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_016DC752	2_2_016DC752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_016D9858	2_2_016D9858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_016D6880	2_2_016D6880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_016DBBD2	2_2_016DBBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_016DCA32	2_2_016DCA32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_016D4AD9	2_2_016D4AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_016DBEB0	2_2_016DBEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_016D3572	2_2_016D3572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_016DE528	2_2_016DE528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_016DE517	2_2_016DE517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CB7D90	2_2_05CB7D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CB8460	2_2_05CB8460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBDC00	2_2_05CBDC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CB3870	2_2_05CB3870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBBD88	2_2_05CBBD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBBD98	2_2_05CBBD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CB0D51	2_2_05CB0D51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBED50	2_2_05CBED50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CB0D60	2_2_05CB0D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBED60	2_2_05CBED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBB4D7	2_2_05CBB4D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBB4E8	2_2_05CBB4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CB0490	2_2_05CB0490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CB04A0	2_2_05CB04A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBE4A0	2_2_05CBE4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBE4B0	2_2_05CBE4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBD798	2_2_05CBD798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBD7A8	2_2_05CBD7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBCEEB	2_2_05CBCEEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBCEF8	2_2_05CBCEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBC648	2_2_05CBC648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBF600	2_2_05CBF600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBF610	2_2_05CBF610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBC638	2_2_05CBC638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CB11C0	2_2_05CB11C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBC1E0	2_2_05CBC1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBC1F0	2_2_05CBC1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBF1A9	2_2_05CBF1A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBF1B8	2_2_05CBF1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CB11B0	2_2_05CB11B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBB940	2_2_05CBB940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBE908	2_2_05CBE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CB0900	2_2_05CB0900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBB930	2_2_05CBB930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBE8F8	2_2_05CBE8F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CB08F0	2_2_05CB08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBE04B	2_2_05CBE04B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CB0040	2_2_05CB0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBE058	2_2_05CBE058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CB3860	2_2_05CB3860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CB0007	2_2_05CB0007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CB73E8	2_2_05CB73E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBDBF1	2_2_05CBDBF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBD340	2_2_05CBD340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBD350	2_2_05CBD350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBCAA0	2_2_05CBCAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBFA59	2_2_05CBFA59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBFA68	2_2_05CBFA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06ADB6E8	2_2_06ADB6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD8608	2_2_06AD8608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06ADD670	2_2_06ADD670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06ADAA58	2_2_06ADAA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD8B8C	2_2_06AD8B8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06ADC388	2_2_06ADC388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06ADB0A0	2_2_06ADB0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06ADD028	2_2_06ADD028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06ADA408	2_2_06ADA408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD11A0	2_2_06AD11A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06ADC9D8	2_2_06ADC9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06ADBD38	2_2_06ADBD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD5EB8	2_2_06AD5EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD5EC8	2_2_06AD5EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06ADB6D9	2_2_06ADB6D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD560B	2_2_06AD560B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD8603	2_2_06AD8603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD5618	2_2_06AD5618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD5A60	2_2_06AD5A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06ADD662	2_2_06ADD662
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD5A70	2_2_06AD5A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06ADAA52	2_2_06ADAA52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD33A8	2_2_06AD33A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD33B8	2_2_06AD33B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD8BED	2_2_06AD8BED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06ADA3F8	2_2_06ADA3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD6BC1	2_2_06AD6BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD6BD0	2_2_06AD6BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD6320	2_2_06AD6320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD3730	2_2_06AD3730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD6313	2_2_06AD6313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD676B	2_2_06AD676B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD6778	2_2_06AD6778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06ADC378	2_2_06ADC378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD74A8	2_2_06AD74A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06ADB08F	2_2_06ADB08F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD0488	2_2_06AD0488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD0498	2_2_06AD0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD7497	2_2_06AD7497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD08E0	2_2_06AD08E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD08F0	2_2_06AD08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD78F0	2_2_06AD78F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD4430	2_2_06AD4430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD2807	2_2_06AD2807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD2818	2_2_06AD2818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06ADD018	2_2_06ADD018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD0013	2_2_06AD0013
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD7049	2_2_06AD7049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD0040	2_2_06AD0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD7050	2_2_06AD7050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD81A0	2_2_06AD81A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD81B0	2_2_06AD81B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD518F	2_2_06AD518F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD5198	2_2_06AD5198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD1191	2_2_06AD1191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06ADC9C8	2_2_06ADC9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06ADBD28	2_2_06ADBD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD0D39	2_2_06AD0D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD7900	2_2_06AD7900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD0D48	2_2_06AD0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD7D48	2_2_06AD7D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AD7D58	2_2_06AD7D58

Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: String function: 00529CB3 appears 31 times
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: String function: 00540A30 appears 46 times
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: String function: 00544963 appears 31 times
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: String function: 0053F9F2 appears 40 times

Source: zAK7HHniGW.exe, 00000000.00000003.1353678369.00000000038F3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs zAK7HHniGW.exe
Source: zAK7HHniGW.exe, 00000000.00000003.1354691112.0000000003ACD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs zAK7HHniGW.exe
Source: zAK7HHniGW.exe, 00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs zAK7HHniGW.exe

Source: zAK7HHniGW.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.zAK7HHniGW.exe.3350000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.zAK7HHniGW.exe.3350000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.zAK7HHniGW.exe.3350000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.zAK7HHniGW.exe.3350000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.zAK7HHniGW.exe.3350000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.zAK7HHniGW.exe.3350000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.zAK7HHniGW.exe.3350000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.zAK7HHniGW.exe.3350000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.3787235335.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.3787235335.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: zAK7HHniGW.exe PID: 7704, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: zAK7HHniGW.exe PID: 7704, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 7788, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7788, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/2

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_005937B5 GetLastError,FormatMessageW,

0_2_005937B5

Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_005810BF AdjustTokenPrivileges,CloseHandle,		0_2_005810BF
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_005816C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_005816C3

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_005951CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_005951CD

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_005AA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_005AA67C

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_0059648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0059648E

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_005242A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_005242A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

File created: C:\Users\user\AppData\Local\Temp\aut136E.tmp

Jump to behavior

Source: zAK7HHniGW.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3788352885.0000000003349000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003322000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003356000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003313000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3789616644.0000000004152000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003304000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: zAK7HHniGW.exe	Virustotal: Detection: 60%
Source: zAK7HHniGW.exe	ReversingLabs: Detection: 71%

Source: unknown	Process created: C:\Users\user\Desktop\zAK7HHniGW.exe "C:\Users\user\Desktop\zAK7HHniGW.exe"
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\zAK7HHniGW.exe"
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\zAK7HHniGW.exe"	Jump to behavior

Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: zAK7HHniGW.exe

Static file information: File size 1069056 > 1048576

Source: zAK7HHniGW.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: zAK7HHniGW.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: zAK7HHniGW.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: zAK7HHniGW.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: zAK7HHniGW.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: zAK7HHniGW.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: zAK7HHniGW.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: zAK7HHniGW.exe, 00000000.00000003.1352918563.0000000003970000.00000004.00001000.00020000.00000000.sdmp, zAK7HHniGW.exe, 00000000.00000003.1355443476.0000000003800000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: zAK7HHniGW.exe, 00000000.00000003.1352918563.0000000003970000.00000004.00001000.00020000.00000000.sdmp, zAK7HHniGW.exe, 00000000.00000003.1355443476.0000000003800000.00000004.00001000.00020000.00000000.sdmp

Source: zAK7HHniGW.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: zAK7HHniGW.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: zAK7HHniGW.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: zAK7HHniGW.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: zAK7HHniGW.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_005242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005242DE

Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_00540A76 push ecx; ret	0_2_00540A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBAD43 pushfd ; retf	2_2_05CBAD56
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CBAC7F push FFFFFF85h; retf	2_2_05CBAC86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CB2E78 push esp; iretd	2_2_05CB2E79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CB708B pushad ; retf	2_2_05CB7092
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CB2840 push esp; retf	2_2_05CB2AC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CB705F push ebx; retf	2_2_05CB706A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05CB705D push eax; retf	2_2_05CB705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06ADA07F push ecx; retf 0005h	2_2_06ADA08A

Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_0053F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0053F98E
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_005B1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_005B1C41

Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97977

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

API/Special instruction interceptor: Address: 10D4204

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598897	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598591	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596496	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596389	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595827	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594370	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594250	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7640			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2208			Jump to behavior

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

API coverage: 4.2 %

Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_0058DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0058DBBE
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_0055C2A2 FindFirstFileExW,	0_2_0055C2A2
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_005968EE FindFirstFileW,FindClose,	0_2_005968EE
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_0059698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0059698F
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_0058D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0058D076
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_0058D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0058D3A9
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_00599642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00599642
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_0059979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0059979D
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_00599B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00599B2B
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_00595C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00595C97

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_005242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005242DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598897	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598591	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596496	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596389	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595827	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594370	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594250	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3787822335.0000000001509000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_05CB7D90 LdrInitializeThunk,

2_2_05CB7D90

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_0059EAA2 BlockInput,

0_2_0059EAA2

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_00552622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00552622

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_005242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005242DE

Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_00544CE8 mov eax, dword ptr fs:[00000030h]	0_2_00544CE8
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_010D4470 mov eax, dword ptr fs:[00000030h]	0_2_010D4470
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_010D44D0 mov eax, dword ptr fs:[00000030h]	0_2_010D44D0
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_010D2E80 mov eax, dword ptr fs:[00000030h]	0_2_010D2E80

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_00580B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00580B62

Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_00552622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00552622
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_0054083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0054083F
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_005409D5 SetUnhandledExceptionFilter,	0_2_005409D5
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_00540C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00540C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F90008

Jump to behavior

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

0_2_00581201

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_00562BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00562BA5

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_0058B226 SendInput,keybd_event,

0_2_0058B226

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_005A22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_005A22DA

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\zAK7HHniGW.exe"

Jump to behavior

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

0_2_00580B62

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_00581663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00581663

Source: zAK7HHniGW.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: zAK7HHniGW.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_00540698 cpuid

0_2_00540698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_00598195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00598195

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_0057D27A GetUserNameW,

0_2_0057D27A

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_0055B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0055B952

Source: C:\Users\user\Desktop\zAK7HHniGW.exe

Code function: 0_2_005242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005242DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: zAK7HHniGW.exe, 00000000.00000003.1317769021.0000000000FD8000.00000004.00000020.00020000.00000000.sdmp, zAK7HHniGW.exe, 00000000.00000002.1356747438.0000000000FD8000.00000004.00000020.00020000.00000000.sdmp, zAK7HHniGW.exe, 00000000.00000003.1317642183.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msmpeng.exe
Source: zAK7HHniGW.exe, 00000000.00000003.1317769021.0000000000FD8000.00000004.00000020.00020000.00000000.sdmp, zAK7HHniGW.exe, 00000000.00000002.1356747438.0000000000FD8000.00000004.00000020.00020000.00000000.sdmp, zAK7HHniGW.exe, 00000000.00000003.1317642183.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mcupdate.exe

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.zAK7HHniGW.exe.3350000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zAK7HHniGW.exe.3350000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3788352885.0000000003294000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3787235335.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3788352885.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zAK7HHniGW.exe PID: 7704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7788, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: zAK7HHniGW.exe	Binary or memory string: WIN_81
Source: zAK7HHniGW.exe	Binary or memory string: WIN_XP
Source: zAK7HHniGW.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: zAK7HHniGW.exe	Binary or memory string: WIN_XPe
Source: zAK7HHniGW.exe	Binary or memory string: WIN_VISTA
Source: zAK7HHniGW.exe	Binary or memory string: WIN_7
Source: zAK7HHniGW.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 0.2.zAK7HHniGW.exe.3350000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zAK7HHniGW.exe.3350000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3787235335.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zAK7HHniGW.exe PID: 7704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7788, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.zAK7HHniGW.exe.3350000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zAK7HHniGW.exe.3350000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3788352885.0000000003294000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3787235335.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3788352885.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zAK7HHniGW.exe PID: 7704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7788, type: MEMORYSTR

Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_005A1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_005A1204
Source: C:\Users\user\Desktop\zAK7HHniGW.exe	Code function: 0_2_005A1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_005A1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	231 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	111 Virtualization/Sandbox Evasion	Cached Domain Credentials	111 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
zAK7HHniGW.exe	60%	Virustotal		Browse
zAK7HHniGW.exe	71%	ReversingLabs	Win32.Trojan.AutoitInject
zAK7HHniGW.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
reallyfreegeoip.org	104.21.112.1	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.3788352885.000000000318E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000322E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003286000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003221000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000323C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000324A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003277000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000002.00000002.3788352885.000000000317B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000318E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003258000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000322E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003286000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003221000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000323C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000324A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003277000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000002.00000002.3788352885.000000000318E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000322E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003286000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003221000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000323C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000324A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003277000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.3788352885.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	zAK7HHniGW.exe, 00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3787235335.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	RegSvcs.exe, 00000002.00000002.3788352885.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000322E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003286000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003221000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000323C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000324A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003277000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.3788352885.000000000322E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003286000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003221000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000323C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000324A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.00000000031A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.0000000003277000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	zAK7HHniGW.exe, 00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3788352885.000000000318E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3787235335.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.112.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
193.122.130.0	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587690
Start date and time:	2025-01-10 17:03:33 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	zAK7HHniGW.exe renamed because original name is a hash value
Original Sample Name:	22af294596a94c94df1e13966f16af73ab4246c11866a75a7d2a095ae6a91f7e.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 50 Number of non-executed functions: 301
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:04:27	API Interceptor	11139143x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.112.1	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/w98i/
	wxl1r0lntg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	838596cm.nyafka.top/lineLongpolllinuxFlowercentraluploads.php
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	beammp.com/phpmyadmin/
193.122.130.0	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	bd9Gvqt6AK.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Salary Payment Information Discrepancy_pdf.pif.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	SOA NOV. Gateway Freight_MEDWA0577842.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Nuevo pedido.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	13.107.246.45
	lExtvSjBgq.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	Axvn7Hegxc.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	13.107.246.45
	raq4ttncJF.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	WF2DL1l7E8.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	Play_VM-NowTingrammAudiowav011.html	Get hash	malicious	Unknown	Browse	13.107.246.45
	launcher.exe.bin.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	13.107.246.45
	FGTFTj8GLM.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	30562134305434372.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
checkip.dyndns.com	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	ln5S7fIBkY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
reallyfreegeoip.org	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	ln5S7fIBkY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	ln5S7fIBkY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	bd9Gvqt6AK.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Salary Payment Information Discrepancy_pdf.pif.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
CLOUDFLARENETUS	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	IUqsn1SBGy.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	https://cjerichmond.jimdosite.com/	Get hash	malicious	Unknown	Browse	162.159.128.70
	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	4iDzhJBJVv.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	ln5S7fIBkY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1

Process:	C:\Users\user\Desktop\zAK7HHniGW.exe
File Type:	data
Category:	dropped
Size (bytes):	87932
Entropy (8bit):	7.922993382899389
Encrypted:	false
SSDEEP:	1536:2LuVdtg6BqYmNfdBSFGbIseJWNRTJwM5EIDXRxreHO3QeKe7XYYBQ7VRhgw:GMdi6q1RiFGxksRSM5Nqu3QeKe7xyVnx
MD5:	910947D3238C70BB65FF67D7CAF5C3D0
SHA1:	5C87F7A2C1176EA75EEDC826CCDA09DFDF80E43D
SHA-256:	A6B6CF2CF2DF556846263F22157471A136BA42C78F51F9271773853A486D02CE
SHA-512:	680514DCBCE9BF77308EBAE97EC11770D1342EA5558B1C305EF858CF030C5B01A73DCF62F9A3919CC1042AABA7A1822FE59D9EC4AE4F7E52B620E4C2D960BE88
Malicious:	false
Reputation:	low
Preview:	EA06.....[..Z%6oW.Uf.>.6gK...p..q..P..)..j..........)5,mfq..8....g...K."O_.P.u.]ZO+..wz..!1.."r....E.Uy.V.=..m..y.D&.;..aK.Z.R...t.t..6.....s......R.7........<.Qh....0...%.I...N.5.Q.)q2..6.:\..E....Y..@.[.....5J=.....(3.............?..h......j,<.......9...<:..e..<64jl.......Z...A.....Et....s.....<\|.!.63%..k....~.i....x.L.%....g.....P.....Lis.6..L....Y...x.Mh.;..mW.....J.......S....{.I..i4....u+.-............^.<, ...,..%....j.ZV@.....Z.<$`...Ll`)E6........q3...z=6{..+(.8..?....9$r.0..&3:\.k`..@..=.(.<.....3...:\.S\|...\..0.J,1:5..w...UX.a1..tj-r........m...tZ=.?..UgSy..gI......&u}..C..M....G.+.:.0.M..[e.s_.W/..LJ. ..hV.=.+)..C...f.7.T@!..J..F)q.$.M...uX..%..-.[mNk......fS5._+t.=R..P....kL...z......@...U........2.L)SZe..N.Xg.Y..iO..<...6k,..%..L.3.Q.....].F. .e..>....=.......}.bJ..L......A.......2.I..j...7.Zi.Y...;..a.Yt...:.f.J4.B.Z.s).:M5.Pm...Vw(...nL.=Pi{...[.J/p...Ei4.`..@.....l..f........E#....gR...fh.I...x.YfT....@.M..M7...%.......

C:\Users\user\AppData\Local\Temp\spado

Download File

Process:	C:\Users\user\Desktop\zAK7HHniGW.exe
File Type:	data
Category:	dropped
Size (bytes):	133632
Entropy (8bit):	6.961641560803927
Encrypted:	false
SSDEEP:	3072:keUjs/TCQKhEycKisHiECHjLDJaJ/AkdeIoNsdTVw6:BKsrC+EiEC/Na2kdCNmVw6
MD5:	8EFD6AFC25E10E363FC2881D1FE8A81C
SHA1:	6779B97C689C604C10EAEA95DB8B49F45069AD5B
SHA-256:	C403DDCA53D1984EE7BBB1A0ACA330B1D52FE88D814E6B8FE75F8CE853A7094D
SHA-512:	7792670C56E182984CCFE2CB3BB4F142261E9F1B61FFB136F58DFC090DCA6C452A8E87D0D90F21D387095014E701B8ECBF07D5DF5695D207B0AC0DC619F76222
Malicious:	false
Reputation:	low
Preview:	.o.EDM7W<U0C..3K.FEGM7W8.0C023K5FEGM7W8U0C023K5FEGM7W8U0C023.5FEIR.Y8.9...2..g./$DwH'_$BS^kV'+)"CwZ0.1E\."[f....:W1Um=?9o5FEGM7Wh.0C\|30K.k.!M7W8U0C0.3I4MD.M7.9U0W023K5F[TO7W.U0C.03K5.EGm7W8W0C423K5FEGI7W8U0C02SI5FGGM7W8U2Cp.3K%FEWM7W8E0C 23K5FEWM7W8U0C023K.TGG.7W8U.A0.#K5FEGM7W8U0C023K5FE.O7[8U0C023K5FEGM7W8U0C023K5FEGM7W8U0C023K5FEGM7W8U0C023k5FMGM7W8U0C023C.FE.M7W8U0C023K.2 ?97W8q.B02.K5F.FM7U8U0C023K5FEGM7w8UPmBAA(5FE.]7W8u2C0 3K5.DGM7W8U0C023K5.EG..%]9_ 02?K5FE.O7W:U0C803K5FEGM7W8U0Cp23.5FEGM7W8U0C023K5FVEM7W8UxC021K0F.fL7..U0@023.5FC.l6W.U0C023K5FEGM7W8U0C023K5FEGM7W8U0C023K5FEGM7.E.?..Z8..EGM7W8T2@44;C5FEGM7W8+0C0t3K5.EGM.W8U.C02^K5FaGM7)8U0=023/5FE5M7WYU0Cw23KZFEG#7W8+0C0,1c.FEMg.W:}.C083a.5gGM=.9U0GC.3K?.GGM3$.U0I.13K15`GM=.<U0GC.3K?.@GM3}bU3.&43K.)\|GM=W;.%E02(a.FGow7W2U.e01.^3FE\g.W:.9C06..F[EGK..8U:7923I.LEGI.I:}tC08.iKVEGI.W.wNR027`5lg9_7W<~0i.L K5BnGg.),U0G.2.U7.QGM3}.+%C06.K.d;QM7S.U.aN%3K1mEmS5./U0G.4.)54\|[MGTW.0C6..K5Lm'M7Q8..CN.3K1D*.M7]..nC2.0J5LEENJa8U4A4O.K5Bo.M5,.U

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.909764146143945
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	zAK7HHniGW.exe
File size:	1'069'056 bytes
MD5:	988f9a70417a5ee4f7d4d3e0b3ed71f0
SHA1:	4a1b003b6bd958160d3f27cb362ed8230f83f842
SHA256:	22af294596a94c94df1e13966f16af73ab4246c11866a75a7d2a095ae6a91f7e
SHA512:	d087b8f4d40fc9ea89eb6720274c8d6b39bf861710c0c939b24aa3f0f5c8bd78b3c7866acd5712cb130a5369b10524ed3666b85072ea57af389ca4146e531701
SSDEEP:	24576:lqDEvCTbMWu7rQYlBQcBiT6rprG8aAouMe:lTvC/MTQYxsWR7aA
TLSH:	0A35AE0273D180A2FF9B91330F56F71146BCAA260123AD1F17981DB9BE705B1563E7AB
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	74ecccdcd4ccccf0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67636124 [Wed Dec 18 23:56:20 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F7CA8C3D263h
jmp 00007F7CA8C3CB6Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F7CA8C3CD4Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F7CA8C3CD1Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F7CA8C3F90Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F7CA8C3F958h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F7CA8C3F941h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x2e5f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x103000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x2e5f0	0x2e600	7431d9176918b7e4e575ba1d6ab219d0	False	0.8746736017520216	data	7.751881814775477	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x103000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd44e8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4610	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd4738	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4860	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	Great Britain	0.24379432624113476
RT_ICON	0xd4cc8	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	English	Great Britain	0.12226775956284153
RT_ICON	0xd5df0	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	English	Great Britain	0.07017900732302686
RT_ICON	0xd8458	0x194d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	Great Britain	0.7549791570171376
RT_MENU	0xd9da8	0x50	data	English	Great Britain	0.9
RT_STRING	0xd9df8	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xda38c	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdaa18	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdaea8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdb4a4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdbb00	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdbf68	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc0c0	0x25fe7	data			1.0003598439819308
RT_GROUP_ICON	0x1020a8	0x3e	data	English	Great Britain	0.8548387096774194
RT_GROUP_ICON	0x1020e8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1020fc	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x102110	0x14	data	English	Great Britain	1.25
RT_VERSION	0x102124	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x102200	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T17:04:27.780937+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49735	193.122.130.0	80	TCP
2025-01-10T17:04:28.624671+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49735	193.122.130.0	80	TCP
2025-01-10T17:04:29.222975+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49748	104.21.112.1	443	TCP
2025-01-10T17:04:29.968422+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49753	193.122.130.0	80	TCP
2025-01-10T17:04:30.553410+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49756	104.21.112.1	443	TCP
2025-01-10T17:04:31.658786+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49766	104.21.112.1	443	TCP
2025-01-10T17:04:32.748104+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49772	104.21.112.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 17:04:26.631709099 CET	49735	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:26.637305021 CET	80	49735	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:26.637381077 CET	49735	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:26.637660027 CET	49735	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:26.643466949 CET	80	49735	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:27.116947889 CET	80	49735	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:27.171585083 CET	49735	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:27.258011103 CET	49735	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:27.262887001 CET	80	49735	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:27.733673096 CET	80	49735	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:27.780936956 CET	49735	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:27.785794973 CET	49741	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:27.785831928 CET	443	49741	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:27.785888910 CET	49741	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:27.794805050 CET	49741	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:27.794836044 CET	443	49741	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:28.279231071 CET	443	49741	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:28.279309034 CET	49741	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:28.284389973 CET	49741	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:28.284404993 CET	443	49741	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:28.284743071 CET	443	49741	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:28.327784061 CET	49741	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:28.336862087 CET	49741	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:28.383327961 CET	443	49741	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:28.468964100 CET	443	49741	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:28.469022036 CET	443	49741	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:28.469063997 CET	49741	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:28.475250959 CET	49741	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:28.478529930 CET	49735	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:28.483412981 CET	80	49735	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:28.582117081 CET	80	49735	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:28.585139036 CET	49748	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:28.585167885 CET	443	49748	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:28.585243940 CET	49748	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:28.585535049 CET	49748	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:28.585546017 CET	443	49748	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:28.624670982 CET	49735	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:29.074373007 CET	443	49748	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:29.077344894 CET	49748	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:29.077368975 CET	443	49748	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:29.223020077 CET	443	49748	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:29.223083019 CET	443	49748	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:29.223206043 CET	49748	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:29.223558903 CET	49748	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:29.226761103 CET	49735	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:29.228060007 CET	49753	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:29.231825113 CET	80	49735	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:29.231920958 CET	49735	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:29.232981920 CET	80	49753	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:29.233128071 CET	49753	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:29.233211040 CET	49753	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:29.238107920 CET	80	49753	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:29.918024063 CET	80	49753	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:29.930075884 CET	49756	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:29.930126905 CET	443	49756	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:29.930198908 CET	49756	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:29.934197903 CET	49756	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:29.934210062 CET	443	49756	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:29.968421936 CET	49753	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:30.396203995 CET	443	49756	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:30.402403116 CET	49756	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:30.402446032 CET	443	49756	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:30.553322077 CET	443	49756	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:30.553391933 CET	443	49756	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:30.553513050 CET	49756	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:30.553904057 CET	49756	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:30.558820963 CET	49761	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:30.563756943 CET	80	49761	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:30.563858986 CET	49761	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:30.563961029 CET	49761	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:30.568720102 CET	80	49761	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:31.046442986 CET	80	49761	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:31.047739983 CET	49766	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:31.047766924 CET	443	49766	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:31.047933102 CET	49766	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:31.048197031 CET	49766	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:31.048211098 CET	443	49766	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:31.093426943 CET	49761	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:31.510819912 CET	443	49766	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:31.514612913 CET	49766	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:31.514659882 CET	443	49766	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:31.658781052 CET	443	49766	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:31.658947945 CET	443	49766	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:31.659041882 CET	49766	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:31.659384966 CET	49766	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:31.662764072 CET	49761	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:31.663769960 CET	49768	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:31.667651892 CET	80	49761	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:31.667732954 CET	49761	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:31.668591022 CET	80	49768	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:31.668689013 CET	49768	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:31.668812990 CET	49768	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:31.673588037 CET	80	49768	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:32.124469042 CET	80	49768	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:32.141421080 CET	49772	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:32.141477108 CET	443	49772	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:32.141556978 CET	49772	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:32.142539978 CET	49772	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:32.142569065 CET	443	49772	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:32.171551943 CET	49768	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:32.615679026 CET	443	49772	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:32.617448092 CET	49772	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:32.617495060 CET	443	49772	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:32.748143911 CET	443	49772	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:32.748296976 CET	443	49772	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:32.748420954 CET	49772	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:32.748963118 CET	49772	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:32.752533913 CET	49768	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:32.753715038 CET	49777	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:32.757549047 CET	80	49768	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:32.757627964 CET	49768	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:32.758533001 CET	80	49777	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:32.758624077 CET	49777	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:32.758790016 CET	49777	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:32.763611078 CET	80	49777	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:33.224638939 CET	80	49777	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:33.225987911 CET	49780	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:33.226038933 CET	443	49780	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:33.226118088 CET	49780	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:33.226404905 CET	49780	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:33.226425886 CET	443	49780	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:33.265361071 CET	49777	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:33.703695059 CET	443	49780	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:33.705398083 CET	49780	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:33.705440998 CET	443	49780	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:33.847472906 CET	443	49780	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:33.847543955 CET	443	49780	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:33.847703934 CET	49780	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:33.855281115 CET	49780	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:33.858541965 CET	49777	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:33.859761000 CET	49783	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:33.863599062 CET	80	49777	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:33.863693953 CET	49777	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:33.864654064 CET	80	49783	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:33.864722967 CET	49783	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:33.864818096 CET	49783	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:33.869786978 CET	80	49783	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:34.320070982 CET	80	49783	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:34.321491003 CET	49788	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:34.321556091 CET	443	49788	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:34.321731091 CET	49788	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:34.322041988 CET	49788	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:34.322056055 CET	443	49788	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:34.374661922 CET	49783	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:34.794040918 CET	443	49788	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:34.795555115 CET	49788	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:34.795589924 CET	443	49788	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:34.945545912 CET	443	49788	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:34.945611000 CET	443	49788	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:34.945686102 CET	49788	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:34.946201086 CET	49788	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:34.949358940 CET	49783	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:34.950544119 CET	49793	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:34.956245899 CET	80	49793	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:34.956342936 CET	49793	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:34.956373930 CET	80	49783	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:34.956417084 CET	49783	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:34.956515074 CET	49793	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:34.961211920 CET	80	49793	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:35.411181927 CET	80	49793	193.122.130.0	192.168.2.9
Jan 10, 2025 17:04:35.412372112 CET	49795	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:35.412408113 CET	443	49795	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:35.412473917 CET	49795	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:35.412677050 CET	49795	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:35.412693977 CET	443	49795	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:35.452795029 CET	49793	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:04:35.886167049 CET	443	49795	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:35.887932062 CET	49795	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:35.887955904 CET	443	49795	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:36.031189919 CET	443	49795	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:36.031256914 CET	443	49795	104.21.112.1	192.168.2.9
Jan 10, 2025 17:04:36.031357050 CET	49795	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:04:36.031907082 CET	49795	443	192.168.2.9	104.21.112.1
Jan 10, 2025 17:05:34.918045044 CET	80	49753	193.122.130.0	192.168.2.9
Jan 10, 2025 17:05:34.918148041 CET	49753	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:05:40.411310911 CET	80	49793	193.122.130.0	192.168.2.9
Jan 10, 2025 17:05:40.411370039 CET	49793	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:06:15.421912909 CET	49793	80	192.168.2.9	193.122.130.0
Jan 10, 2025 17:06:15.428380966 CET	80	49793	193.122.130.0	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 17:04:26.596820116 CET	55546	53	192.168.2.9	1.1.1.1
Jan 10, 2025 17:04:26.603605032 CET	53	55546	1.1.1.1	192.168.2.9
Jan 10, 2025 17:04:27.776371956 CET	58970	53	192.168.2.9	1.1.1.1
Jan 10, 2025 17:04:27.785064936 CET	53	58970	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 17:04:26.596820116 CET	192.168.2.9	1.1.1.1	0x7ae5	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:04:27.776371956 CET	192.168.2.9	1.1.1.1	0x4a65	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 17:04:20.821851969 CET	1.1.1.1	192.168.2.9	0xb779	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 17:04:20.821851969 CET	1.1.1.1	192.168.2.9	0xb779	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:04:26.603605032 CET	1.1.1.1	192.168.2.9	0x7ae5	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 17:04:26.603605032 CET	1.1.1.1	192.168.2.9	0x7ae5	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:04:26.603605032 CET	1.1.1.1	192.168.2.9	0x7ae5	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:04:26.603605032 CET	1.1.1.1	192.168.2.9	0x7ae5	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:04:26.603605032 CET	1.1.1.1	192.168.2.9	0x7ae5	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:04:26.603605032 CET	1.1.1.1	192.168.2.9	0x7ae5	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:04:27.785064936 CET	1.1.1.1	192.168.2.9	0x4a65	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:04:27.785064936 CET	1.1.1.1	192.168.2.9	0x4a65	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:04:27.785064936 CET	1.1.1.1	192.168.2.9	0x4a65	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:04:27.785064936 CET	1.1.1.1	192.168.2.9	0x4a65	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:04:27.785064936 CET	1.1.1.1	192.168.2.9	0x4a65	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:04:27.785064936 CET	1.1.1.1	192.168.2.9	0x4a65	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:04:27.785064936 CET	1.1.1.1	192.168.2.9	0x4a65	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49735	193.122.130.0	80	7788	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:04:26.637660027 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 17:04:27.116947889 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:04:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a487de03080aea7a95cefb96f005a91e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 17:04:27.258011103 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 17:04:27.733673096 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:04:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 12546155d3159b11d31da580830b58f6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 17:04:28.478529930 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 17:04:28.582117081 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:04:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8aca46c3b45c89ed1d09f62c136bd54e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49753	193.122.130.0	80	7788	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:04:29.233211040 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 17:04:29.918024063 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:04:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c1a522752b93761fac4a4a3af97c672a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49761	193.122.130.0	80	7788	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:04:30.563961029 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 17:04:31.046442986 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:04:30 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6ca1f1ce757a8e50a107be01d39f0810 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49768	193.122.130.0	80	7788	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:04:31.668812990 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 17:04:32.124469042 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:04:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ee7b25462d47df3ad61ff7aad5e15a92 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49777	193.122.130.0	80	7788	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:04:32.758790016 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 17:04:33.224638939 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:04:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4c767b74eeb8e2e56da7967ea0fe276c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49783	193.122.130.0	80	7788	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:04:33.864818096 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 17:04:34.320070982 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:04:34 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3f6f1d33a9001fb5ea25403321864a68 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49793	193.122.130.0	80	7788	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 17:04:34.956515074 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 17:04:35.411181927 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:04:35 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5022c6faaf2a1a026feb7da09ed1b838 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49741	104.21.112.1	443	7788	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:04:28 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 16:04:28 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:04:28 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839857 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pOLzf3wNmZivPADOsetTlMlHfH7jJ%2FlitmvS8lZADj27Mr8wco%2BeeA9pMxAmCIOeNKYDNt8m0301xOFqokb0cohHQnfvYzidYgyJogdb3Iccp5yZJopTSo3UYT9VAYVtc22LxBBI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffde72d7b75729f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2071&min_rtt=2045&rtt_var=785&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1427872&cwnd=169&unsent_bytes=0&cid=9d48f87ae66bb7fa&ts=221&x=0"
2025-01-10 16:04:28 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49748	104.21.112.1	443	7788	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:04:29 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 16:04:29 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:04:29 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839858 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hAmb6r44c62aU6rBvhpmRmFduK2d5b6T5xLCpR6FCx3EaTDEDTcpDdCD49hPaOSWt0UZiZtAxHQ%2BFlPT%2Bhw1jfesebDNvmzrJsdOJv%2FayNuzt8DyIThS62E2Fd2B2IqXjFg%2FMhtz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffde7322bee424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1680&min_rtt=1642&rtt_var=643&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1778319&cwnd=248&unsent_bytes=0&cid=e3eacbdd4543f7a8&ts=155&x=0"
2025-01-10 16:04:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49756	104.21.112.1	443	7788	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:04:30 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 16:04:30 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:04:30 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839859 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NPtiL8bMQQvm%2FnGnDtwsS%2BJo500BREAwaH4bgt49FEnXBjD1QNtazt7%2FBA%2FBcnfhKQP%2BJ%2Bj9SdbhUvSCa3EpfX1YsOQEC9DkSBDGtDWreGBY4cDbDxJzErHYtrvxsijbshokTYxn"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffde73a8c2243b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1610&min_rtt=1580&rtt_var=652&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1604395&cwnd=203&unsent_bytes=0&cid=112a4a221d605468&ts=165&x=0"
2025-01-10 16:04:30 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49766	104.21.112.1	443	7788	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:04:31 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 16:04:31 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:04:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839860 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FqQldSE2UfuoTIG1hXoeb5P%2BfbZewU1UtpRsQ6OrPzHzIlebrb%2BVcMpASbmG4XxJk46pKeDUOAHc8tRwnGJ%2BUtFL4kxNJhS7hhA6QmI1TsU6k4%2BYsJCz8SHE%2BOY9t7vHmsqNyrFo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffde7418c9d43b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1559&min_rtt=1550&rtt_var=600&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1794714&cwnd=203&unsent_bytes=0&cid=87dc3655c587f532&ts=151&x=0"
2025-01-10 16:04:31 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49772	104.21.112.1	443	7788	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:04:32 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 16:04:32 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:04:32 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839861 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qIA3fiLlaT93taN%2FuzWU2s0yz76uoFSQHbVNxZw81k2mAwE6WqaQcROMdIJeojr9Ks5KkzybAqboYW79SrPS1zxe0YzQm6bqwog9%2Bj3vtydpSbcLq6ArzrDn2%2FgwkuCG5TpZTC2X"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffde7485cdf43b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1621&min_rtt=1568&rtt_var=626&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1862244&cwnd=203&unsent_bytes=0&cid=8300b1d1071f82fa&ts=134&x=0"
2025-01-10 16:04:32 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49780	104.21.112.1	443	7788	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:04:33 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 16:04:33 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:04:33 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839862 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UfHDwkWEbWhkO1gb4jNpyrrNZvXNfGgRtnP8R3RL3QTz4Ty5o2eyFH%2BWjP92O7aRYc5KJ65VlywoL6%2FTfPT%2BFw6MAyARZHoKclMVGW5ZpkGCnfNMaTREmmGxi4pcHek0yOrcJ%2F5W"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffde74f2a0cc34f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1506&min_rtt=1493&rtt_var=569&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1955793&cwnd=181&unsent_bytes=0&cid=658794d191c2c9c3&ts=150&x=0"
2025-01-10 16:04:33 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49788	104.21.112.1	443	7788	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:04:34 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 16:04:34 UTC	852	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:04:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839864 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yT3ux1QTa1IxPhyLxhRfbaP1uSWQph2zBHxefi0uwUtaIujQv7S1qAmfyJpVMWO32f2ehVJ0vr7s7v7zb9vnfj6xG%2BENeOTZ9h7XMfxfjgn%2FRbJqsTwWGs3bNs3cl7ICZcVkGN3K"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffde755ff4f424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1754&min_rtt=1570&rtt_var=957&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=959579&cwnd=248&unsent_bytes=0&cid=ee6e076767adf8fc&ts=156&x=0"
2025-01-10 16:04:34 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49795	104.21.112.1	443	7788	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 16:04:35 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 16:04:36 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 16:04:35 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1839865 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=reN6rH0oUO%2B8Eqz2I1lcfTHu1R0vDeGvGQj%2Bpc%2Fv40iWOgJZ8vfdTRhvQyRra0Gx87M9xekL6H0uVYu1j6W5vyGXC6z5JRpwZM7RdgAh2TnojBANwRG9C44Nwik%2FTUCXu8WeHNfF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffde75cdc7c729f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2005&min_rtt=1987&rtt_var=782&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1368322&cwnd=169&unsent_bytes=0&cid=2d89439105c118dd&ts=148&x=0"
2025-01-10 16:04:36 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	11:04:21
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\zAK7HHniGW.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\zAK7HHniGW.exe"
Imagebase:	0x520000
File size:	1'069'056 bytes
MD5 hash:	988F9A70417A5EE4F7D4D3E0B3ED71F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1357540512.0000000003350000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:04:25
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\zAK7HHniGW.exe"
Imagebase:	0xd80000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3788352885.0000000003294000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3787235335.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3787235335.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3787235335.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.3787235335.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3788352885.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	0.9%
Signature Coverage:	4.7%
Total number of Nodes:	1996
Total number of Limit Nodes:	55

Executed Functions

Function 005242DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0052430D

Part of subcall function 00526B57: _wcslen.LIBCMT ref: 00526B6A

GetCurrentProcess.KERNEL32(?,005BCB64,00000000,?,?), ref: 00524422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00524429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00524454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00524466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00524474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0052447B
GetSystemInfo.KERNEL32(?,?,?), ref: 005244A0

Strings

GetNativeSystemInfo, xrefs: 00524460
kernel32.dll, xrefs: 0052444F
|O, xrefs: 005636F8

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 8e154fcb1ff7ee2c0bcb183b8ee54448b5862f56fb0a3eb2ce12d5340cc3991e
Instruction ID: 634ed63fd6c5471e90315c75f9be1f648740376b7fbd3a86bef8235f9387a102
Opcode Fuzzy Hash: 8e154fcb1ff7ee2c0bcb183b8ee54448b5862f56fb0a3eb2ce12d5340cc3991e
Instruction Fuzzy Hash: E3A1A26690AAD4DFCB11E76DBC411B97FE4BB36340B184C99D081D3AE6D228460CEF6D

Function 005242A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,005250AA,?,?,00000000,00000000), ref: 005242B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,005250AA,?,?,00000000,00000000), ref: 005242C9
LoadResource.KERNEL32(?,00000000,?,?,005250AA,?,?,00000000,00000000,?,?,?,?,?,?,00524F20), ref: 005635BE
SizeofResource.KERNEL32(?,00000000,?,?,005250AA,?,?,00000000,00000000,?,?,?,?,?,?,00524F20), ref: 005635D3
LockResource.KERNEL32(005250AA,?,?,005250AA,?,?,00000000,00000000,?,?,?,?,?,?,00524F20,?), ref: 005635E6

Strings

SCRIPT, xrefs: 005242BF

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 984a5ec4e9443c2e1392755e9bd256fd9dfbeb6647bef2bb558f0b30612d8bf4
Instruction ID: cf57b36ddd241ce4f313d1e890833911f8b5d62459f0f1f7c47683d91796638f
Opcode Fuzzy Hash: 984a5ec4e9443c2e1392755e9bd256fd9dfbeb6647bef2bb558f0b30612d8bf4
Instruction Fuzzy Hash: 16115A78200600EFDB218B66EC48F67BFB9FFD6B51F108269B44296290DB71E8049A20

Function 00562BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00522B6B

Part of subcall function 00523A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005F1418,?,00522E7F,?,?,?,00000000), ref: 00523A78

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,005E2224), ref: 00562C10
ShellExecuteW.SHELL32(00000000,?,?,005E2224), ref: 00562C17

Strings

runas, xrefs: 00562C0B

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: affce54f58fa3d1f4154807db7203de740157b441d55c28b37c7a591ddcafefe
Instruction ID: 50afc52c83a98d087688158ab3ad58d41bab04da321c367117db7baa0e6d619e
Opcode Fuzzy Hash: affce54f58fa3d1f4154807db7203de740157b441d55c28b37c7a591ddcafefe
Instruction Fuzzy Hash: 0D11A231108256AACB04FF60F8599BE7FA4BFE6340F44182DF182571E2DF298A09D752

Function 0058DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00565222), ref: 0058DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0058DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 0058DBEE
FindClose.KERNEL32(00000000), ref: 0058DBFA

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 1542d740702297aa0fd6ed599dac4f2788d7d0ff33f7a2a7183d08b05ed658fc
Instruction ID: 0d100c176026180ae9169d207f860f692a4ec0a39326730937d9c59cf095ce66
Opcode Fuzzy Hash: 1542d740702297aa0fd6ed599dac4f2788d7d0ff33f7a2a7183d08b05ed658fc
Instruction Fuzzy Hash: BDF0A030810910578220BB7CAC0D8AA7FBCAF41334B104702F876E20E0EBB06D58DAA9

Function 0052BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#_, xrefs: 005707CE

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#_
API String ID: 3964851224-4006447686
Opcode ID: 1c07cd664d5928c827518e3fc79faf1561e77cea0d4023e55a38ffa7843db885
Instruction ID: 706464093d12163307a1e896a542573f299b05a194d66d98bf5eb139727bc6c1
Opcode Fuzzy Hash: 1c07cd664d5928c827518e3fc79faf1561e77cea0d4023e55a38ffa7843db885
Instruction Fuzzy Hash: F6A24771608311CFD724CF18D484B2ABFE1BF8A304F14896DE99A9B392D771E845DB92

Function 0052D730 Relevance: 21.6, APIs: 14, Instructions: 627windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0052D807
timeGetTime.WINMM ref: 0052DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0052DB28
TranslateMessage.USER32(?), ref: 0052DB7B
DispatchMessageW.USER32(?), ref: 0052DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0052DB9F
Sleep.KERNEL32(0000000A), ref: 0052DBB1

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: cdf1efadc00d8f32033b574e37911debb4ed6c063f89fa6d16a3f66d1756027a
Instruction ID: 0bbfc8ece7826f931c6011413caaac85cc881b3e3e12e83f22d8ff573ab3d69a
Opcode Fuzzy Hash: cdf1efadc00d8f32033b574e37911debb4ed6c063f89fa6d16a3f66d1756027a
Instruction Fuzzy Hash: 6542E170604652DFD729CF24E848BAABFF4BF96300F148A19F459872D1D774E884DBA2

Function 00522CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00522D07
RegisterClassExW.USER32(00000030), ref: 00522D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00522D42
InitCommonControlsEx.COMCTL32(?), ref: 00522D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00522D6F
LoadIconW.USER32(000000A9), ref: 00522D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00522D94

Strings

+, xrefs: 00522CF0
AutoIt v3 GUI, xrefs: 00522D23
0, xrefs: 00522CE9
TaskbarCreated, xrefs: 00522D37

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 27be53318bdbaa4914c7be955449a8919a6111ab3933a76580a60c12e5288d5a
Instruction ID: 20fb9f7c750fe6cbf190dcaa84e2b3bb68d4fae14c14c2740285eca30142741a
Opcode Fuzzy Hash: 27be53318bdbaa4914c7be955449a8919a6111ab3933a76580a60c12e5288d5a
Instruction Fuzzy Hash: 9F21E5B5901208EFDB40DFA4E949BEDBFB4FB18700F00421AF511E62A0D7B51548DF98

Function 00558D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.T, xrefs: 0055903A, 00558FD0, 00558FF2

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID:
String ID: .T
API String ID: 0-3315649315
Opcode ID: f565283d504b8f236ecb72fc2f8528d766978208883732dac3c95be69474bdf8
Instruction ID: 249f21ae292bf7ced5e2cd6e6f1f3ab0a040504fe1d2b38457f2f2865cf77918
Opcode Fuzzy Hash: f565283d504b8f236ecb72fc2f8528d766978208883732dac3c95be69474bdf8
Instruction Fuzzy Hash: B7C1F274904249EFCF11DFA8C859BBDBFB0BF59311F08449AE814A72E2C7349949CB60

Function 0056065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0056039A: CreateFileW.KERNELBASE(00000000,00000000,?,00560704,?,?,00000000,?,00560704,00000000,0000000C), ref: 005603B7

GetLastError.KERNEL32 ref: 0056076F
__dosmaperr.LIBCMT ref: 00560776
GetFileType.KERNELBASE(00000000), ref: 00560782
GetLastError.KERNEL32 ref: 0056078C
__dosmaperr.LIBCMT ref: 00560795
CloseHandle.KERNEL32(00000000), ref: 005607B5
CloseHandle.KERNEL32(?), ref: 005608FF
GetLastError.KERNEL32 ref: 00560931
__dosmaperr.LIBCMT ref: 00560938

Strings

H, xrefs: 005608BD

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 0b1a583e2a46ad6d7a309eaa09e28163f89b21ed74a6747e9a85e64f9dc1ad66
Instruction ID: 651cbd961bf203190336d93fac3c473bb87be9b74fe957eea7b13a6f9716312c
Opcode Fuzzy Hash: 0b1a583e2a46ad6d7a309eaa09e28163f89b21ed74a6747e9a85e64f9dc1ad66
Instruction Fuzzy Hash: 89A14132A141098FDF19EF68DC55BAE3FA0FB46320F281159F811EB2D2DB349816CB91

Function 0052344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00523A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005F1418,?,00522E7F,?,?,?,00000000), ref: 00523A78

Part of subcall function 00523357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00523379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0052356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0056318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 005631CE
RegCloseKey.ADVAPI32(?), ref: 00563210
_wcslen.LIBCMT ref: 00563277
_wcslen.LIBCMT ref: 00563286

Strings

Include, xrefs: 00563184, 005631C5
\Include\, xrefs: 00523527
\, xrefs: 0056328C
Software\AutoIt v3\AutoIt, xrefs: 00523560

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: db0a7c0b86b7162a89aeab8f9c1b911f32b35ec91aa9c64265b86c329076e762
Instruction ID: d45a17d35de52009ed60591f3ac61506b3ad71738606f3543b2afa048855b8e5
Opcode Fuzzy Hash: db0a7c0b86b7162a89aeab8f9c1b911f32b35ec91aa9c64265b86c329076e762
Instruction Fuzzy Hash: FB715AB14043169FC314EF65E8859ABBFE8BFA5740F50082EF545D71A0EB389A48DB61

Function 00522B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00522B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00522B9D
LoadIconW.USER32(00000063), ref: 00522BB3
LoadIconW.USER32(000000A4), ref: 00522BC5
LoadIconW.USER32(000000A2), ref: 00522BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00522BEF
RegisterClassExW.USER32(?), ref: 00522C40

Part of subcall function 00522CD4: GetSysColorBrush.USER32(0000000F), ref: 00522D07
Part of subcall function 00522CD4: RegisterClassExW.USER32(00000030), ref: 00522D31
Part of subcall function 00522CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00522D42
Part of subcall function 00522CD4: InitCommonControlsEx.COMCTL32(?), ref: 00522D5F
Part of subcall function 00522CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00522D6F
Part of subcall function 00522CD4: LoadIconW.USER32(000000A9), ref: 00522D85
Part of subcall function 00522CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00522D94

Strings

0, xrefs: 00522C0F
#, xrefs: 00522C16
AutoIt v3, xrefs: 00522C2F

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 53ee402d4383ad269ed17ac0352bfcab3177d29efb4cb261552c9207c6c04923
Instruction ID: ddff06a5016a9c62746d2f87b2fcc58f80842705598c62cce29e524154f0c940
Opcode Fuzzy Hash: 53ee402d4383ad269ed17ac0352bfcab3177d29efb4cb261552c9207c6c04923
Instruction Fuzzy Hash: 72214C70E00715EBDB109FA6EC49AA97FB4FB68B50F00041AF500E66E0D7B91548EF9C

Function 00523170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0052316A,?,?), ref: 005231D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0052316A,?,?), ref: 00523204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00523227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0052316A,?,?), ref: 00523232
CreatePopupMenu.USER32 ref: 00523246
PostQuitMessage.USER32(00000000), ref: 00523267

Strings

TaskbarCreated, xrefs: 0052322D

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 44a32153cf747f757afad99f6c76aefe73c5c3358d456602a9b3d617f3fdc999
Instruction ID: 520b3f19fa92a91a6d217f660f4c0f3c8d59bf3ca854b7b79e965da6877a659c
Opcode Fuzzy Hash: 44a32153cf747f757afad99f6c76aefe73c5c3358d456602a9b3d617f3fdc999
Instruction Fuzzy Hash: 2D412335200A29E7DB141B68ED0EB7D3E69FF57300F040529F942D61E2CB6E9A04E7A9

Function 0052DFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%_D%_, xrefs: 0052E27E
Variable must be of type 'Object'., xrefs: 005732B7
D%_, xrefs: 0057302D
D%_, xrefs: 0052E4B1
D%_, xrefs: 00572FDA
D%_, xrefs: 0052E1E0

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID:
String ID: D%_$D%_$D%_$D%_$D%_D%_$Variable must be of type 'Object'.
API String ID: 0-126804711
Opcode ID: c426bc5a6811df0221978cfabdb7afe0f30c27878f2ae24b00b92b29a6ad237b
Instruction ID: b293bab60583567c1ad4c1c7fbc7874eb7079506c63c5537be910997d5f46704
Opcode Fuzzy Hash: c426bc5a6811df0221978cfabdb7afe0f30c27878f2ae24b00b92b29a6ad237b
Instruction Fuzzy Hash: 7DC2D271E00225CFCB14CF54E886AADBBB1FF5A310F248969E905AB391D335ED41DB51

Function 010D35C0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 010D3691
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 010D38B7

Memory Dump Source

Source File: 00000000.00000002.1356932515.00000000010D1000.00000040.00000020.00020000.00000000.sdmp, Offset: 010D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d1000_zAK7HHniGW.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e7fcc9d0c03c8eebee60ddba528add67e317e316073a556d8272a5bdc8b54fa5
Instruction ID: 719419e92a30ef0edc1185794ddc487cb1b185e1636102eecf890afe60d70816
Opcode Fuzzy Hash: e7fcc9d0c03c8eebee60ddba528add67e317e316073a556d8272a5bdc8b54fa5
Instruction Fuzzy Hash: 36A118B4E00309EBDB54CFA4C895BEEBBB5BF48304F208599E641BB280D7759A41CF95

Function 00522C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00522C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00522CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00521CAD,?), ref: 00522CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00521CAD,?), ref: 00522CCF

Strings

AutoIt v3, xrefs: 00522C89, 00522C8E, 00522C8F
edit, xrefs: 00522CAC

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: f6eff5ac3bb35c33b76b9e101b8cce6578a4694a5eef364587836bdb6ae976de
Instruction ID: 5959e8ad3d42663b9fe8ee38c9a735e1a34374e644cda8a7e845e4181fc53ed8
Opcode Fuzzy Hash: f6eff5ac3bb35c33b76b9e101b8cce6578a4694a5eef364587836bdb6ae976de
Instruction Fuzzy Hash: 38F0D076540690BAE73117176C08E772EBDD7D7F60B00045DF900D65A0CA652858EA78

Function 010D33C0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 135
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 010D32B0: Sleep.KERNELBASE(000001F4), ref: 010D32C1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 010D34B9

Strings

K5FEGM7W8U0C023, xrefs: 010D351C, 010D351F

Memory Dump Source

Source File: 00000000.00000002.1356932515.00000000010D1000.00000040.00000020.00020000.00000000.sdmp, Offset: 010D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d1000_zAK7HHniGW.jbxd

Similarity

API ID: CreateFileSleep
String ID: K5FEGM7W8U0C023
API String ID: 2694422964-1090601024
Opcode ID: 54c78afe53fcba1ac90f11c30c94483c7ac7e74d08701e04557641ae3e2e1444
Instruction ID: 511ca53136359e70872ad104969999816818190c917fe2d3f1ee9d9271ea6217
Opcode Fuzzy Hash: 54c78afe53fcba1ac90f11c30c94483c7ac7e74d08701e04557641ae3e2e1444
Instruction Fuzzy Hash: 6F516271D04349DAEF11DBA4C819BEEBBB8AF14300F004199E2497B2C0DBB91B45CBA6

Function 00592947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00592C05
DeleteFileW.KERNEL32(?), ref: 00592C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00592C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00592CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00592CC0

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: a75d37860721beca85ceebc31faa9b066e0784287e64504f4786baba02c81429
Instruction ID: f68160179dfd5e0d00b272aee2c39330fe315a401bfffc3f658aa815485eeb86
Opcode Fuzzy Hash: a75d37860721beca85ceebc31faa9b066e0784287e64504f4786baba02c81429
Instruction Fuzzy Hash: 6FB11C72D0012ABBDF25DBA4CC89EDEBBBDFF49354F1040A6F509E6151EA309E448B61

Function 00555AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JOR, xrefs: 00555BA8, 00555C6C

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID:
String ID: JOR
API String ID: 0-1892200982
Opcode ID: 01578baeb9acbd259be534570c9f0bdbaa9ee8f22c577aeb96ccf12c1b238b95
Instruction ID: f1d7dd6b21ecbe12e6e06401dd4c3928565127a6e32b9963cc0831c4d3fa049e
Opcode Fuzzy Hash: 01578baeb9acbd259be534570c9f0bdbaa9ee8f22c577aeb96ccf12c1b238b95
Instruction Fuzzy Hash: 5051D175D0060A9BCB119FA8C879EEE7FB4BF45326F14005BF801A7291E6719E09DB61

Function 00523B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00523B0F,SwapMouseButtons,00000004,?), ref: 00523B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00523B0F,SwapMouseButtons,00000004,?), ref: 00523B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00523B0F,SwapMouseButtons,00000004,?), ref: 00523B83

Strings

Control Panel\Mouse, xrefs: 00523B3E

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 10a7567818f093dcd66623e3d3a63fc4b19ddaf6bc8730c3e2288cc76b6df1e7
Instruction ID: 17d2950c5dcdef0d18312b527db4b03a00c12065a01d8853448e78923d71572d
Opcode Fuzzy Hash: 10a7567818f093dcd66623e3d3a63fc4b19ddaf6bc8730c3e2288cc76b6df1e7
Instruction Fuzzy Hash: 58112AB5511218FFDB208FA5EC88AAEBBB8FF05744B104959B805D7150E235AE44AB64

Function 010D22B0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 010D2ADD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 010D2B01
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 010D2B23

Memory Dump Source

Source File: 00000000.00000002.1356932515.00000000010D1000.00000040.00000020.00020000.00000000.sdmp, Offset: 010D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d1000_zAK7HHniGW.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: f7a3111ab7015fd8b62422fe8fc399687c9bf18e9b49b2a513bdf356eeec8a8c
Instruction ID: a5d674e57996f3144baf57c0db979b3f24f391286c56fe4a83c63b443bfc414d
Opcode Fuzzy Hash: f7a3111ab7015fd8b62422fe8fc399687c9bf18e9b49b2a513bdf356eeec8a8c
Instruction Fuzzy Hash: 4C62FA30A14258DBEB24DFA4C850BDEB776EF58300F1091A9D24DEB390E7799E81CB59

Function 00523923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 005633A2

Part of subcall function 00526B57: _wcslen.LIBCMT ref: 00526B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00523A04

Strings

Line: , xrefs: 005633EB

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 3fd77a7a9d4b643fe4056c95434ef55b162c799325b8e8920614011a274cad2a
Instruction ID: dd508f9a9ba7dc7e70929b0177568218288de0039df7a60a8b253b693ab2c7ef
Opcode Fuzzy Hash: 3fd77a7a9d4b643fe4056c95434ef55b162c799325b8e8920614011a274cad2a
Instruction Fuzzy Hash: FA31E471508325AAC725EB10EC49BEB7BD8BF92310F100D2AF599831D1EB789648CBC6

Function 00522DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00562C8C

Part of subcall function 00523AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00523A97,?,?,00522E7F,?,?,?,00000000), ref: 00523AC2

Part of subcall function 00522DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00522DC4

Strings

`e^, xrefs: 00562C85
X, xrefs: 00562C5A

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e^
API String ID: 779396738-1033855823
Opcode ID: cbdad7de7b1f777ffd1827e5174b73486487b826829948cdf34e7e591c0b2b47
Instruction ID: e0126f0dab516e1dfc13f83c5a06ca196514e0cdb13210d0815b8e3ff99e036c
Opcode Fuzzy Hash: cbdad7de7b1f777ffd1827e5174b73486487b826829948cdf34e7e591c0b2b47
Instruction Fuzzy Hash: B9219971A00258AFDF05DF94D8497EE7FFCBF99314F004059E445A7281DBB859498FA1

Function 0053FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00540668

Part of subcall function 005432A4: RaiseException.KERNEL32(?,?,?,0054068A,?,005F1444,?,?,?,?,?,?,0054068A,00521129,005E8738,00521129), ref: 00543304

__CxxThrowException@8.LIBVCRUNTIME ref: 00540685

Strings

Unknown exception, xrefs: 00540692

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 854e6c948e193178969af3de7e60698a17473a17837d4ed8d35824c88d356300
Instruction ID: 778426b57a9426b50fb839311504533861ca9ad8db2614c1e37fca7ac8083943
Opcode Fuzzy Hash: 854e6c948e193178969af3de7e60698a17473a17837d4ed8d35824c88d356300
Instruction Fuzzy Hash: 06F0C83490020E778F04B665D84ECDD7F6CBE80318B704931B914965E1EF71DA25CA80

Function 00593017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0059302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00593044

Strings

aut, xrefs: 00593038

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: b9b49d1bd36b8f7ee07a0ee45cf80b3b0e3acd270222351c272dd264a23e0745
Instruction ID: 07490903c561b8773ea497d0df2f5a71b4f9f95295514ce91bfc9f8ffda609c6
Opcode Fuzzy Hash: b9b49d1bd36b8f7ee07a0ee45cf80b3b0e3acd270222351c272dd264a23e0745
Instruction Fuzzy Hash: A7D05B7550031467DA6097959C0DFC77E6CD704750F0002E17795D2091DAB0A544CBD4

Function 005A7F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 005A82F5
TerminateProcess.KERNEL32(00000000), ref: 005A82FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 005A84DD

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: ef62f3c9288aa4bbcafa08df503fe55c86c21ec7d0feeb510f07db0257349318
Instruction ID: 7cfa00bd8fd7a8a4bae5b8bd521f7395cb8505e64fb6479b9c5e142e30de083d
Opcode Fuzzy Hash: ef62f3c9288aa4bbcafa08df503fe55c86c21ec7d0feeb510f07db0257349318
Instruction Fuzzy Hash: 84125B719083519FC714DF28C484B6EBBE5BF8A318F04895DE8998B392DB31ED45CB92

Function 005210F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00521BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00521BF4
Part of subcall function 00521BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00521BFC
Part of subcall function 00521BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00521C07
Part of subcall function 00521BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00521C12
Part of subcall function 00521BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00521C1A
Part of subcall function 00521BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00521C22

Part of subcall function 00521B4A: RegisterWindowMessageW.USER32(00000004,?,005212C4), ref: 00521BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0052136A
OleInitialize.OLE32 ref: 00521388
CloseHandle.KERNEL32(00000000,00000000), ref: 005624AB

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 4a53237c94d7ae17146a2c7628e50b53988c956d8fceca1cdfbea2607e21b497
Instruction ID: e843846c92ae1cca355f3f65d471cd7ab6026f6ca7d0bc4ff8137418436d2d7f
Opcode Fuzzy Hash: 4a53237c94d7ae17146a2c7628e50b53988c956d8fceca1cdfbea2607e21b497
Instruction Fuzzy Hash: 2D71D0B4901A05CFC784EF7AA9496753EE1FBF9384704452AD00ADB2A1EB39540CEF4C

Function 0058C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00523923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00523A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0058C259
KillTimer.USER32(?,00000001,?,?), ref: 0058C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0058C270

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: e82e1776d4f432ddecbf51eb044e7140c7231e7af82ccd6f13e5cd8e38b71cd4
Instruction ID: c451568079bd3e8285aa61c0c7a657fc5042b66f60742215bc013de2421be312
Opcode Fuzzy Hash: e82e1776d4f432ddecbf51eb044e7140c7231e7af82ccd6f13e5cd8e38b71cd4
Instruction Fuzzy Hash: 3B31B674904354AFEB629F648855BE6BFECAB16304F00049DD5DAA7181C7746A88CB61

Function 005586AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,005585CC,?,005E8CC8,0000000C), ref: 00558704
GetLastError.KERNEL32(?,005585CC,?,005E8CC8,0000000C), ref: 0055870E
__dosmaperr.LIBCMT ref: 00558739

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: b172a2c0e234f7ee37b16458b108c6e4c7c8a47203fe001e6d853e8295fab210
Instruction ID: 638c7209d39285b16bcece34b1415fe27f823e37e31315501c9feebb30ba382a
Opcode Fuzzy Hash: b172a2c0e234f7ee37b16458b108c6e4c7c8a47203fe001e6d853e8295fab210
Instruction Fuzzy Hash: 15016B32A1522017D7606634A87977E2F49AFE1776F3A061BFC08AB1D2EEA18C8DC150

Function 0052DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0052DB7B
DispatchMessageW.USER32(?), ref: 0052DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0052DB9F
Sleep.KERNEL32(0000000A), ref: 0052DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00571CC9

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: d54572a7198659e955e4c4dc0c522a03fe6deb7e4d23deb91c29190e061aeacf
Instruction ID: 0c57bdd89b2177e23cc279640442a0e78013dda284a2da849d55b8af49c792ca
Opcode Fuzzy Hash: d54572a7198659e955e4c4dc0c522a03fe6deb7e4d23deb91c29190e061aeacf
Instruction Fuzzy Hash: 26F05E306443449BEB70CBA09C59FEA7BBCFF95350F104A18E64AC30C0DB34A448EB29

Function 00592FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00592CD4,?,?,?,00000004,00000001), ref: 00592FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00592CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00593006
CloseHandle.KERNEL32(00000000,?,00592CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0059300D

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 533720753fd11afbc8653a38afe91a1883049f490a99b0123f92191be4db0214
Instruction ID: 1f99097566225b922b608ef8f9cc3ad019cd0fbb6281670c070aed9f517cbf95
Opcode Fuzzy Hash: 533720753fd11afbc8653a38afe91a1883049f490a99b0123f92191be4db0214
Instruction Fuzzy Hash: 8CE0863228061077D6701759BC0EF8B3E5CD786B71F104320F759760D046A0250592AC

Function 00531310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 005317F6

Strings

CALL, xrefs: 005317C6

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: dec8c289d30b5936d9d80601d384dd8960fe17f97867d22f6ebbfe0d88dbf57c
Instruction ID: 88093ce61c1b2cf18c336408d0888e3af9484511b3da8fc527768ec66267b9b6
Opcode Fuzzy Hash: dec8c289d30b5936d9d80601d384dd8960fe17f97867d22f6ebbfe0d88dbf57c
Instruction Fuzzy Hash: 73228B706086029FC714DF24D485A2ABFF1BF89314F18896DF49A8B3A2D731E845DF96

Function 00596EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00596F6B

Part of subcall function 00524ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00524EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00596F5A, 00596F63

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: ad7b3edf4f2bab66c44f8d6b7962681849a3fa42dd5ee75efaf639fe28e156a2
Instruction ID: ce92a2ee78e0ded7dd802dd64da1f8f4d5afe7838443540d6a8d94c4346edfcb
Opcode Fuzzy Hash: ad7b3edf4f2bab66c44f8d6b7962681849a3fa42dd5ee75efaf639fe28e156a2
Instruction Fuzzy Hash: 1DB182311182168FCB14EF24D4959AEBBE5BFD9300F04496DF496972A2EB30ED49CB92

Function 00592557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00592587

Strings

EA06, xrefs: 005925B9

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: cdbccafb7b3f13d61204e7a40c0b0df53017e9c16007aa2cc8e3b463c08861d2
Instruction ID: eb196910d1d08840cb65b1f9bc07196638188038f2c73919005584b9f9aa7124
Opcode Fuzzy Hash: cdbccafb7b3f13d61204e7a40c0b0df53017e9c16007aa2cc8e3b463c08861d2
Instruction Fuzzy Hash: F701B5729042587EDF18C7A8C85AEEEBFF8AB15305F00459EE192D61C1E5B4E618CB60

Function 00523837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00523908

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 90e0b21ff82b8a3b49c0f0124ade2af91f8f514decb5066aca806e5484ce0de1
Instruction ID: d82c56289210cbb60891888f3f1e23f2d810cb8e1b190fc62ca9222b3b00c05b
Opcode Fuzzy Hash: 90e0b21ff82b8a3b49c0f0124ade2af91f8f514decb5066aca806e5484ce0de1
Instruction Fuzzy Hash: 30318D70605711CFD720DF24D8857A7BBE4FF5A308F00092EF59997280E775AA48DB56

Function 010D22AD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 010D2ADD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 010D2B01
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 010D2B23

Memory Dump Source

Source File: 00000000.00000002.1356932515.00000000010D1000.00000040.00000020.00020000.00000000.sdmp, Offset: 010D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d1000_zAK7HHniGW.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 47f45bba1b7d6f78db91ee930b61901a72fbf3bd75938062ef2b5451d70cd9db
Instruction ID: e1bb354ade014df302d044d0cb60e32fc50296732998add18672e8500ae04ef3
Opcode Fuzzy Hash: 47f45bba1b7d6f78db91ee930b61901a72fbf3bd75938062ef2b5451d70cd9db
Instruction Fuzzy Hash: CA12CE24E24658C6EB24DF64D8507DEB272FF68300F1090E9910DEB7A5E77A4F81CB5A

Function 0053FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0053FD1F

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 10defbe766ebd456f9e1e907ddac04d0b153cdc9a0287904e84ba33657c1e029
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 8C31E174A0410A9BC718CF59D484969FBB2FF49300F249AA5E80ACF656DB31EDC1CBD0

Function 00524ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00524E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00524EDD,?,005F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00524E9C
Part of subcall function 00524E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00524EAE
Part of subcall function 00524E90: FreeLibrary.KERNEL32(00000000,?,?,00524EDD,?,005F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00524EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00524EFD

Part of subcall function 00524E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00563CDE,?,005F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00524E62
Part of subcall function 00524E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00524E74
Part of subcall function 00524E59: FreeLibrary.KERNEL32(00000000,?,?,00563CDE,?,005F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00524E87

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 27a7df09a7c9956de086bf54e3ccd6d071b016869a9d4fc9a0ec56decd4f19b2
Instruction ID: 73a860ce978a574a42a8edb7a3a78d911cf6315594de8b9ae1dfadbb5265f6c8
Opcode Fuzzy Hash: 27a7df09a7c9956de086bf54e3ccd6d071b016869a9d4fc9a0ec56decd4f19b2
Instruction Fuzzy Hash: CC112731600216AADF24AB60ED0AFED7FA4BFD1710F10442DF542A62C1EE709E049F50

Function 00558402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00558440

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 8d267d4f6414a340bde614df07fc48e0d9bcfe424d5f8b379c80c15a0c5ae5ff
Instruction ID: 70afacacd3a20fc7b22d1fa087a1ff7e90d6aaa394bba8a954839d992116ec06
Opcode Fuzzy Hash: 8d267d4f6414a340bde614df07fc48e0d9bcfe424d5f8b379c80c15a0c5ae5ff
Instruction Fuzzy Hash: 1911367190410AAFCF05DF58E9409AA7BF9FF48304F14445AFC09AB312DA30DA15CBA4

Function 00555000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00554C7D: RtlAllocateHeap.NTDLL(00000008,00521129,00000000,?,00552E29,00000001,00000364,?,?,?,0054F2DE,00553863,005F1444,?,0053FDF5,?), ref: 00554CBE

_free.LIBCMT ref: 0055506C

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 1eb54372ca6f326e78206fcd251960e38803e41c700b9bd8ae404d41ed582db4
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: F7012B722047059BE3218E55D85995AFFE8FBC5371F65051EE984932C0E6306809C774

Function 0054E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: d929fa189da14bc73dda6f967e1f828fc7c3e8532cfcf214278737a57574ff27
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: C4F0F932510A1196C7313A79AC1EBD73F9CBFD3339F110B16F825931D1CB7498058AA5

Function 00529CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00529CBD

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: daa1ec522d7e5d217855691e78f7439a1b365263ee3c5ae7c9657e0e4f3ea7de
Instruction ID: 06759249058034a2b5399eec42fafab0c446d6a5ab107900c5dddd42fc4c124f
Opcode Fuzzy Hash: daa1ec522d7e5d217855691e78f7439a1b365263ee3c5ae7c9657e0e4f3ea7de
Instruction Fuzzy Hash: 88F0C8B36006116ED7149F29D80ABA7BF98FF84760F10852AF619CB2D1DB31E5109BA0

Function 00554C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00521129,00000000,?,00552E29,00000001,00000364,?,?,?,0054F2DE,00553863,005F1444,?,0053FDF5,?), ref: 00554CBE

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e81dedb40f859857c452c60578f03ee2fea4f20601f4b2de2a5c4d563e25ad97
Instruction ID: a57a0eb50cbf30d3968c749f5a4e65d40bf26bb0a55df9671e7d2d3275698b26
Opcode Fuzzy Hash: e81dedb40f859857c452c60578f03ee2fea4f20601f4b2de2a5c4d563e25ad97
Instruction Fuzzy Hash: 88F0E93161622567DB215F769C19B9A3F88BFD17AEB144123BC15E7281CA70DC489EE0

Function 00553820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,005F1444,?,0053FDF5,?,?,0052A976,00000010,005F1440,005213FC,?,005213C6,?,00521129), ref: 00553852

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f7e92245e35af8116e65b7d556f6d8d3b6508f285aebe6560c9d2fcbb060215e
Instruction ID: 864618f5f8f1b19b81483d5689b5d00bd280df64d24e29d3528ed98c749f8b0c
Opcode Fuzzy Hash: f7e92245e35af8116e65b7d556f6d8d3b6508f285aebe6560c9d2fcbb060215e
Instruction Fuzzy Hash: FDE0E531102225A6D73526769C24BDA3E48BB827F6F050123BC1CA3580CB51DD0986E1

Function 00524F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,005F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00524F6D

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: beff238a291541083ff9051fc231f2fab32f50e972baebd35441161981a21578
Instruction ID: 65124cd8997748f8e44e6e97020e4ab3193f975df4e97e38ca37e9fbf17ec8df
Opcode Fuzzy Hash: beff238a291541083ff9051fc231f2fab32f50e972baebd35441161981a21578
Instruction Fuzzy Hash: 29F03071105762CFDB349F64E594812BFE4FF553197108D7EE1EA82651C7319844DF10

Function 00522DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00522DC4

Part of subcall function 00526B57: _wcslen.LIBCMT ref: 00526B6A

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 516b7a5c161ae9f672d38edc0643d4eddc8744e3c879c5a736771451fb957513
Instruction ID: 9271567be64fdd4b46b4f5eea9e0c09fefbefeef6a109bb2c2c656bfb2914076
Opcode Fuzzy Hash: 516b7a5c161ae9f672d38edc0643d4eddc8744e3c879c5a736771451fb957513
Instruction Fuzzy Hash: 8BE0CD766001245BC7209258DC09FEABBDDEFC8790F040171FD49D7248D960AD848554

Function 00592693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 005926B5

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 2b53e34e73eb6af1289c7f12f3c780b40377616c56aebbe5bffa126ca075ce41
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 16E048B06097005FDF395E28E8517F67BE4AF49300F10045EF69F92652E5726845864D

Function 00522B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00523837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00523908

Part of subcall function 0052D730: GetInputState.USER32 ref: 0052D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00522B6B

Part of subcall function 005230F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0052314E

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 2ae62c85ceab10a9db33ec406a18fa48e65ce6528db43ce84fcb11bcec50dad6
Instruction ID: 6f672225d0d469cb57b14b417b7ee7600d7ef2fb15a8184fdb04c045e284b9da
Opcode Fuzzy Hash: 2ae62c85ceab10a9db33ec406a18fa48e65ce6528db43ce84fcb11bcec50dad6
Instruction Fuzzy Hash: 7DE0262130022A02CB08BB34B81E5BDAF99FFE3351F40053EF142831E2CE2D46498261

Function 0056039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00560704,?,?,00000000,?,00560704,00000000,0000000C), ref: 005603B7

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 328031fb24ecfd9e6dd6d26c144e67db2df1e4a2dee0fdab891d2dd26d3b0dd2
Instruction ID: 6e2fc4586c862c9532894bc04ea94dfe61e5ebdc99610de2b9bf650625aa78d9
Opcode Fuzzy Hash: 328031fb24ecfd9e6dd6d26c144e67db2df1e4a2dee0fdab891d2dd26d3b0dd2
Instruction Fuzzy Hash: 0AD06C3204010DBBDF028F84DD06EDA3FAAFB48714F014100BE1866020C732E821EB94

Function 00521CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00521CBC

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: c9ac89450a85772bd694e50039e24bac42d50e94cd46ffee9f53bff597319c5e
Instruction ID: 0497e169268d9c5bc48108bc674d0615fe4c133f5ae5c2e8461cf896320716fb
Opcode Fuzzy Hash: c9ac89450a85772bd694e50039e24bac42d50e94cd46ffee9f53bff597319c5e
Instruction Fuzzy Hash: E8C09236280705EFF2248B80BC4AF207B65A368B01F048401F609E95E3C3A62828FA68

Function 010D32B0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 010D32C1

Memory Dump Source

Source File: 00000000.00000002.1356932515.00000000010D1000.00000040.00000020.00020000.00000000.sdmp, Offset: 010D1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d1000_zAK7HHniGW.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 5c89a044f960a082b4a11f4fa5b5ff5d940909ad20891b00ffeb2626baf502da
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 13E0BF7494020D9FDB00EFA4D5496AE7BB4EF04301F100161FD0192281D63099508A62

Non-executed Functions

Function 005B9576 Relevance: 75.9, APIs: 39, Strings: 4, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00539BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00539BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 005B961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005B965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 005B969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005B96C9
SendMessageW.USER32 ref: 005B96F2
GetKeyState.USER32(00000011), ref: 005B978B
GetKeyState.USER32(00000009), ref: 005B9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005B97AE
GetKeyState.USER32(00000010), ref: 005B97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005B97E9
SendMessageW.USER32 ref: 005B9810
SendMessageW.USER32(?,00001030,?,005B7E95), ref: 005B9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 005B992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 005B9941
SetCapture.USER32(?), ref: 005B994A
ClientToScreen.USER32(?,?), ref: 005B99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 005B99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005B99D6
ReleaseCapture.USER32 ref: 005B99E1
GetCursorPos.USER32(?), ref: 005B9A19
ScreenToClient.USER32(?,?), ref: 005B9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 005B9A80
SendMessageW.USER32 ref: 005B9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 005B9AEB
SendMessageW.USER32 ref: 005B9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 005B9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 005B9B4A
GetCursorPos.USER32(?), ref: 005B9B68
ScreenToClient.USER32(?,?), ref: 005B9B75
GetParent.USER32(?), ref: 005B9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 005B9BFA
SendMessageW.USER32 ref: 005B9C2B
ClientToScreen.USER32(?,?), ref: 005B9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 005B9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 005B9CDE
SendMessageW.USER32 ref: 005B9D01
ClientToScreen.USER32(?,?), ref: 005B9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 005B9D82

Part of subcall function 00539944: GetWindowLongW.USER32(?,000000EB), ref: 00539952

GetWindowLongW.USER32(?,000000F0), ref: 005B9E05

Strings

p#_, xrefs: 005B9990
@U=u, xrefs: 005B965B, 005B96C9, 005B96F2, 005B97AE, 005B97E9, 005B9810, 005B9918, 005B9A80, 005B9AAE, 005B9AEB, 005B9B1A, 005B9BFA, 005B9C2B, 005B9CDE, 005B9D01
F, xrefs: 005B9D07
@GUI_DRAGID, xrefs: 005B997D

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$@U=u$F$p#_
API String ID: 3429851547-2323773707
Opcode ID: 495fd2d7ec37ca7018cbefe0a2b62c96ed0bc83e8870f5885ba7e89b9905ee21
Instruction ID: 6da1d4e0db5b129cc2b62ca8c70c3d887d685a343fe15627a0c02d93de4b809e
Opcode Fuzzy Hash: 495fd2d7ec37ca7018cbefe0a2b62c96ed0bc83e8870f5885ba7e89b9905ee21
Instruction Fuzzy Hash: 75428A74204241AFDB24CF28CC48EEABFE5FF99310F104A19F6998B2A1D771E854DB95

Function 005B4873 Relevance: 61.8, APIs: 33, Strings: 2, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 005B48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 005B4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 005B4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 005B494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 005B495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 005B497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 005B49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 005B49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 005B4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 005B4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 005B4A7E
IsMenu.USER32(?), ref: 005B4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005B4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005B4B20
GetWindowLongW.USER32(?,000000F0), ref: 005B4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 005B4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 005B4C82
wsprintfW.USER32 ref: 005B4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005B4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 005B4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 005B4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005B4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 005B4D5A

Strings

%d/%02d/%02d, xrefs: 005B4CA8
@U=u, xrefs: 005B48F3, 005B4908, 005B495C, 005B4A0F, 005B4A56, 005B4A7E, 005B4BE3, 005B4C82, 005B4CC9, 005B4D13, 005B4D33, 005B4E15, 005B4E4E, 005B4EA5, 005B4F10

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d$@U=u
API String ID: 4054740463-2764005415
Opcode ID: 4d80807cbcd854f1c60216b1cdea1f2c642c4c48673718b4a39554a993655ea7
Instruction ID: b5cb88d7b07e72fa77dfffb43c51e24a43c82a7cc0778e78b42534eb4a01354e
Opcode Fuzzy Hash: 4d80807cbcd854f1c60216b1cdea1f2c642c4c48673718b4a39554a993655ea7
Instruction Fuzzy Hash: 0312AB71600215ABEB358F28CC49FEE7FB8BB89710F104629F515EB2A2DB74A941DF50

Function 0053F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0053F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0057F474
IsIconic.USER32(00000000), ref: 0057F47D
ShowWindow.USER32(00000000,00000009), ref: 0057F48A
SetForegroundWindow.USER32(00000000), ref: 0057F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0057F4AA
GetCurrentThreadId.KERNEL32 ref: 0057F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0057F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0057F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0057F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0057F4DE
SetForegroundWindow.USER32(00000000), ref: 0057F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0057F4F6
keybd_event.USER32(00000012,00000000), ref: 0057F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0057F50B
keybd_event.USER32(00000012,00000000), ref: 0057F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0057F519
keybd_event.USER32(00000012,00000000), ref: 0057F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0057F528
keybd_event.USER32(00000012,00000000), ref: 0057F52D
SetForegroundWindow.USER32(00000000), ref: 0057F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0057F557

Strings

Shell_TrayWnd, xrefs: 0057F46F

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 0a88840bf934210bea556772d66933e28a59d85e62c2be4c08b19369fe26fe7b
Instruction ID: 545ea03317160cd78e1d03d212a2c687e89aee1d4e2b437e35d6af5f81e81896
Opcode Fuzzy Hash: 0a88840bf934210bea556772d66933e28a59d85e62c2be4c08b19369fe26fe7b
Instruction Fuzzy Hash: E2315E71A40218BBEB306BB59C4AFBF7E6CFB44B50F104566FA05E61D1C6B16900BBA4

Function 00581201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 005816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0058170D
Part of subcall function 005816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0058173A
Part of subcall function 005816C3: GetLastError.KERNEL32 ref: 0058174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00581286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 005812A8
CloseHandle.KERNEL32(?), ref: 005812B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005812D1
GetProcessWindowStation.USER32 ref: 005812EA
SetProcessWindowStation.USER32(00000000), ref: 005812F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00581310

Part of subcall function 005810BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005811FC), ref: 005810D4
Part of subcall function 005810BF: CloseHandle.KERNEL32(?,?,005811FC), ref: 005810E9

Strings

default, xrefs: 0058130B
, xrefs: 0058125A
Z^, xrefs: 00581392
winsta0, xrefs: 005812CC

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z^
API String ID: 22674027-2132372335
Opcode ID: 24a2dca6c8b078aa33352562ef07ed5c69bc3774262f4e4d04c29395b2f8412f
Instruction ID: 68d6611442a914855e753c09eb0c833a750ada386097badd27f28c19f665d650
Opcode Fuzzy Hash: 24a2dca6c8b078aa33352562ef07ed5c69bc3774262f4e4d04c29395b2f8412f
Instruction Fuzzy Hash: 5A816871900609ABDF21AFA8DC49BEE7FBDFF04704F144129F911B61A0D731994ADB28

Function 00580B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00581114
Part of subcall function 005810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00580B9B,?,?,?), ref: 00581120
Part of subcall function 005810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00580B9B,?,?,?), ref: 0058112F
Part of subcall function 005810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00580B9B,?,?,?), ref: 00581136
Part of subcall function 005810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0058114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00580BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00580C00
GetLengthSid.ADVAPI32(?), ref: 00580C17
GetAce.ADVAPI32(?,00000000,?), ref: 00580C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00580C6D
GetLengthSid.ADVAPI32(?), ref: 00580C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00580C8C
HeapAlloc.KERNEL32(00000000), ref: 00580C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00580CB4
CopySid.ADVAPI32(00000000), ref: 00580CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00580CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00580D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00580D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00580D45
HeapFree.KERNEL32(00000000), ref: 00580D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00580D55
HeapFree.KERNEL32(00000000), ref: 00580D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00580D65
HeapFree.KERNEL32(00000000), ref: 00580D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00580D78
HeapFree.KERNEL32(00000000), ref: 00580D7F

Part of subcall function 00581193: GetProcessHeap.KERNEL32(00000008,00580BB1,?,00000000,?,00580BB1,?), ref: 005811A1
Part of subcall function 00581193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00580BB1,?), ref: 005811A8
Part of subcall function 00581193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00580BB1,?), ref: 005811B7

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: bc6ce303de2d6f3164f7f1b3cd133b26cf5c51c98dbe763e854a3c46b60700d9
Instruction ID: edc451d756cff16e0493f2b45485bd68df5291f9edb96c381f35358683b411d2
Opcode Fuzzy Hash: bc6ce303de2d6f3164f7f1b3cd133b26cf5c51c98dbe763e854a3c46b60700d9
Instruction Fuzzy Hash: BA716A7290120AAFDF90EFA4DC49BAEBFB8BF14300F045615E914B7191D771AA09CB60

Function 0059EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(005BCC08), ref: 0059EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0059EB37
GetClipboardData.USER32(0000000D), ref: 0059EB43
CloseClipboard.USER32 ref: 0059EB4F
GlobalLock.KERNEL32(00000000), ref: 0059EB87
CloseClipboard.USER32 ref: 0059EB91
GlobalUnlock.KERNEL32(00000000), ref: 0059EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0059EBC9
GetClipboardData.USER32(00000001), ref: 0059EBD1
GlobalLock.KERNEL32(00000000), ref: 0059EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0059EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0059EC38
GetClipboardData.USER32(0000000F), ref: 0059EC44
GlobalLock.KERNEL32(00000000), ref: 0059EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0059EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0059EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0059ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0059ECF3
CountClipboardFormats.USER32 ref: 0059ED14
CloseClipboard.USER32 ref: 0059ED59

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 7662738c4fd72e333c60e0ccc0d203bb1e9944b4ec35660c65cd02a371520b9b
Instruction ID: 9eaf41846e94f1fc2f49d82ff86d34a4d4142165beaf2efd7ac8e30d8d3b3eeb
Opcode Fuzzy Hash: 7662738c4fd72e333c60e0ccc0d203bb1e9944b4ec35660c65cd02a371520b9b
Instruction Fuzzy Hash: CF61BE352043029FD700EF24D88AF6ABFA4BF95714F14451DF496972A2DB31ED09DB62

Function 0059698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005969BE
FindClose.KERNEL32(00000000), ref: 00596A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00596A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00596A75

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00596AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00596ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00596B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00596B32
%4d, xrefs: 00596BB1
%02d, xrefs: 00596C00, 00596C0A, 00596C5A, 00596CAA, 00596CFA, 00596D4A
%03d, xrefs: 00596DA2

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 048d148740135fc628fdcadb5bbb90a6305888a140ae4b305e4f4e25a0772db9
Instruction ID: 29ac4727a0f8fab831061985fad2cc4444ceb91cd89122689e8b13ac4405090c
Opcode Fuzzy Hash: 048d148740135fc628fdcadb5bbb90a6305888a140ae4b305e4f4e25a0772db9
Instruction Fuzzy Hash: 50D180B1508311AFC700EBA0D995EAFBBECBF99704F04491DF585D6291EB34DA48CB62

Function 00599642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00599663
GetFileAttributesW.KERNEL32(?), ref: 005996A1
SetFileAttributesW.KERNEL32(?,?), ref: 005996BB
FindNextFileW.KERNEL32(00000000,?), ref: 005996D3
FindClose.KERNEL32(00000000), ref: 005996DE
FindFirstFileW.KERNEL32(*.*,?), ref: 005996FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0059974A
SetCurrentDirectoryW.KERNEL32(005E6B7C), ref: 00599768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00599772
FindClose.KERNEL32(00000000), ref: 0059977F
FindClose.KERNEL32(00000000), ref: 0059978F

Strings

*.*, xrefs: 005996F5

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 63e366f655f45f968fbae92762528caf73ec37d70a280091f24079076c5d3a1e
Instruction ID: af71b93bda00d47972544d39ccb87588ac4b27329449e2350c428fe9611483e6
Opcode Fuzzy Hash: 63e366f655f45f968fbae92762528caf73ec37d70a280091f24079076c5d3a1e
Instruction Fuzzy Hash: 1831E23650021A6BCF14AFF9DC48ADE7FACFF5A360F14425AF955E2090EB30ED448A24

Function 0059979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 005997BE
FindNextFileW.KERNEL32(00000000,?), ref: 00599819
FindClose.KERNEL32(00000000), ref: 00599824
FindFirstFileW.KERNEL32(*.*,?), ref: 00599840
SetCurrentDirectoryW.KERNEL32(?), ref: 00599890
SetCurrentDirectoryW.KERNEL32(005E6B7C), ref: 005998AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 005998B8
FindClose.KERNEL32(00000000), ref: 005998C5
FindClose.KERNEL32(00000000), ref: 005998D5

Part of subcall function 0058DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0058DB00

Strings

*.*, xrefs: 0059983B

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: f43254dec2c82d959895a90e7a2187c7580acdc95b2315ab26ac06295ff1b3b7
Instruction ID: e52e81020d35964c24cf348f659a5b58c794adf6f46334c64e07920b3cc608a2
Opcode Fuzzy Hash: f43254dec2c82d959895a90e7a2187c7580acdc95b2315ab26ac06295ff1b3b7
Instruction Fuzzy Hash: E631F63250061A6BDF14EFB9DC48ADE7FACBF46360F14415DE850A2090EB70ED45CA64

Function 00598195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00598257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00598267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00598273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00598310
SetCurrentDirectoryW.KERNEL32(?), ref: 00598324
SetCurrentDirectoryW.KERNEL32(?), ref: 00598356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0059838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00598395

Strings

*.*, xrefs: 0059839B

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: bec181b856445a9e1d3178571238d748e983cabcfd10a5dd346152dfd1368d40
Instruction ID: 5809cb3e346dc20208f9be8b163a43a1eb8a423dbd4896b057b25540af12e868
Opcode Fuzzy Hash: bec181b856445a9e1d3178571238d748e983cabcfd10a5dd346152dfd1368d40
Instruction Fuzzy Hash: 98616B765043069FCB10EF60D8459AEBBE8FF8A314F04491DF989D7251EB31E949CB92

Function 0058D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00523AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00523A97,?,?,00522E7F,?,?,?,00000000), ref: 00523AC2

Part of subcall function 0058E199: GetFileAttributesW.KERNEL32(?,0058CF95), ref: 0058E19A

FindFirstFileW.KERNEL32(?,?), ref: 0058D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0058D1DD
MoveFileW.KERNEL32(?,?), ref: 0058D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0058D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0058D237

Part of subcall function 0058D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0058D21C,?,?), ref: 0058D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0058D253
FindClose.KERNEL32(00000000), ref: 0058D264

Strings

\*.*, xrefs: 0058D0CD, 0058D0D6, 0058D0EB

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 9c42aafaae3bfb16408341cba04a33cdc5f93a0bf3ffb155929c8946092741f4
Instruction ID: d369d980a58f60ed01cf38416a8947b8dd08ba550a1696f697079b6741279e82
Opcode Fuzzy Hash: 9c42aafaae3bfb16408341cba04a33cdc5f93a0bf3ffb155929c8946092741f4
Instruction Fuzzy Hash: 9A61383580111EAACF05FBA0E99A9EDBFB5BF96300F244165E802771D1EB316F09DB60

Function 0059ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0059ED91
EmptyClipboard.USER32 ref: 0059ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0059EDAC
CloseClipboard.USER32 ref: 0059EEA3

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 1cc71ea80e882ab6753e5540dd050e8509ec5e23ecba95f6e1b7c338ede9f4cb
Instruction ID: 747540d70e86a058ab9fe120284dd42ea2bdc44da4696c154228fbf674e0f511
Opcode Fuzzy Hash: 1cc71ea80e882ab6753e5540dd050e8509ec5e23ecba95f6e1b7c338ede9f4cb
Instruction Fuzzy Hash: 7141AB35204612AFEB20CF19E88AF1ABFA5FF55328F148599E4158B6A2C735FC41CB90

Function 0058E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 005816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0058170D
Part of subcall function 005816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0058173A
Part of subcall function 005816C3: GetLastError.KERNEL32 ref: 0058174A

ExitWindowsEx.USER32(?,00000000), ref: 0058E932

Strings

SeShutdownPrivilege, xrefs: 0058E902
, xrefs: 0058E920
@, xrefs: 0058E925
, xrefs: 0058E95C

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: ebab04642497bfd48653ed06db6407227cf915a627293f090f30111a15866061
Instruction ID: 5524edb452c36f95e3b8618e51ffe52dad80dbc3467d789680e6fa254d31fb53
Opcode Fuzzy Hash: ebab04642497bfd48653ed06db6407227cf915a627293f090f30111a15866061
Instruction Fuzzy Hash: 0B01F232610211ABEB6432B49C8BBBB7A6CB714750F140921FC02F21E2D6E0AC4493A4

Function 005A1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 005A1276
WSAGetLastError.WSOCK32 ref: 005A1283
bind.WSOCK32(00000000,?,00000010), ref: 005A12BA
WSAGetLastError.WSOCK32 ref: 005A12C5
closesocket.WSOCK32(00000000), ref: 005A12F4
listen.WSOCK32(00000000,00000005), ref: 005A1303
WSAGetLastError.WSOCK32 ref: 005A130D
closesocket.WSOCK32(00000000), ref: 005A133C

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 854b87973d0db3c7b0c666c80cad9025267c2c14b73f0b3b6f599e138b0ae0c0
Instruction ID: dd42b26c3beceaf0551757666b2d5c20a227711a2bd6c8a6ee33f56b47d88c5f
Opcode Fuzzy Hash: 854b87973d0db3c7b0c666c80cad9025267c2c14b73f0b3b6f599e138b0ae0c0
Instruction Fuzzy Hash: 0B41AE35A005119FD710DF24D488B2ABFE6BF86318F188188E8568F2D2C771EC85CBE4

Function 0055B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0055B9D4
_free.LIBCMT ref: 0055B9F8
_free.LIBCMT ref: 0055BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,005C3700), ref: 0055BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,005F121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0055BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,005F1270,000000FF,?,0000003F,00000000,?), ref: 0055BC36
_free.LIBCMT ref: 0055BD4B

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 8e24b83008a3a87a0469ad4d9afd655a32004a8bb6566613d7ab136028209326
Instruction ID: a40cb08f02d5552ac02949d56e81f551c5e0d5db5625509b394a1d174af381c9
Opcode Fuzzy Hash: 8e24b83008a3a87a0469ad4d9afd655a32004a8bb6566613d7ab136028209326
Instruction Fuzzy Hash: B8C12571904206AFEB209F69C869BAE7FB8FF81312F14459BEC94D7291E7308E49C750

Function 0058D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00523AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00523A97,?,?,00522E7F,?,?,?,00000000), ref: 00523AC2

Part of subcall function 0058E199: GetFileAttributesW.KERNEL32(?,0058CF95), ref: 0058E19A

FindFirstFileW.KERNEL32(?,?), ref: 0058D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0058D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0058D481
FindClose.KERNEL32(00000000), ref: 0058D498
FindClose.KERNEL32(00000000), ref: 0058D4A1

Strings

\*.*, xrefs: 0058D3F2

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 54f357366184de507e68fb1280c809102e08015f0fdee7875c87e54b589d3ee3
Instruction ID: c144fac0c53bb3324955f3ed78560de4d8225061c92a60f1b6eb298547c50fa1
Opcode Fuzzy Hash: 54f357366184de507e68fb1280c809102e08015f0fdee7875c87e54b589d3ee3
Instruction Fuzzy Hash: 32315E710083569BC704EF64D8558AFBFE8BEE2310F444E1DF8D1521E1EB64AA0DDB62

Function 0055E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0055E645

Strings

1#SNAN, xrefs: 0055F844
1#QNAN, xrefs: 0055F84B
1#IND, xrefs: 0055F83D
1#INF, xrefs: 0055F852

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 270e82af8f719929ccff3af275010a6692b686473ea660f5a612bfbd9f0220e9
Instruction ID: 5b17fbd1502d3c2d0758b6ce0b22298ec9fd4794f34abb869d975b2c37799686
Opcode Fuzzy Hash: 270e82af8f719929ccff3af275010a6692b686473ea660f5a612bfbd9f0220e9
Instruction Fuzzy Hash: 00C25B71D046288FDB29CE28DD557EABBB5FB44306F1445EAD80DE7240E774AE898F40

Function 0059648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005964DC
CoInitialize.OLE32(00000000), ref: 00596639
CoCreateInstance.OLE32(005BFCF8,00000000,00000001,005BFB68,?), ref: 00596650
CoUninitialize.OLE32 ref: 005968D4

Strings

.lnk, xrefs: 005964BA, 00596524, 005965E0

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: e12acf114f3eeda71fec031f1334463b44f8a87fc400fb6d54aab82da69893d8
Instruction ID: 07d2931181623a4a3546ca39d2d6ab80cae032c17fc9a9e76a517a624b6592c2
Opcode Fuzzy Hash: e12acf114f3eeda71fec031f1334463b44f8a87fc400fb6d54aab82da69893d8
Instruction Fuzzy Hash: 25D14871508212AFC704EF24D89596BBBE8FFD9304F40496DF5958B2A1EB70ED09CB92

Function 005A22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 005A22E8

Part of subcall function 0059E4EC: GetWindowRect.USER32(?,?), ref: 0059E504

GetDesktopWindow.USER32 ref: 005A2312
GetWindowRect.USER32(00000000), ref: 005A2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 005A2355
GetCursorPos.USER32(?), ref: 005A2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 005A23DF

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: d4ad085e9259bee45e9b7a95f92969a825c6c45d36df401fcc60f7b3848d9465
Instruction ID: 82bb8c495bdf1294c51f8c7c8384fbbcaf6066222db11766094042bb8e10c88e
Opcode Fuzzy Hash: d4ad085e9259bee45e9b7a95f92969a825c6c45d36df401fcc60f7b3848d9465
Instruction Fuzzy Hash: 2B31D072504315AFCB20DF18C84AF5FBBA9FF86310F000A1AF985A7181DB34E908CB92

Function 00599B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00599B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00599C8B

Part of subcall function 00593874: GetInputState.USER32 ref: 005938CB
Part of subcall function 00593874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00593966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00599BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00599C75

Strings

*.*, xrefs: 00599B5D

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 32287fcc72507888d31ff9b2ee526c66897f64b7b6521deb9d083b0e1d62e4b5
Instruction ID: 23fc1e6aaf6a3758c0699e7d266a05eebcaa443a4f92c23cd45538de40f03fde
Opcode Fuzzy Hash: 32287fcc72507888d31ff9b2ee526c66897f64b7b6521deb9d083b0e1d62e4b5
Instruction Fuzzy Hash: 8B41817190420A9FCF54DF68DC89AEEBFB8FF55310F24455AE805A2191EB34AE44CF60

Function 0053997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00539BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00539BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00539A4E
GetSysColor.USER32(0000000F), ref: 00539B23
SetBkColor.GDI32(?,00000000), ref: 00539B36

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 3f200f1af817ad29d608863bfef4d436441d6ffef190891a1334b009263630f4
Instruction ID: d8c331868d1dae48e11aa02b5ac52ba979acd3f6e52fa5bdeae33f168400d2ad
Opcode Fuzzy Hash: 3f200f1af817ad29d608863bfef4d436441d6ffef190891a1334b009263630f4
Instruction Fuzzy Hash: 4DA13BF1108408EEE7299A3DAC9DEBB3F9DFBC6340F154709F102C6695CAA59D01E276

Function 005A1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005A304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 005A307A
Part of subcall function 005A304E: _wcslen.LIBCMT ref: 005A309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 005A185D
WSAGetLastError.WSOCK32 ref: 005A1884
bind.WSOCK32(00000000,?,00000010), ref: 005A18DB
WSAGetLastError.WSOCK32 ref: 005A18E6
closesocket.WSOCK32(00000000), ref: 005A1915

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 21e2cb04f8068c5c7ed881454dcbb1f84c6179bc4df259438e3a3e4cd8358b4c
Instruction ID: dbcd311a1f9bf064e5d79897a0cffc6a0edc89682c73e4d6452d029cb232ce47
Opcode Fuzzy Hash: 21e2cb04f8068c5c7ed881454dcbb1f84c6179bc4df259438e3a3e4cd8358b4c
Instruction Fuzzy Hash: C451A175A002119FDB10AF24D88AF2A7FE5BF8A718F148458F9065F3C3D775AD418BA1

Function 00528060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00565DF0
VUUU, xrefs: 005283E8
ERCP, xrefs: 0052813C
VUUU, xrefs: 0052843C
VUUU, xrefs: 005283FA

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 6a98c377d146df82b8d4df7b7aff2916d9be258315c13b6292e4d31a0dff60de
Instruction ID: f84189122a6814540795e612f435b201461c49c04e4ec39bed028e98e7eef327
Opcode Fuzzy Hash: 6a98c377d146df82b8d4df7b7aff2916d9be258315c13b6292e4d31a0dff60de
Instruction Fuzzy Hash: 8EA29F74E0162ACBDF24CF98D8847BDBBB1BF55310F2485AAD815A7385EB709D81CB90

Function 00588298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 005882AA

Strings

|, xrefs: 005882DA
(, xrefs: 005882F0
tb^, xrefs: 005884F4

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: lstrlen
String ID: ($tb^$|
API String ID: 1659193697-2919713065
Opcode ID: e6d7400c189849ddfaf701810f19d9e41bf96ca38df6767ac4cebee49bf29014
Instruction ID: a0e797eaacda442ed6052325d63aaedd7f8e3a6496b188f058efb54f25828086
Opcode Fuzzy Hash: e6d7400c189849ddfaf701810f19d9e41bf96ca38df6767ac4cebee49bf29014
Instruction Fuzzy Hash: 0B324874A00605DFC728DF59C48196ABBF0FF48710B55C96EE89AEB3A1EB70E941CB40

Function 005AA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 005AA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 005AA6BA

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

Process32NextW.KERNEL32(00000000,?), ref: 005AA79C
CloseHandle.KERNEL32(00000000), ref: 005AA7AB

Part of subcall function 0053CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00563303,?), ref: 0053CE8A

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 86ef72d2603c013e871e20742ef170a511c06f2894be2004148130529921355d
Instruction ID: 0884d86eb73eb2628b7b2bafda021028d55520ef7fe6417f3e489870932fa895
Opcode Fuzzy Hash: 86ef72d2603c013e871e20742ef170a511c06f2894be2004148130529921355d
Instruction Fuzzy Hash: 7A511A71508311AFD710DF24D88AA6BBBE8FFCA754F00492DF58597291EB30E904CB92

Function 0058AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0058AAAC
SetKeyboardState.USER32(00000080), ref: 0058AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0058AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0058AB88

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 4c2cecbf09c7c143cbce8c46db7861497f4dddb77986006488d93a9e904b09fa
Instruction ID: 97f2b8493bccd93bbecfee0a9e361739c94259280e9421e1c2df07416ad5a095
Opcode Fuzzy Hash: 4c2cecbf09c7c143cbce8c46db7861497f4dddb77986006488d93a9e904b09fa
Instruction Fuzzy Hash: 98312A30A40248AEFF35EB64CC05BFA7FAABB44311F04421BF881761D0D7759985D766

Function 0059CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0059CE89
GetLastError.KERNEL32(?,00000000), ref: 0059CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0059CEFE

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: f1f435286af6c1029a418b8a2f6e247a9d7f89d86160c67570c4f98a9300962d
Instruction ID: d93e32231076b748b17edfcdde169a9b4cf2e75910d84ba0c69b3bd540e6d73c
Opcode Fuzzy Hash: f1f435286af6c1029a418b8a2f6e247a9d7f89d86160c67570c4f98a9300962d
Instruction Fuzzy Hash: F521BAB1500705ABEB21CFA5C949BAABFFCFB50358F10482EE546D2151E770EE089B64

Function 00552622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0055271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00552724
UnhandledExceptionFilter.KERNEL32(?), ref: 00552731

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: c42933428ec6f2c9e7df692ca5197d86cee94bf5f74b978a3279f54ca43372f2
Instruction ID: 8ceaecbb6f986dff374f0e2de2b60d202fcfa249452cfd93569a063368636637
Opcode Fuzzy Hash: c42933428ec6f2c9e7df692ca5197d86cee94bf5f74b978a3279f54ca43372f2
Instruction Fuzzy Hash: 0931D5749112299BCB21DF64DC88BDCBBB8BF18310F5046EAE80CA7261E7309F858F45

Function 005951CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005951DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00595238
SetErrorMode.KERNEL32(00000000), ref: 005952A1

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: b692298865f49fbbdc4f2fe656fb316d2dded051229cf81c645c00ede65f5c04
Instruction ID: 5743c68438eb994fd05d7ec25d7dbb2178ce368ec922a2681aee6184727420f7
Opcode Fuzzy Hash: b692298865f49fbbdc4f2fe656fb316d2dded051229cf81c645c00ede65f5c04
Instruction Fuzzy Hash: 74313075A00519DFDB00DF54D888EADBFB4FF49314F088099E845AB392DB31E859CB90

Function 005816C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0053FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00540668
Part of subcall function 0053FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00540685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0058170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0058173A
GetLastError.KERNEL32 ref: 0058174A

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 3fde63756b0e981fae907f9d44ccdf3e5f7d7a0f826a17d4ebe1a374ecf91e95
Instruction ID: 48d4276cc81f6d741358fe1912d3e4c138c8983232b36b40f38fbdec5a5707d5
Opcode Fuzzy Hash: 3fde63756b0e981fae907f9d44ccdf3e5f7d7a0f826a17d4ebe1a374ecf91e95
Instruction Fuzzy Hash: 9F11C1B2800309AFD718AF54DC8AD6ABBBDFF44714B20852EF45697241EB70BC428B24

Function 0058D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0058D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0058D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0058D650

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 4128b3dc7e5946bbe2c4a266521215dd271ea2ce4da70d1edc817b32bdf82221
Instruction ID: 27463f5c8fbc0ca1a08e2e06f4f330540175e3de79a445e5130624630b9ae9cf
Opcode Fuzzy Hash: 4128b3dc7e5946bbe2c4a266521215dd271ea2ce4da70d1edc817b32bdf82221
Instruction Fuzzy Hash: C7117C75E05228BBDB108F99AC45FAFBFBCEB45B50F108121F904F7290D2705A058BA1

Function 00581663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0058168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005816A1
FreeSid.ADVAPI32(?), ref: 005816B1

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: f08ef81f01e0f30bb337a305e26c3cb086f34915cae8c865f3ebfd543075a2c9
Instruction ID: 099d2c6982bcc3866ab4280089988402ccc7ddd7bdec06c0a1820e77c7046214
Opcode Fuzzy Hash: f08ef81f01e0f30bb337a305e26c3cb086f34915cae8c865f3ebfd543075a2c9
Instruction Fuzzy Hash: B9F0F47195030DFBEB00EFE49D89AAEBBBCFB08604F504565E901E2181E774AA489B64

Function 00544CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(005528E9,?,00544CBE,005528E9,005E88B8,0000000C,00544E15,005528E9,00000002,00000000,?,005528E9), ref: 00544D09
TerminateProcess.KERNEL32(00000000,?,00544CBE,005528E9,005E88B8,0000000C,00544E15,005528E9,00000002,00000000,?,005528E9), ref: 00544D10
ExitProcess.KERNEL32 ref: 00544D22

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: d61d3f07d13f31ac19f38e5403948f44730ae360eff9e533d2c0b6c82957f600
Instruction ID: 09101f74300c55828b291a5f21ab734a84c00d91090503c4b86a725d308386d6
Opcode Fuzzy Hash: d61d3f07d13f31ac19f38e5403948f44730ae360eff9e533d2c0b6c82957f600
Instruction Fuzzy Hash: B1E0B631440149ABCF51AF54DD19A983FA9FB91785B504518FC099B122CB35ED46DE84

Function 0055C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0055C36C

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: ef6700fda639a1833ecb9d0a4a1751f329842f8bbd86ed6b443d93300a4b53aa
Instruction ID: f613d724deb936510384b32ae3f3c9b7f65dc76bd5745008ba0653026a241147
Opcode Fuzzy Hash: ef6700fda639a1833ecb9d0a4a1751f329842f8bbd86ed6b443d93300a4b53aa
Instruction Fuzzy Hash: FF412676500319AFCB209FB9CC59DAB7FB8FB84316F50466AFD05C7180E6709D858B50

Function 0057D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0057D28C

Strings

X64, xrefs: 0057D2A8

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 55a1f7998c889c0e145b9e44322e2e6ea59e07da1280ccb9978184d0d04acd94
Instruction ID: 5b79255bd5d54936a68d8db6b98bd36693e9f0e0e8edb3ba0820c96ecaa7ffd0
Opcode Fuzzy Hash: 55a1f7998c889c0e145b9e44322e2e6ea59e07da1280ccb9978184d0d04acd94
Instruction Fuzzy Hash: 09D0E9B581511DEBCB94DB90EC8CDDDBB7CBB14345F104656F506A2140DB7495499F20

Function 0054CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 298023b276c343e6f763899e538c1dcad4de91f1b049a0b49dd41e346fef65e3
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 73021B71E012199BDF54CFA9C8806EDBFF5FF88318F258169D919EB280D731AE418B94

Function 0052CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#_, xrefs: 0052CF7F
Variable is not of type 'Object'., xrefs: 00570C40

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#_
API String ID: 0-2852649800
Opcode ID: 7eece69babbd7c5fe8104ad57fe3ddbcd423295d8bfa063781d699b767dfba41
Instruction ID: c8c53c734ec7038e037ac80836c7239124f725786ebe372e8709ed901d0e41b7
Opcode Fuzzy Hash: 7eece69babbd7c5fe8104ad57fe3ddbcd423295d8bfa063781d699b767dfba41
Instruction Fuzzy Hash: AF32AE70900229DFCF14DF90E985AEDBFB9BF46304F108459E80AAB2C2D775AE45DB60

Function 005968EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00596918
FindClose.KERNEL32(00000000), ref: 00596961

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 469148834dc9382723bb107a2b0a79d65ce5fd70e5e413222562c87b2c6aebdc
Instruction ID: 1e2b4b947334c53d22e574b1acfe0486ab57cb3e893953f9b8730f2c6b14bb35
Opcode Fuzzy Hash: 469148834dc9382723bb107a2b0a79d65ce5fd70e5e413222562c87b2c6aebdc
Instruction Fuzzy Hash: E6118E356042119FCB10DF29D488A1ABFE5FF89328F14C699E4698F7A2C730EC09CB91

Function 005937B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,005A4891,?,?,00000035,?), ref: 005937E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,005A4891,?,?,00000035,?), ref: 005937F4

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 1c09cb82b15eb64d52c97a766180fe0aa921238f476d0dd4a1748807c7f3660c
Instruction ID: a8503a44258d9f25ea16e360f9448f30ba142f3f96d9bfd7ff77a2837039a0c1
Opcode Fuzzy Hash: 1c09cb82b15eb64d52c97a766180fe0aa921238f476d0dd4a1748807c7f3660c
Instruction Fuzzy Hash: 5BF0E5B06042296AEB6057A69C4DFEB7FAEFFC5761F000275F509E2291D9609E08C6B0

Function 0058B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0058B25D
keybd_event.USER32(?,753DC0D0,?,00000000), ref: 0058B270

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: d643928a2fcb8f3fb0b5b9965800665e0a90fba68f349bf03904f7e01c9825a7
Instruction ID: ee25af8331d9e113681f61b01e7ab82fccf6657bbdfd78a46aec236d44d9ad39
Opcode Fuzzy Hash: d643928a2fcb8f3fb0b5b9965800665e0a90fba68f349bf03904f7e01c9825a7
Instruction Fuzzy Hash: D9F06D7480424DABEB059FA0C805BEE7FB4FF04305F008009F951A5191C37992059F98

Function 005810BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005811FC), ref: 005810D4
CloseHandle.KERNEL32(?,?,005811FC), ref: 005810E9

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 2b7439b1b7a542e32705d8f136a697b1f45989b58f9ba93e5adc88e6de1fa866
Instruction ID: 624df70db57487e106c9027de9d5d1f343f993363273f19fe3e389bd8d162fcf
Opcode Fuzzy Hash: 2b7439b1b7a542e32705d8f136a697b1f45989b58f9ba93e5adc88e6de1fa866
Instruction Fuzzy Hash: 4FE01A32408601AFE7652B11FC09E777BA9FB04310F10892DB4A5804B1DA626C90AB14

Function 0055676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00556766,?,?,00000008,?,?,0055FEFE,00000000), ref: 00556998

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: eb3fb4703aff2b4d2db4eab4be3c84e89942e350930c620dd26e3872dd276da1
Instruction ID: be0647259083dfc94fb39e1a660208a531e896f27706b15544469f9e19486d70
Opcode Fuzzy Hash: eb3fb4703aff2b4d2db4eab4be3c84e89942e350930c620dd26e3872dd276da1
Instruction Fuzzy Hash: 70B16931610648CFD714CF28C4AAB647FE0FF45366F698659E899CF2A2C335E989CB40

Function 0053B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0057851F

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 8d7092839258fdb065e7bc03a16b68e70d91003e84701a08c0ce4cc3c19d5db5
Instruction ID: a360b6c2368668ef327a14b7f3bea1a79f6ceda705ba80197359208c3035dae8
Opcode Fuzzy Hash: 8d7092839258fdb065e7bc03a16b68e70d91003e84701a08c0ce4cc3c19d5db5
Instruction Fuzzy Hash: F8127F759002299FDF24CF58D8846FEBBB5FF48310F14859AE949EB251EB309E81DB90

Function 0059EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0059EABD

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: cd5d9427e47f368023d2b7db4f1f3a20df8993fc76e5ea886ee1bd6a6ab761b2
Instruction ID: bd3c33d94cf1a79872435995327a240dc82bea7900af0011da493ee611484129
Opcode Fuzzy Hash: cd5d9427e47f368023d2b7db4f1f3a20df8993fc76e5ea886ee1bd6a6ab761b2
Instruction Fuzzy Hash: 9BE01A312002159FD710EF59E809E9ABFEDBF99760F048426FC49CB3A1DA70A8418BA0

Function 005409D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,005403EE), ref: 005409DA

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 72f1158fc07eb1971defa4271aa0591251f17acea7aeb70d35eb1b390729a938
Instruction ID: dc03e6309c38e32813b40e54b278447e0b8018a125b82aa77e8a720caa747d58
Opcode Fuzzy Hash: 72f1158fc07eb1971defa4271aa0591251f17acea7aeb70d35eb1b390729a938
Instruction Fuzzy Hash:

Function 0054781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0054798B

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 2982b3aee6f819efad9bb2ced9b726ebd9f251535f2dc336b059c0873ca29312
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: CF51787160C74E6BDB388568885E7FE2F99BB5E34CF180909D882D7282C715DE05D356

Function 00592046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&_, xrefs: 00592053

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID:
String ID: 0&_
API String ID: 0-3810587587
Opcode ID: 00f6d967899b69f22ba60262181f5b6c20b0547ce6a388906bb23abaa5f4fc89
Instruction ID: a00096c8e15a64b1a1d52556c034d31f393ad23b48284e4ac6825706b9206692
Opcode Fuzzy Hash: 00f6d967899b69f22ba60262181f5b6c20b0547ce6a388906bb23abaa5f4fc89
Instruction Fuzzy Hash: 7F21EB722605118BDB28CF79C81767E77E5B764310F14862EE4A7C33D0DE39A904D780

Function 00556DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0d06863634491cb1e68ba55b75149067cc82f3668aa753b43277aa332053c6e
Instruction ID: 2324f523a7959630fb1543e23f0de0fbc41daabcc3fecb5a793f4795f2207e23
Opcode Fuzzy Hash: a0d06863634491cb1e68ba55b75149067cc82f3668aa753b43277aa332053c6e
Instruction Fuzzy Hash: B5321231D29F054ED7239634D8323356A8DAFBB3C6F15D737E81AB59A6EB28C4875100

Function 0053CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3e9dd1a8b03e609aa2a575109a9db1c38f3760dbb4c7490d0898de98ab14caa
Instruction ID: 020ab6963242bbee3810b0a2cd9cc19c8f9d8f2c76e0d91ddc28d94e250b512c
Opcode Fuzzy Hash: b3e9dd1a8b03e609aa2a575109a9db1c38f3760dbb4c7490d0898de98ab14caa
Instruction Fuzzy Hash: 0232E431A001598BDF28CE29E4D467D7FA1FB45300F68C56ED8AEAB691D630DD82FB41

Function 00527920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c98139c68aeaa94cbc4733870a5c26eaeb3a91a4146e9b4c4c43989419030c0b
Instruction ID: 2812b4b42a969531758c32d3af9f759225ddacead881b4b2cc9c16f4c7f91df1
Opcode Fuzzy Hash: c98139c68aeaa94cbc4733870a5c26eaeb3a91a4146e9b4c4c43989419030c0b
Instruction Fuzzy Hash: 8122C170A0061ADFDF14CF64D885AAEBBF5FF49300F244929E816AB291FB35AD54CB50

Function 005291C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7367dd3caa1cd0b397a637dd44544bb763e356029ca023c8cfcb2241a165f9d7
Instruction ID: 2f13ac7c6ac00a0b3265dbebec7ca7a1eebfd413d83c7a0c415e2f4537489168
Opcode Fuzzy Hash: 7367dd3caa1cd0b397a637dd44544bb763e356029ca023c8cfcb2241a165f9d7
Instruction Fuzzy Hash: 2E02C8B4E00216EFDB04DF54D886AAEBFB5FF54304F108569E8069B391EB319E24DB91

Function 005419B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: f234e420d3a8d22b7616f7688606ab7f66d903221a0966cd85f68b69992e8d80
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 9C9156722098E34ADB2D467A85740BDFFE1AA923A931E079DD4F2CB1C1FE24C5D4D624

Function 00547A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d567c7d8081fdac1fe5f29c6e0ea78303345414c79f9ae39e4341439262b465
Instruction ID: 7fb82730e0bdb3e39c6da4c8e6a99491298fe8288bae887b1373956e7315f270
Opcode Fuzzy Hash: 9d567c7d8081fdac1fe5f29c6e0ea78303345414c79f9ae39e4341439262b465
Instruction Fuzzy Hash: D2617A71208B4E56DE389A288C99BFE3F94FF8D70CF140D19E982DB281E7119E42C355

Function 00541706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 56a562c5ed29c650a1cbe5b54aa76d3862873eb88f84cb65d8c2c598331fde4e
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 6F8185326084E349DB6D423A85340BEFFE1BA923A931A079DD4F2CB1C1FE24C594E624

Function 005A2ADE Relevance: 79.2, APIs: 40, Strings: 5, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 005A2B30
DeleteObject.GDI32(00000000), ref: 005A2B43
DestroyWindow.USER32 ref: 005A2B52
GetDesktopWindow.USER32 ref: 005A2B6D
GetWindowRect.USER32(00000000), ref: 005A2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 005A2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 005A2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005A2CF8
GetClientRect.USER32(00000000,?), ref: 005A2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 005A2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005A2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005A2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005A2D80
GlobalLock.KERNEL32(00000000), ref: 005A2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005A2D98
GlobalUnlock.KERNEL32(00000000), ref: 005A2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005A2DA8
GlobalFree.KERNEL32(00000000), ref: 005A2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005A2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,005BFC38,00000000), ref: 005A2DDB
GlobalFree.KERNEL32(00000000), ref: 005A2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 005A2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 005A2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005A2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005A303F

Strings

DISPLAY, xrefs: 005A2EA2
, xrefs: 005A2FC5
@U=u, xrefs: 005A2E30, 005A2FBF
AutoIt v3, xrefs: 005A2CF2
static, xrefs: 005A2D3A, 005A2E91

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $@U=u$AutoIt v3$DISPLAY$static
API String ID: 2211948467-3613752883
Opcode ID: ce2162083dfa7dc74e2bd0e2034ca7a43e71eead069cf4dc82d25ab8ca4a1458
Instruction ID: 2c3951be3dd0f21bc57b104fc96809edb3c23ace9ad10c020b00858bcd6c1ccb
Opcode Fuzzy Hash: ce2162083dfa7dc74e2bd0e2034ca7a43e71eead069cf4dc82d25ab8ca4a1458
Instruction Fuzzy Hash: D8027C71A00219AFDB14DF68CC89EAE7FB9FF49310F008558F915AB2A1DB34AD05DB64

Function 005B70D5 Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 005B712F
GetSysColorBrush.USER32(0000000F), ref: 005B7160
GetSysColor.USER32(0000000F), ref: 005B716C
SetBkColor.GDI32(?,000000FF), ref: 005B7186
SelectObject.GDI32(?,?), ref: 005B7195
InflateRect.USER32(?,000000FF,000000FF), ref: 005B71C0
GetSysColor.USER32(00000010), ref: 005B71C8
CreateSolidBrush.GDI32(00000000), ref: 005B71CF
FrameRect.USER32(?,?,00000000), ref: 005B71DE
DeleteObject.GDI32(00000000), ref: 005B71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 005B7230
FillRect.USER32(?,?,?), ref: 005B7262
GetWindowLongW.USER32(?,000000F0), ref: 005B7284

Part of subcall function 005B73E8: GetSysColor.USER32(00000012), ref: 005B7421
Part of subcall function 005B73E8: SetTextColor.GDI32(?,?), ref: 005B7425
Part of subcall function 005B73E8: GetSysColorBrush.USER32(0000000F), ref: 005B743B
Part of subcall function 005B73E8: GetSysColor.USER32(0000000F), ref: 005B7446
Part of subcall function 005B73E8: GetSysColor.USER32(00000011), ref: 005B7463
Part of subcall function 005B73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 005B7471
Part of subcall function 005B73E8: SelectObject.GDI32(?,00000000), ref: 005B7482
Part of subcall function 005B73E8: SetBkColor.GDI32(?,00000000), ref: 005B748B
Part of subcall function 005B73E8: SelectObject.GDI32(?,?), ref: 005B7498
Part of subcall function 005B73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 005B74B7
Part of subcall function 005B73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005B74CE
Part of subcall function 005B73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 005B74DB

Strings

@U=u, xrefs: 005B72CC

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID: @U=u
API String ID: 4124339563-2594219639
Opcode ID: f5d138d0bcfa7f3f59599f9238a249ac0a7f2c8468d6f950ccdf60a9b494cb0f
Instruction ID: dfd72859a4bc2c3b87a1a0bc421368f5ba2c8d214a1fb85b0df507dc4ec7d098
Opcode Fuzzy Hash: f5d138d0bcfa7f3f59599f9238a249ac0a7f2c8468d6f950ccdf60a9b494cb0f
Instruction Fuzzy Hash: CCA1A172008305AFD7509F64DC48E9BBFA9FB98320F100B19F9A2A61E1D771F948DB65

Function 00538D85 Relevance: 49.5, APIs: 26, Strings: 2, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00538E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00576AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00576AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00576F43

Part of subcall function 00538F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00538BE8,?,00000000,?,?,?,?,00538BBA,00000000,?), ref: 00538FC5

SendMessageW.USER32(?,00001053), ref: 00576F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00576F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00576FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00576FB7

Strings

@U=u, xrefs: 00576AC5, 00576BD6, 00576EBF
0, xrefs: 00576DCF

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0$@U=u
API String ID: 2760611726-975001249
Opcode ID: 2e4e11202a0610b3d9dfa06ff83f12cb7a67f4e62f8888e28e9331c38feae646
Instruction ID: a100b8b35626c8abdc515f5f8d1d942347ff85499ed88f18adc301eda9e6295d
Opcode Fuzzy Hash: 2e4e11202a0610b3d9dfa06ff83f12cb7a67f4e62f8888e28e9331c38feae646
Instruction Fuzzy Hash: 1A129B30200A11DFDB29CF24E948BBABFA9FB55300F148569F489CB261CB71EC55EB95

Function 005A2711 Relevance: 47.6, APIs: 22, Strings: 5, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 005A273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 005A286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 005A28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 005A28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 005A2900
GetClientRect.USER32(00000000,?), ref: 005A290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 005A2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 005A2964
GetStockObject.GDI32(00000011), ref: 005A2974
SelectObject.GDI32(00000000,00000000), ref: 005A2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 005A2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005A2991
DeleteDC.GDI32(00000000), ref: 005A299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005A29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 005A29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 005A2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 005A2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 005A2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 005A2A77
GetStockObject.GDI32(00000011), ref: 005A2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 005A2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 005A2A97

Strings

DISPLAY, xrefs: 005A295A
msctls_progress32, xrefs: 005A2A13
@U=u, xrefs: 005A29CC
AutoIt v3, xrefs: 005A28F8
static, xrefs: 005A294F, 005A2A71

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-2771358697
Opcode ID: f0d54542eb1fe6ececb123009688fbac67c3ef93c0c6ca177e9d3cabf9e52eba
Instruction ID: a9973679f0b774082835b011bcb2cdfe62a60b78c1806c4bbf7af0b22bd321a8
Opcode Fuzzy Hash: f0d54542eb1fe6ececb123009688fbac67c3ef93c0c6ca177e9d3cabf9e52eba
Instruction Fuzzy Hash: E3B16A71A00219AFEB14DF68DC4AEAE7BA9FF59710F008614F915EB2D0D774AD04CBA4

Function 005B73E8 Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 005B7421
SetTextColor.GDI32(?,?), ref: 005B7425
GetSysColorBrush.USER32(0000000F), ref: 005B743B
GetSysColor.USER32(0000000F), ref: 005B7446
CreateSolidBrush.GDI32(?), ref: 005B744B
GetSysColor.USER32(00000011), ref: 005B7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 005B7471
SelectObject.GDI32(?,00000000), ref: 005B7482
SetBkColor.GDI32(?,00000000), ref: 005B748B
SelectObject.GDI32(?,?), ref: 005B7498
InflateRect.USER32(?,000000FF,000000FF), ref: 005B74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005B74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 005B74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005B752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 005B7554
InflateRect.USER32(?,000000FD,000000FD), ref: 005B7572
DrawFocusRect.USER32(?,?), ref: 005B757D
GetSysColor.USER32(00000011), ref: 005B758E
SetTextColor.GDI32(?,00000000), ref: 005B7596
DrawTextW.USER32(?,005B70F5,000000FF,?,00000000), ref: 005B75A8
SelectObject.GDI32(?,?), ref: 005B75BF
DeleteObject.GDI32(?), ref: 005B75CA
SelectObject.GDI32(?,?), ref: 005B75D0
DeleteObject.GDI32(?), ref: 005B75D5
SetTextColor.GDI32(?,?), ref: 005B75DB
SetBkColor.GDI32(?,?), ref: 005B75E5

Strings

@U=u, xrefs: 005B752A

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID: @U=u
API String ID: 1996641542-2594219639
Opcode ID: f372431e540242d8d2e270b9cbfbc818568998338eeb8bae645d852b446d54b4
Instruction ID: f076fec701beaeb5971547e490161bbb73e7f2a14006bea10f7103425d2497a9
Opcode Fuzzy Hash: f372431e540242d8d2e270b9cbfbc818568998338eeb8bae645d852b446d54b4
Instruction Fuzzy Hash: 62616C72904218AFDF119FA8DC49EEE7FB9FB48320F104615F911BB2A1D770A940DBA4

Function 00594ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00594AED
GetDriveTypeW.KERNEL32(?,005BCB68,?,\\.\,005BCC08), ref: 00594BCA
SetErrorMode.KERNEL32(00000000,005BCB68,?,\\.\,005BCC08), ref: 00594D36

Strings

RAID, xrefs: 00594CBB
PhysicalDrive, xrefs: 00594B76
Network, xrefs: 00594C02
Fibre, xrefs: 00594CAD
Virtual, xrefs: 00594CE5
\\.\, xrefs: 00594B3F
ATAPI, xrefs: 00594C91
RAMDisk, xrefs: 00594BF4
SSD, xrefs: 00594C4A
MMC, xrefs: 00594CDE
ATA, xrefs: 00594C98
iSCSI, xrefs: 00594CC2
SATA, xrefs: 00594CD0
CDROM, xrefs: 00594BFB
SSA, xrefs: 00594CA6
FileBackedVirtual, xrefs: 00594CEC
Removable, xrefs: 00594C10, 00594C15
1394, xrefs: 00594C9F
SAS, xrefs: 00594CC9
USB, xrefs: 00594CB4
Unknown, xrefs: 00594BED, 00594C83
Fixed, xrefs: 00594C09
SCSI, xrefs: 00594C8A

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 940770acb2d7ba15ea253477439b695e61321dcca51cf37cb56349e1ce71088d
Instruction ID: ba51c39b65af41576096fc1b75fb8ba0ddecda04127f5b6daa2c4f8ceb34e212
Opcode Fuzzy Hash: 940770acb2d7ba15ea253477439b695e61321dcca51cf37cb56349e1ce71088d
Instruction Fuzzy Hash: 2661BE3060524A9FCF08DF25CA86D6CBFA1BF59380B248865F846AB291DB31ED42DF51

Function 005B0241 Relevance: 37.1, APIs: 7, Strings: 14, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005B02E5
_wcslen.LIBCMT ref: 005B031F
_wcslen.LIBCMT ref: 005B0389
_wcslen.LIBCMT ref: 005B03F1
_wcslen.LIBCMT ref: 005B0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 005B04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 005B0504

Part of subcall function 0053F9F2: _wcslen.LIBCMT ref: 0053F9FD

Part of subcall function 0058223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00582258
Part of subcall function 0058223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0058228A

Strings

GETSUBITEMCOUNT, xrefs: 005B0384, 005B039F
DESELECT, xrefs: 005B059C
SELECT, xrefs: 005B0548
@U=u, xrefs: 005B04C5, 005B0504
VIEWCHANGE, xrefs: 005B0675
GETITEMCOUNT, xrefs: 005B0316, 005B0337
FINDITEM, xrefs: 005B0627
GETSELECTED, xrefs: 005B05E1
SELECTINVERT, xrefs: 005B057E
SELECTALL, xrefs: 005B0515
GETSELECTEDCOUNT, xrefs: 005B0470, 005B048B
SELECTCLEAR, xrefs: 005B052D
GETTEXT, xrefs: 005B03EC, 005B0407
ISSELECTED, xrefs: 005B04DD

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-1753161424
Opcode ID: fb46f4b8ab9c4159a0d278755d6fd90a6fc02be4de14406f6c90cd67c5109314
Instruction ID: 453b4f79a54f778cfb8f4a119d6963fdd0ad38851d1312f3720eafac3e959745
Opcode Fuzzy Hash: fb46f4b8ab9c4159a0d278755d6fd90a6fc02be4de14406f6c90cd67c5109314
Instruction Fuzzy Hash: B6E1AC312082129FCB14DF24C5559ABBBE6BFC8314F145A6CF896AB2E1DB30ED46CB51

Function 005B0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 005B1128
GetDesktopWindow.USER32 ref: 005B113D
GetWindowRect.USER32(00000000), ref: 005B1144
GetWindowLongW.USER32(?,000000F0), ref: 005B1199
DestroyWindow.USER32(?), ref: 005B11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 005B11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005B120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 005B121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 005B1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 005B1245
IsWindowVisible.USER32(00000000), ref: 005B12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 005B12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 005B12D0
GetWindowRect.USER32(00000000,?), ref: 005B12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 005B130E
GetMonitorInfoW.USER32(00000000,?), ref: 005B1328
CopyRect.USER32(?,?), ref: 005B133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 005B13AA

Strings

tooltips_class32, xrefs: 005B11E6
(, xrefs: 005B131B
0, xrefs: 005B10D3

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 693ae75bde8b9d26c01a42c394a4ff69b6364b28267722287aaddfb53d878005
Instruction ID: ad7a001b89a9d765bfe923ba2a374a46a8dea9575490f6de79989fb334cb6cf4
Opcode Fuzzy Hash: 693ae75bde8b9d26c01a42c394a4ff69b6364b28267722287aaddfb53d878005
Instruction Fuzzy Hash: 81B1AD71608751AFD740DF68C898BAABFE4FF89340F408918F9999B2A1D731E844CB95

Function 00538891 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00538968
GetSystemMetrics.USER32(00000007), ref: 00538970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0053899B
GetSystemMetrics.USER32(00000008), ref: 005389A3
GetSystemMetrics.USER32(00000004), ref: 005389C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 005389E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 005389F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00538A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00538A3C
GetClientRect.USER32(00000000,000000FF), ref: 00538A5A
GetStockObject.GDI32(00000011), ref: 00538A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00538A81

Part of subcall function 0053912D: GetCursorPos.USER32(?), ref: 00539141
Part of subcall function 0053912D: ScreenToClient.USER32(00000000,?), ref: 0053915E
Part of subcall function 0053912D: GetAsyncKeyState.USER32(00000001), ref: 00539183
Part of subcall function 0053912D: GetAsyncKeyState.USER32(00000002), ref: 0053919D

SetTimer.USER32(00000000,00000000,00000028,005390FC), ref: 00538AA8

Strings

AutoIt v3 GUI, xrefs: 00538A20
@U=u, xrefs: 00538A81

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: @U=u$AutoIt v3 GUI
API String ID: 1458621304-2077007950
Opcode ID: 543de467eccb167a4c5188602a36a71e6377b5b87223f7f54e2aed47ce3de151
Instruction ID: 352198b9ed8420b4fe11306c5ed09fcf0fd691a81a0fcf80c7ac2a617f4870c9
Opcode Fuzzy Hash: 543de467eccb167a4c5188602a36a71e6377b5b87223f7f54e2aed47ce3de151
Instruction Fuzzy Hash: 12B18A71A0020ADFDB18DFA8DD49BAA7FB4FB48314F104229FA15E7290DB74A804DB55

Function 00585A1B Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00585A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00585A40
SetWindowTextW.USER32(?,?), ref: 00585A57
GetDlgItem.USER32(?,000003EA), ref: 00585A6C
SetWindowTextW.USER32(00000000,?), ref: 00585A72
GetDlgItem.USER32(?,000003E9), ref: 00585A82
SetWindowTextW.USER32(00000000,?), ref: 00585A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00585AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00585AC3
GetWindowRect.USER32(?,?), ref: 00585ACC
_wcslen.LIBCMT ref: 00585B33
SetWindowTextW.USER32(?,?), ref: 00585B6F
GetDesktopWindow.USER32 ref: 00585B75
GetWindowRect.USER32(00000000), ref: 00585B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00585BD3
GetClientRect.USER32(?,?), ref: 00585BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00585C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00585C2F

Strings

@U=u, xrefs: 00585A40

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID: @U=u
API String ID: 895679908-2594219639
Opcode ID: cba2bc3cf96a9597907906456712a7b0e2c6aa41433c63d1751c0e17a26d23d9
Instruction ID: fd2cde1c786b715db5320a9a3a25d98738de1649978dd0d8de947eaf4eded576
Opcode Fuzzy Hash: cba2bc3cf96a9597907906456712a7b0e2c6aa41433c63d1751c0e17a26d23d9
Instruction Fuzzy Hash: 1E717E31900B05AFDB20EFA8CD85AAEBFF5FF58705F100A18E582B65A0E775A904CB14

Function 005B091E Relevance: 31.9, APIs: 6, Strings: 12, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005B09C6
_wcslen.LIBCMT ref: 005B0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005B0A54
_wcslen.LIBCMT ref: 005B0A8A
_wcslen.LIBCMT ref: 005B0B06
_wcslen.LIBCMT ref: 005B0B81

Part of subcall function 0053F9F2: _wcslen.LIBCMT ref: 0053F9FD

Part of subcall function 00582BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00582BFA

Strings

GETSELECTED, xrefs: 005B0C4E
COLLAPSE, xrefs: 005B0B01, 005B0B1C
SELECT, xrefs: 005B0D11
GETTOTALCOUNT, xrefs: 005B09F2, 005B0A17
CHECK, xrefs: 005B0A85, 005B0AA0
@U=u, xrefs: 005B0A54
ISCHECKED, xrefs: 005B0CE1
EXPAND, xrefs: 005B0BF8
GETITEMCOUNT, xrefs: 005B0C1E
EXISTS, xrefs: 005B0B7C, 005B0B97
UNCHECK, xrefs: 005B0D3E
GETTEXT, xrefs: 005B0C97

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-383632319
Opcode ID: 1d0be9f5eb42bebee51bc21fcf6f470bc7202b5905f6122f3dafdd545122a632
Instruction ID: 5211971806af79e3e071a8c6e0f7fff2a57951369ce346312df32d4e8517dfa3
Opcode Fuzzy Hash: 1d0be9f5eb42bebee51bc21fcf6f470bc7202b5905f6122f3dafdd545122a632
Instruction Fuzzy Hash: C5E167322083529FC714EF25C4509AABFE1BF99314F14895DE896AB3A2DB31FD45CB81

Function 00580D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00581114
Part of subcall function 005810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00580B9B,?,?,?), ref: 00581120
Part of subcall function 005810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00580B9B,?,?,?), ref: 0058112F
Part of subcall function 005810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00580B9B,?,?,?), ref: 00581136
Part of subcall function 005810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0058114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00580DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00580E29
GetLengthSid.ADVAPI32(?), ref: 00580E40
GetAce.ADVAPI32(?,00000000,?), ref: 00580E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00580E96
GetLengthSid.ADVAPI32(?), ref: 00580EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00580EB5
HeapAlloc.KERNEL32(00000000), ref: 00580EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00580EDD
CopySid.ADVAPI32(00000000), ref: 00580EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00580F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00580F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00580F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00580F6E
HeapFree.KERNEL32(00000000), ref: 00580F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00580F7E
HeapFree.KERNEL32(00000000), ref: 00580F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00580F8E
HeapFree.KERNEL32(00000000), ref: 00580F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00580FA1
HeapFree.KERNEL32(00000000), ref: 00580FA8

Part of subcall function 00581193: GetProcessHeap.KERNEL32(00000008,00580BB1,?,00000000,?,00580BB1,?), ref: 005811A1
Part of subcall function 00581193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00580BB1,?), ref: 005811A8
Part of subcall function 00581193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00580BB1,?), ref: 005811B7

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: db11af365062c8685e74e6c21589269d39d390c999fcec63a6aa7b5d5746fb3d
Instruction ID: 49a2cfdd0abf50f395599c9f0b2c30843095be69f42a84f99d392db19d4efe28
Opcode Fuzzy Hash: db11af365062c8685e74e6c21589269d39d390c999fcec63a6aa7b5d5746fb3d
Instruction Fuzzy Hash: 34715E7190020AEBDF60AFA4DC48FAEBFB8BF14340F148215FA19B6191D731A909CB60

Function 005B833C Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005B835A
_wcslen.LIBCMT ref: 005B836E
_wcslen.LIBCMT ref: 005B8391
_wcslen.LIBCMT ref: 005B83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 005B83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,005B361A,?), ref: 005B844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005B8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 005B84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005B8501
FreeLibrary.KERNEL32(?), ref: 005B850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 005B851D
DestroyIcon.USER32(?), ref: 005B852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 005B8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 005B8555

Strings

.dll, xrefs: 005B83AB
@U=u, xrefs: 005B8535
.exe, xrefs: 005B8388
.icl, xrefs: 005B8368

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl$@U=u
API String ID: 799131459-1639919054
Opcode ID: b6a13dc0bd8bf5802df5a61c7fd99ae66a44ed87dd4d311b9d92e2086b3c65c4
Instruction ID: c164989393829e5048ebf89f464fc8f503c802a6806ef400fd0de65c45d7fb81
Opcode Fuzzy Hash: b6a13dc0bd8bf5802df5a61c7fd99ae66a44ed87dd4d311b9d92e2086b3c65c4
Instruction Fuzzy Hash: 6261CD7154061ABAEB24DF64CC85BFE7FACBB48711F104609F815D61D1EB74A980DBA0

Function 005AC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005AC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,005BCC08,00000000,?,00000000,?,?), ref: 005AC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 005AC5A4
_wcslen.LIBCMT ref: 005AC5F4
_wcslen.LIBCMT ref: 005AC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 005AC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 005AC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 005AC84D
RegCloseKey.ADVAPI32(?), ref: 005AC881
RegCloseKey.ADVAPI32(00000000), ref: 005AC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 005AC960

Strings

REG_EXPAND_SZ, xrefs: 005AC5CD
REG_DWORD, xrefs: 005AC804
REG_QWORD, xrefs: 005AC8C3
REG_BINARY, xrefs: 005AC913
REG_MULTI_SZ, xrefs: 005AC6F5
REG_SZ, xrefs: 005AC644

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 2e5b09fce1a16ef3ab2c6ff3156f4be4fcc8b24e2b288b89d6929b4fa18a21c3
Instruction ID: 63966215606ba9e1b5d251bc80adb1cab06c4611521bfd1f7f59b8729e80008b
Opcode Fuzzy Hash: 2e5b09fce1a16ef3ab2c6ff3156f4be4fcc8b24e2b288b89d6929b4fa18a21c3
Instruction Fuzzy Hash: D31256356042129FDB14DF14D885A2ABFE5FF8A714F04885CF88A9B3A2DB31EC45CB85

Function 005AC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,005AB6AE,?,?), ref: 005AC9B5
_wcslen.LIBCMT ref: 005AC9F1
_wcslen.LIBCMT ref: 005ACA68
_wcslen.LIBCMT ref: 005ACA9E
_wcslen.LIBCMT ref: 005ACAF9
_wcslen.LIBCMT ref: 005ACB2F
_wcslen.LIBCMT ref: 005ACB7F

Strings

HKEY_CURRENT_CONFIG, xrefs: 005ACB79, 005ACB7E
HKCU, xrefs: 005ACBCE
HKEY_USERS, xrefs: 005ACBDF
HKEY_CURRENT_USER, xrefs: 005ACBBD
HKCC, xrefs: 005ACBAC
HKEY_LOCAL_MACHINE, xrefs: 005ACA62, 005ACA67
HKCR, xrefs: 005ACB29, 005ACB2E
HKU, xrefs: 005ACBF0
HKLM, xrefs: 005ACA98, 005ACA9D
HKEY_CLASSES_ROOT, xrefs: 005ACAF3, 005ACAF8

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 52c84e28344566e9b5bb71cf4710eb619880887b2a2cda01c8a503b7b526c82d
Instruction ID: 0be6c30190f02a51874b6cc8a2cc55e7aa23a1ab19da7143239e42d455a2f11f
Opcode Fuzzy Hash: 52c84e28344566e9b5bb71cf4710eb619880887b2a2cda01c8a503b7b526c82d
Instruction Fuzzy Hash: F571E433A0016F8BCB20DE7CD9516BE3F91BFA6764F550524F8669B284EA31CD85C7A0

Function 00527778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#requireadmin, xrefs: 005277FF
#OnAutoItStartRegister, xrefs: 00527817
Bad directive syntax error, xrefs: 0056519A
#include-once, xrefs: 0052782F
#comments-start, xrefs: 0052785F, 005278B1
#pragma compile, xrefs: 005277D3
#comments-end, xrefs: 005278D9
#ce, xrefs: 005278ED
Cannot parse #include, xrefs: 00565279
', xrefs: 00565169
#notrayicon, xrefs: 005277E7
#include, xrefs: 00527847
Unterminated group of comments, xrefs: 0056528C
#cs, xrefs: 00527873, 005278C5
", xrefs: 00565153

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 679d633f6d9f7eedc0402ea241f1f51adefc0450af8110ebcd958f07cdf80f77
Instruction ID: 76f2c59f9bad8b050629d835abab51411cbe8a80bb2d48592f833afa63282138
Opcode Fuzzy Hash: 679d633f6d9f7eedc0402ea241f1f51adefc0450af8110ebcd958f07cdf80f77
Instruction Fuzzy Hash: A181D67164461AABDB24AF61DC46FEE3F68FF9A300F044424F905AB1D2EB70D951C791

Function 005B856F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 005B8592
GetFileSize.KERNEL32(00000000,00000000), ref: 005B85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 005B85AD
CloseHandle.KERNEL32(00000000), ref: 005B85BA
GlobalLock.KERNEL32(00000000), ref: 005B85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 005B85D7
GlobalUnlock.KERNEL32(00000000), ref: 005B85E0
CloseHandle.KERNEL32(00000000), ref: 005B85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 005B85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,005BFC38,?), ref: 005B8611
GlobalFree.KERNEL32(00000000), ref: 005B8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 005B8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 005B8671
DeleteObject.GDI32(00000000), ref: 005B8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 005B86AF

Strings

@U=u, xrefs: 005B86AF

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID: @U=u
API String ID: 3840717409-2594219639
Opcode ID: 079d1dde11912189af38c55ed5a9c15b951201ea48157f0926924cfa9411a047
Instruction ID: b9d3c6b1398fb4df538e0b6ebec8854ab7efaac396244f4a5e8942896ecfdcb2
Opcode Fuzzy Hash: 079d1dde11912189af38c55ed5a9c15b951201ea48157f0926924cfa9411a047
Instruction Fuzzy Hash: A0411875600209BFDB519FA9CC48EAABFBCFB99711F104158F905E72A0DB30A905DB24

Function 005830F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0058318D
_wcslen.LIBCMT ref: 005831F8

Strings

NAME, xrefs: 00583335, 00583346
[^, xrefs: 0058339A
INSTANCE, xrefs: 00583453
TEXT, xrefs: 0058347C
CLASSNN, xrefs: 005831F3, 00583204
CLASS, xrefs: 00583188, 005831A5
REGEXPCLASS, xrefs: 00583255, 00583266

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[^
API String ID: 176396367-1827482509
Opcode ID: 21d4dec13860e830e166b918f6833d6d22d81acbf34b84fb547fb31d75c78813
Instruction ID: ab4b3a5451981d0745c986fb33c9d8c386e19054b36901730f9042f7bfb42a6e
Opcode Fuzzy Hash: 21d4dec13860e830e166b918f6833d6d22d81acbf34b84fb547fb31d75c78813
Instruction Fuzzy Hash: C1E10532A00516ABCF18AF68C4557EEBFB4BF44B10F548529EC56B7250EF30AE85CB90

Function 005B911E Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00539BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00539BB2

DragQueryPoint.SHELL32(?,?), ref: 005B9147

Part of subcall function 005B7674: ClientToScreen.USER32(?,?), ref: 005B769A
Part of subcall function 005B7674: GetWindowRect.USER32(?,?), ref: 005B7710
Part of subcall function 005B7674: PtInRect.USER32(?,?,005B8B89), ref: 005B7720

SendMessageW.USER32(?,000000B0,?,?), ref: 005B91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 005B91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 005B91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 005B9225
SendMessageW.USER32(?,000000B0,?,?), ref: 005B923E
SendMessageW.USER32(?,000000B1,?,?), ref: 005B9255
SendMessageW.USER32(?,000000B1,?,?), ref: 005B9277
DragFinish.SHELL32(?), ref: 005B927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 005B9371

Strings

@GUI_DRAGFILE, xrefs: 005B9320
@U=u, xrefs: 005B91B0, 005B9225, 005B923E, 005B9255, 005B9277
@GUI_DROPID, xrefs: 005B929E
p#_, xrefs: 005B92BB
@GUI_DRAGID, xrefs: 005B92E9

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u$p#_
API String ID: 221274066-21923269
Opcode ID: fca07b8912f383f5f2ce1cbaffefcabb0d707fed0cb15fde52e0a28e35ed61ad
Instruction ID: a76bf8bf10aa50ce71026e87306f5ac17487733a4c6aa5aafbc3ae2667378b84
Opcode Fuzzy Hash: fca07b8912f383f5f2ce1cbaffefcabb0d707fed0cb15fde52e0a28e35ed61ad
Instruction Fuzzy Hash: 90615971108302AFC701DF54D889DAFBFE8FFD9750F000A2DB595962A1DB70AA49CB52

Function 005400C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 005400C6

Part of subcall function 005400ED: InitializeCriticalSectionAndSpinCount.KERNEL32(005F070C,00000FA0,9F7B071F,?,?,?,?,005623B3,000000FF), ref: 0054011C
Part of subcall function 005400ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,005623B3,000000FF), ref: 00540127
Part of subcall function 005400ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,005623B3,000000FF), ref: 00540138
Part of subcall function 005400ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0054014E
Part of subcall function 005400ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0054015C
Part of subcall function 005400ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0054016A
Part of subcall function 005400ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00540195
Part of subcall function 005400ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 005401A0

___scrt_fastfail.LIBCMT ref: 005400E7

Part of subcall function 005400A3: __onexit.LIBCMT ref: 005400A9

Strings

WakeAllConditionVariable, xrefs: 00540162
kernel32.dll, xrefs: 00540133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00540122
InitializeConditionVariable, xrefs: 00540148
SleepConditionVariableCS, xrefs: 00540154

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: c287ee41e94982f25675a3ae7e293ce71d55b610a7c2df6c30a3e0e12fe7b60d
Instruction ID: caa8a16a9d47f7d4c60fdd9cd95f93320756fa1b53cf21b8a83a31c8a2143d36
Opcode Fuzzy Hash: c287ee41e94982f25675a3ae7e293ce71d55b610a7c2df6c30a3e0e12fe7b60d
Instruction Fuzzy Hash: 5B214932A417116FD7106B68AC49BAA3F98FB54B64F242225FA01E72D2DB74A800DB94

Function 005944C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,005BCC08), ref: 00594527
_wcslen.LIBCMT ref: 0059453B
_wcslen.LIBCMT ref: 00594599
_wcslen.LIBCMT ref: 005945F4
_wcslen.LIBCMT ref: 0059463F
_wcslen.LIBCMT ref: 005946A7

Part of subcall function 0053F9F2: _wcslen.LIBCMT ref: 0053F9FD

GetDriveTypeW.KERNEL32(?,005E6BF0,00000061), ref: 00594743

Strings

unknown, xrefs: 00594708
network, xrefs: 0059469D, 005946A2
cdrom, xrefs: 0059458F, 00594594
ramdisk, xrefs: 005946F1
removable, xrefs: 005945EA, 005945EF
all, xrefs: 00594531, 00594536
fixed, xrefs: 00594635, 0059463A

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 3166b0709913c245d02568bcd75a48680ced90b2756a111d774c876c43f6f624
Instruction ID: 73b6e40eb443089a189fd331268c50cbfca13d5cd11cdbfc8bd044c1c3015ecf
Opcode Fuzzy Hash: 3166b0709913c245d02568bcd75a48680ced90b2756a111d774c876c43f6f624
Instruction Fuzzy Hash: FDB1DC716083129BCB14DF28D890E6ABFE5BFA6760F50491DF49687291E730DC46CBA2

Function 005B6CD9 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 005B6DEB

Part of subcall function 00526B57: _wcslen.LIBCMT ref: 00526B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 005B6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 005B6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005B6E94
DestroyWindow.USER32(?), ref: 005B6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00520000,00000000), ref: 005B6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005B6EFD
GetDesktopWindow.USER32 ref: 005B6F16
GetWindowRect.USER32(00000000), ref: 005B6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 005B6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 005B6F4D

Part of subcall function 00539944: GetWindowLongW.USER32(?,000000EB), ref: 00539952

Strings

tooltips_class32, xrefs: 005B6E58, 005B6EDD
@U=u, xrefs: 005B6E81, 005B6E94, 005B6EFD, 005B6F27
0, xrefs: 005B6D98

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$@U=u$tooltips_class32
API String ID: 2429346358-1130792468
Opcode ID: c5fdb71e58b1809ec79c718ba2c4049880d1d7b08a9e8451ca34b8096445f2c9
Instruction ID: df2dd869ae27be342da8459332f9959d6adaab1318bfac590141ecd2bd411d94
Opcode Fuzzy Hash: c5fdb71e58b1809ec79c718ba2c4049880d1d7b08a9e8451ca34b8096445f2c9
Instruction Fuzzy Hash: C6716675504244AFDB21CF28DC88EBABFE9FB99304F04091DF9898B261C778E909DB15

Function 005AAFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005AB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 005AB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 005AB1D4
_wcslen.LIBCMT ref: 005AB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005AB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005AB236
_wcslen.LIBCMT ref: 005AB332

Part of subcall function 005905A7: GetStdHandle.KERNEL32(000000F6), ref: 005905C6

_wcslen.LIBCMT ref: 005AB34B
_wcslen.LIBCMT ref: 005AB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 005AB3B6
GetLastError.KERNEL32(00000000), ref: 005AB407
CloseHandle.KERNEL32(?), ref: 005AB439
CloseHandle.KERNEL32(00000000), ref: 005AB44A
CloseHandle.KERNEL32(00000000), ref: 005AB45C
CloseHandle.KERNEL32(00000000), ref: 005AB46E
CloseHandle.KERNEL32(?), ref: 005AB4E3

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 9bac9f493054b2333c577a3753c0d21b7bdc37b870b12f036c28f9ae31282d80
Instruction ID: b84e3178c70103e18e0c94d595398b6b6451f032438ed6e33e4ab149dab79991
Opcode Fuzzy Hash: 9bac9f493054b2333c577a3753c0d21b7bdc37b870b12f036c28f9ae31282d80
Instruction Fuzzy Hash: 14F18A316042419FDB14EF24D885B6EBFE5BF8A314F14895DF8859B2A2DB31EC44CB92

Function 0052326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(005F1990), ref: 00562F8D
GetMenuItemCount.USER32(005F1990), ref: 0056303D
GetCursorPos.USER32(?), ref: 00563081
SetForegroundWindow.USER32(00000000), ref: 0056308A
TrackPopupMenuEx.USER32(005F1990,00000000,?,00000000,00000000,00000000), ref: 0056309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005630A9

Strings

0, xrefs: 0052327D

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: aa2c36b913e0bf9809a9966857556b57b6ab784ba0d584ac1469c533cbfd520d
Instruction ID: 280cb651e4f26c6e45535760c72d52d79777e9825e73a1de3fa60c091d923d77
Opcode Fuzzy Hash: aa2c36b913e0bf9809a9966857556b57b6ab784ba0d584ac1469c533cbfd520d
Instruction Fuzzy Hash: F0710631640616BEEB219F64DC4AFAAFF69FF05324F204216F524AB1E1C7B1AD14DB90

Function 0059C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0059C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0059C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0059C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0059C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0059C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0059C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0059C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0059C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0059C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0059C5F0
InternetCloseHandle.WININET(00000000), ref: 0059C5FB

Strings

, xrefs: 0059C575

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: b9381f8a2f1cdfa007d7dcdcade7b04004bc2d4341827318b8f25ed959953478
Instruction ID: ee7b8796849c4dbf1697cfe32b0a0d7dad14b59c4488825c1ff8a529145ec048
Opcode Fuzzy Hash: b9381f8a2f1cdfa007d7dcdcade7b04004bc2d4341827318b8f25ed959953478
Instruction Fuzzy Hash: 70514AB1600209BFEF218F65C988AAB7FFCFF59754F004519F94696250EB34E948AB60

Function 005914BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00591502
VariantCopy.OLEAUT32(?,?), ref: 0059150B
VariantClear.OLEAUT32(?), ref: 00591517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 005915FB
VarR8FromDec.OLEAUT32(?,?), ref: 00591657
VariantInit.OLEAUT32(?), ref: 00591708
SysFreeString.OLEAUT32(?), ref: 0059178C
VariantClear.OLEAUT32(?), ref: 005917D8
VariantClear.OLEAUT32(?), ref: 005917E7
VariantInit.OLEAUT32(00000000), ref: 00591823

Strings

Default, xrefs: 005916AF
%4d%02d%02d%02d%02d%02d, xrefs: 00591625

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 546091795d96031c549c556658f936658031366ee9d912a773221ebd684249d8
Instruction ID: 2a06961bc0d35a6ce3085be820ca9863c11358473af2b3436fc1dc2520dd01d6
Opcode Fuzzy Hash: 546091795d96031c549c556658f936658031366ee9d912a773221ebd684249d8
Instruction Fuzzy Hash: C7D1ED71A00927DBDF009F65E888B79BFB5FF85700F128856E446AB290DB30EC45DB65

Function 005AB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

Part of subcall function 005AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005AB6AE,?,?), ref: 005AC9B5
Part of subcall function 005AC998: _wcslen.LIBCMT ref: 005AC9F1
Part of subcall function 005AC998: _wcslen.LIBCMT ref: 005ACA68
Part of subcall function 005AC998: _wcslen.LIBCMT ref: 005ACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005AB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005AB772
RegDeleteValueW.ADVAPI32(?,?), ref: 005AB80A
RegCloseKey.ADVAPI32(?), ref: 005AB87E
RegCloseKey.ADVAPI32(?), ref: 005AB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 005AB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 005AB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 005AB922
FreeLibrary.KERNEL32(00000000), ref: 005AB983
RegCloseKey.ADVAPI32(00000000), ref: 005AB994

Strings

advapi32.dll, xrefs: 005AB8ED
RegDeleteKeyExW, xrefs: 005AB8FE

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 49ac3574f0d8970ec0d4dc21ff56f53fadecca025d456142d1b91f6f11a4b8b0
Instruction ID: 152683b75e46a0e845ad935dd1eff0fea6c645b45c6d15fc6ea9be2f3fc905dd
Opcode Fuzzy Hash: 49ac3574f0d8970ec0d4dc21ff56f53fadecca025d456142d1b91f6f11a4b8b0
Instruction Fuzzy Hash: 56C15A30208242AFE714DF14C499B2ABFE5BF86318F14855CE59A8B2A3CB75ED45CBD1

Function 005B541D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 005B5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005B5515
CharNextW.USER32(00000158), ref: 005B5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 005B5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 005B559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005B55AC

Strings

@U=u, xrefs: 005B5504, 005B5515, 005B554A, 005B55C9, 005B562B, 005B5816

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend$CharNext
String ID: @U=u
API String ID: 1350042424-2594219639
Opcode ID: d026e734e79d2480dea343ff5cb6ead8dd59475c81b1994019398277904cc0ab
Instruction ID: 08f9365e9e9b9adef9e79d5c1fb2827834a23ba5ae294c9bd8c6cdfd912ba89a
Opcode Fuzzy Hash: d026e734e79d2480dea343ff5cb6ead8dd59475c81b1994019398277904cc0ab
Instruction Fuzzy Hash: 9B61AA30900609EFDF249F64CC85EFE7FB9FB19321F104545F925AA290E774AA84DB60

Function 005A255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005A25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 005A25E8
CreateCompatibleDC.GDI32(?), ref: 005A25F4
SelectObject.GDI32(00000000,?), ref: 005A2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 005A266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 005A26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 005A26D0
SelectObject.GDI32(?,?), ref: 005A26D8
DeleteObject.GDI32(?), ref: 005A26E1
DeleteDC.GDI32(?), ref: 005A26E8
ReleaseDC.USER32(00000000,?), ref: 005A26F3

Strings

(, xrefs: 005A268D

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 43a8dcc400c02a909070267b9ddeb406c1cdd3b8392dddc10d54680de7790b97
Instruction ID: bb22def2e1ad619b65b6c2dd035cd96b8033e36b5e61be91424d3345321d4126
Opcode Fuzzy Hash: 43a8dcc400c02a909070267b9ddeb406c1cdd3b8392dddc10d54680de7790b97
Instruction Fuzzy Hash: 1A61E275D00219EFCF04CFA8D989EAEBBB5FF48310F208529E956A7250D770A941DF64

Function 0058E6B0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0058E6B4

Part of subcall function 0053E551: timeGetTime.WINMM(?,?,0058E6D4), ref: 0053E555

Sleep.KERNEL32(0000000A), ref: 0058E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0058E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0058E727
SetActiveWindow.USER32 ref: 0058E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0058E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0058E773
Sleep.KERNEL32(000000FA), ref: 0058E77E
IsWindow.USER32 ref: 0058E78A
EndDialog.USER32(00000000), ref: 0058E79B

Strings

BUTTON, xrefs: 0058E719
@U=u, xrefs: 0058E754, 0058E773

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: @U=u$BUTTON
API String ID: 1194449130-2582809321
Opcode ID: 9bb844ad152479ef39ed0ebedc64f0d845e514edc44ed87dd88612b2c6699b41
Instruction ID: c2efd65a86c5b47c0ef031f89bb9ab84daf906273bce0e505a0c3d234f0d82b8
Opcode Fuzzy Hash: 9bb844ad152479ef39ed0ebedc64f0d845e514edc44ed87dd88612b2c6699b41
Instruction Fuzzy Hash: 6E2130B0200245AFEB106F66EC8AE353F69F775749F101525F916E11A1DB65AC08EB28

Function 0055DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0055DAA1

Part of subcall function 0055D63C: _free.LIBCMT ref: 0055D659
Part of subcall function 0055D63C: _free.LIBCMT ref: 0055D66B
Part of subcall function 0055D63C: _free.LIBCMT ref: 0055D67D
Part of subcall function 0055D63C: _free.LIBCMT ref: 0055D68F
Part of subcall function 0055D63C: _free.LIBCMT ref: 0055D6A1
Part of subcall function 0055D63C: _free.LIBCMT ref: 0055D6B3
Part of subcall function 0055D63C: _free.LIBCMT ref: 0055D6C5
Part of subcall function 0055D63C: _free.LIBCMT ref: 0055D6D7
Part of subcall function 0055D63C: _free.LIBCMT ref: 0055D6E9
Part of subcall function 0055D63C: _free.LIBCMT ref: 0055D6FB
Part of subcall function 0055D63C: _free.LIBCMT ref: 0055D70D
Part of subcall function 0055D63C: _free.LIBCMT ref: 0055D71F
Part of subcall function 0055D63C: _free.LIBCMT ref: 0055D731

_free.LIBCMT ref: 0055DA96

Part of subcall function 005529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0055D7D1,00000000,00000000,00000000,00000000,?,0055D7F8,00000000,00000007,00000000,?,0055DBF5,00000000), ref: 005529DE
Part of subcall function 005529C8: GetLastError.KERNEL32(00000000,?,0055D7D1,00000000,00000000,00000000,00000000,?,0055D7F8,00000000,00000007,00000000,?,0055DBF5,00000000,00000000), ref: 005529F0

_free.LIBCMT ref: 0055DAB8
_free.LIBCMT ref: 0055DACD
_free.LIBCMT ref: 0055DAD8
_free.LIBCMT ref: 0055DAFA
_free.LIBCMT ref: 0055DB0D
_free.LIBCMT ref: 0055DB1B
_free.LIBCMT ref: 0055DB26
_free.LIBCMT ref: 0055DB5E
_free.LIBCMT ref: 0055DB65
_free.LIBCMT ref: 0055DB82
_free.LIBCMT ref: 0055DB9A

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9826490c8e885e45d8e2d5619d5371f59cefc3dc67fa1c59e65d7ae46b09b7e4
Instruction ID: aa735865c77749154405dc833d8569d035997dc5d3f6ba4bef31da8b3f3276f7
Opcode Fuzzy Hash: 9826490c8e885e45d8e2d5619d5371f59cefc3dc67fa1c59e65d7ae46b09b7e4
Instruction Fuzzy Hash: 4D313D326046069FDB31AA39D859B967FF9FF41322F15441BE849E7291DA31AC88CB30

Function 0058365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0058369C
_wcslen.LIBCMT ref: 005836A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00583797
GetClassNameW.USER32(?,?,00000400), ref: 0058380C
GetDlgCtrlID.USER32(?), ref: 0058385D
GetWindowRect.USER32(?,?), ref: 00583882
GetParent.USER32(?), ref: 005838A0
ScreenToClient.USER32(00000000), ref: 005838A7
GetClassNameW.USER32(?,?,00000100), ref: 00583921
GetWindowTextW.USER32(?,?,00000400), ref: 0058395D

Strings

%s%u, xrefs: 00583734

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 62ba47f560d9ae25672d03d1c321144837a0959e85b82bf4a7f72a2d3b3a27e9
Instruction ID: 43f15cc7d5334c181772cbd1284b50112fb174f0ff91fc8f3b1d46c931ca93ac
Opcode Fuzzy Hash: 62ba47f560d9ae25672d03d1c321144837a0959e85b82bf4a7f72a2d3b3a27e9
Instruction Fuzzy Hash: C291A471204606AFD719EF24C885FEAFBA8FF44754F004629FD99E2190EB30EA45CB91

Function 00584954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00584994
GetWindowTextW.USER32(?,?,00000400), ref: 005849DA
_wcslen.LIBCMT ref: 005849EB
CharUpperBuffW.USER32(?,00000000), ref: 005849F7
_wcsstr.LIBVCRUNTIME ref: 00584A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00584A64
GetWindowTextW.USER32(?,?,00000400), ref: 00584A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00584AE6
GetClassNameW.USER32(?,?,00000400), ref: 00584B20
GetWindowRect.USER32(?,?), ref: 00584B8B

Strings

ThumbnailClass, xrefs: 00584A6F, 00584AF1

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 33c40159f3498b3380b61d765c1e09c478b9c9302d1a984a74381bb95cdf1322
Instruction ID: e59d52d232a05158bdb05fad38c03a55f9f6e9fe429b0e25da94b177e75ce805
Opcode Fuzzy Hash: 33c40159f3498b3380b61d765c1e09c478b9c9302d1a984a74381bb95cdf1322
Instruction Fuzzy Hash: 74919D311042069BDB08EF14C985BBA7FE9FF84314F04856AFD85AA196EB34ED45CFA1

Function 005B8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00539BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00539BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005B8D5A
GetFocus.USER32 ref: 005B8D6A
GetDlgCtrlID.USER32(00000000), ref: 005B8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 005B8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 005B8ECF
GetMenuItemCount.USER32(?), ref: 005B8EEC
GetMenuItemID.USER32(?,00000000), ref: 005B8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 005B8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 005B8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 005B8FA1

Strings

0, xrefs: 005B8E9F

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: d7d7c9a67ab8400b8af3834681c9018c854f6658152b5cf35d87a8a1277666d8
Instruction ID: 67de988367bd783215cf407f934aedd0dc0d768ea00b4e0b50b87a77a862f09b
Opcode Fuzzy Hash: d7d7c9a67ab8400b8af3834681c9018c854f6658152b5cf35d87a8a1277666d8
Instruction Fuzzy Hash: 80819F715043019FDB20CF24C889ABBBFEDFB98354F141A19F98597291DB70E905DBA1

Function 005ACC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 005ACC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 005ACC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 005ACD48

Part of subcall function 005ACC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 005ACCAA
Part of subcall function 005ACC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 005ACCBD
Part of subcall function 005ACC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 005ACCCF
Part of subcall function 005ACC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 005ACD05
Part of subcall function 005ACC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 005ACD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 005ACCF3

Strings

advapi32.dll, xrefs: 005ACCB8
RegDeleteKeyExW, xrefs: 005ACCC9

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 81ddfe7c22faa7cca13003a9855c2399907b3d781683c37b0991b909d932ab4e
Instruction ID: bc651ce95fdeaabc4285f3f299e9c72b2da2bc8486dfb8ef1fcbebcfd4d93ffa
Opcode Fuzzy Hash: 81ddfe7c22faa7cca13003a9855c2399907b3d781683c37b0991b909d932ab4e
Instruction Fuzzy Hash: 0D319A71901128BBDB209B95DC88EFFBF7CEF16750F000165B916E6200DB709E49EAA4

Function 0058E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0058EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0058EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0058EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0058EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0058EAA7

Strings

alias PlayMe, xrefs: 0058EA36
close PlayMe, xrefs: 0058EA6E, 0058EA9B
play PlayMe, xrefs: 0058EAA2
status PlayMe mode, xrefs: 0058EA58
play PlayMe wait, xrefs: 0058EA91
open , xrefs: 0058EA0C

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 6b7404cbdd7dd379941106e0cc826da16c716a104b7cea75557a241dad711dfc
Instruction ID: 124b9afcbe326911e816001e5d59b62787237ec12382ca0595d6c69442e6e6ad
Opcode Fuzzy Hash: 6b7404cbdd7dd379941106e0cc826da16c716a104b7cea75557a241dad711dfc
Instruction Fuzzy Hash: 4E11122165026A79D728E766DC4FDFF6E7CFFE2F80F400429B851A20D1DA705945C6B0

Function 00538BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00538F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00538BE8,?,00000000,?,?,?,?,00538BBA,00000000,?), ref: 00538FC5

DestroyWindow.USER32(?), ref: 00538C81
KillTimer.USER32(00000000,?,?,?,?,00538BBA,00000000,?), ref: 00538D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00576973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00538BBA,00000000,?), ref: 005769A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00538BBA,00000000,?), ref: 005769B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00538BBA,00000000), ref: 005769D4
DeleteObject.GDI32(00000000), ref: 005769E6

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 40c4516055f12a3deebd18453a8b0b695c71d44df83c45049b6b4a4a779adad8
Instruction ID: 89a087a2b2e700f6aba75268a8ccf13bbf28433e575e6a64535fd6ba65e53bbc
Opcode Fuzzy Hash: 40c4516055f12a3deebd18453a8b0b695c71d44df83c45049b6b4a4a779adad8
Instruction Fuzzy Hash: 0A618B30502B05DFCB299F25DA48B397FF1FB60312F149918E0469B560CB75AD88EBA8

Function 00539838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00539944: GetWindowLongW.USER32(?,000000EB), ref: 00539952

GetSysColor.USER32(0000000F), ref: 00539862

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 1c90466e8c6b4c9e2c82efa7add4d1a3827a9f4da976d0152dc79624fca5e4ad
Instruction ID: e05cc25274b457ef2075a9dd40c8db3e3bf61d992059d17c178a314038d694c0
Opcode Fuzzy Hash: 1c90466e8c6b4c9e2c82efa7add4d1a3827a9f4da976d0152dc79624fca5e4ad
Instruction Fuzzy Hash: 7E41C471104644AFDB205F3CAC88BBA7F65FB96330F144645F9A2972E1D7B19C42EB60

Function 005B50D4 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 005B5186
ShowWindow.USER32(?,00000000), ref: 005B51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 005B51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 005B51D1

Part of subcall function 005B6FBA: DeleteObject.GDI32(00000000), ref: 005B6FE6

GetWindowLongW.USER32(?,000000F0), ref: 005B520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005B521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 005B524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 005B5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 005B5296

Strings

@U=u, xrefs: 005B5186

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID: @U=u
API String ID: 3210457359-2594219639
Opcode ID: 571ab649359df7e56f0f3889ae56844e2f215a75edb5e22765d9f3c51a5748a4
Instruction ID: 8aaca50fba14ef5d27fefc7a396dbaa687cb9eeee0820ed3f2705a66bca6bee2
Opcode Fuzzy Hash: 571ab649359df7e56f0f3889ae56844e2f215a75edb5e22765d9f3c51a5748a4
Instruction Fuzzy Hash: 1451D234A42A09FFEF289F28DC4ABD87F65FB45320F144112F6559A2E0E7B5B984DB40

Function 00538B06 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00576890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 005768A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 005768B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 005768D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 005768F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00538874,00000000,00000000,00000000,000000FF,00000000), ref: 00576901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0057691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00538874,00000000,00000000,00000000,000000FF,00000000), ref: 0057692D

Strings

@U=u, xrefs: 005768F2, 0057691E

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID: @U=u
API String ID: 1268354404-2594219639
Opcode ID: 80cfc127409f4ba3c773efef7f4a5db6b9a1e824c1177da4f6d40dbb5aca2d19
Instruction ID: 0c45a5bfc5d62b294d44b60e0745d52f1f32d4da13cfc547a0c54f49052c7365
Opcode Fuzzy Hash: 80cfc127409f4ba3c773efef7f4a5db6b9a1e824c1177da4f6d40dbb5aca2d19
Instruction Fuzzy Hash: 5B51787060070AEFDB248F24DC65BAABFB5FB58750F104618F956A62A0DBB0A950EB50

Function 005B8B02 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00539BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00539BB2

Part of subcall function 0053912D: GetCursorPos.USER32(?), ref: 00539141
Part of subcall function 0053912D: ScreenToClient.USER32(00000000,?), ref: 0053915E
Part of subcall function 0053912D: GetAsyncKeyState.USER32(00000001), ref: 00539183
Part of subcall function 0053912D: GetAsyncKeyState.USER32(00000002), ref: 0053919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 005B8B6B
ImageList_EndDrag.COMCTL32 ref: 005B8B71
ReleaseCapture.USER32 ref: 005B8B77
SetWindowTextW.USER32(?,00000000), ref: 005B8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 005B8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 005B8CFF

Strings

@GUI_DRAGFILE, xrefs: 005B8C9A
p#_, xrefs: 005B8C71
@U=u, xrefs: 005B8C25
@GUI_DROPID, xrefs: 005B8C51

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u$p#_
API String ID: 1924731296-3474493772
Opcode ID: b8e9c73dbb312d1f61fc804ee5132b0a84f77361caad19226d5fe237192d83d5
Instruction ID: 6924af96848f588ebb123e4051e54eb33ddfca6d24e46ed1296483a1efebdeb2
Opcode Fuzzy Hash: b8e9c73dbb312d1f61fc804ee5132b0a84f77361caad19226d5fe237192d83d5
Instruction Fuzzy Hash: E6516C71104205AFD704DF14D959FBA7FE4FB98710F000629F996AB2E1CB75AD08CBA6

Function 005896E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0056F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00589717
LoadStringW.USER32(00000000,?,0056F7F8,00000001), ref: 00589720

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0056F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00589742
LoadStringW.USER32(00000000,?,0056F7F8,00000001), ref: 00589745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00589866

Strings

Line %d (File "%s"):, xrefs: 0058978F
Line %d:, xrefs: 005897A0
^ ERROR, xrefs: 005897FB
%s (%d) : ==> %s: %s %s, xrefs: 0058984A
Error: , xrefs: 0058981D

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 3e2f1b0fa0e20537fa6dd7cba5d7a6c9226d30cd57fca3cdfa97428747d8a1b1
Instruction ID: 3fb0e8be180150c4193c193c924db437e467d13d9360e7e2fc3dc44b2d2ea4e9
Opcode Fuzzy Hash: 3e2f1b0fa0e20537fa6dd7cba5d7a6c9226d30cd57fca3cdfa97428747d8a1b1
Instruction Fuzzy Hash: 3B411E7280021AAACF04FBA0DD9ADFE7B78BFA5340F240465F505721D1EA356F48CB61

Function 005806DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00526B57: _wcslen.LIBCMT ref: 00526B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005807A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005807BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005807DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00580804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0058082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00580837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0058083C

Strings

SOFTWARE\Classes\, xrefs: 0058070E
\IPC$, xrefs: 00580784
\CLSID, xrefs: 00580724

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 444d2db1e824a7c0210be9d3f0014b2234fcd224910c65366b0757d1aff4895c
Instruction ID: 4469f339ad02d69d2984d81217e7d989688da37e889d66afbdd13aa572b0ec29
Opcode Fuzzy Hash: 444d2db1e824a7c0210be9d3f0014b2234fcd224910c65366b0757d1aff4895c
Instruction Fuzzy Hash: FC41F972C10229ABDF15EBA4DC998EDBB78FF54750F144565E901B31A1EB30AE48CF90

Function 00597A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00597AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00597B8F
SHGetDesktopFolder.SHELL32(?), ref: 00597BA3
CoCreateInstance.OLE32(005BFD08,00000000,00000001,005E6E6C,?), ref: 00597BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00597C74
CoTaskMemFree.OLE32(?,?), ref: 00597CCC
SHBrowseForFolderW.SHELL32(?), ref: 00597D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00597D7A
CoTaskMemFree.OLE32(00000000), ref: 00597D81
CoTaskMemFree.OLE32(00000000), ref: 00597DD6
CoUninitialize.OLE32 ref: 00597DDC

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: a95bdac1e3c389d3758b2827a981c99e6d9d1cc1cc211ebd313187199556fbaa
Instruction ID: 1960603a7945a699bb60a0e0ef03ffc271639d865cea41539e265a8eefa6c4a3
Opcode Fuzzy Hash: a95bdac1e3c389d3758b2827a981c99e6d9d1cc1cc211ebd313187199556fbaa
Instruction Fuzzy Hash: 2AC10975A04219AFDB14DF64C888DAEBFB9FF48304F148599F8199B261D730EE45CB90

Function 0057FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0057FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0057FB08
VariantInit.OLEAUT32(?), ref: 0057FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0057FB3A
VariantCopy.OLEAUT32(?,?), ref: 0057FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0057FBA1
VariantClear.OLEAUT32(?), ref: 0057FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0057FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0057FBCC
VariantClear.OLEAUT32(?), ref: 0057FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0057FBE9

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: cdbb3e452b721ba92bc47eaba852f3c7f29ce76153a1d94fc71a6e1050e9feaf
Instruction ID: 2adf097f784b6f62be67dbe893641d5eb8089dcaeadcf10c2d31e7c2978263ad
Opcode Fuzzy Hash: cdbb3e452b721ba92bc47eaba852f3c7f29ce76153a1d94fc71a6e1050e9feaf
Instruction Fuzzy Hash: 33416235A0021ADFCF00DF64D8589AEBFB9FF58345F00C465E959A7261DB30AA45DFA0

Function 005A055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005A05BC
inet_addr.WSOCK32(?), ref: 005A061C
gethostbyname.WSOCK32(?), ref: 005A0628
IcmpCreateFile.IPHLPAPI ref: 005A0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 005A06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 005A06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 005A07B9
WSACleanup.WSOCK32 ref: 005A07BF

Strings

Ping, xrefs: 005A0676

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 13a2b0cbb44c1d9b1cf52cd2381bfb185e6b9bd2502bb17894737a3dcca72cd6
Instruction ID: 96b93e27f119230fc4e416573f52a6769733fec5d302e84e0b43a9fa7d214723
Opcode Fuzzy Hash: 13a2b0cbb44c1d9b1cf52cd2381bfb185e6b9bd2502bb17894737a3dcca72cd6
Instruction Fuzzy Hash: FD917A356142019FD720DF15D489B1ABFE0FF8A318F1489A9E46A9B6A2C730FC45CF91

Function 005A8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 005A8CF3

Part of subcall function 00588E54: _wcslen.LIBCMT ref: 00588E77

_wcslen.LIBCMT ref: 005A8D4E
_wcslen.LIBCMT ref: 005A8D9C
_wcslen.LIBCMT ref: 005A8DDC
_wcslen.LIBCMT ref: 005A8E6E

Strings

cdecl, xrefs: 005A8D48, 005A8D4D
winapi, xrefs: 005A8D96, 005A8D9B
none, xrefs: 005A8E65, 005A8E6A
stdcall, xrefs: 005A8DD6, 005A8DDB

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 98218c3e5622d37b8e3bd5c2fab55034cd6808248ceac60c618e82c3b224bc71
Instruction ID: c39133632e17d08139e04c869623dafced9af0aaa35ee87e22669c06b553ae0f
Opcode Fuzzy Hash: 98218c3e5622d37b8e3bd5c2fab55034cd6808248ceac60c618e82c3b224bc71
Instruction Fuzzy Hash: E5519171A00116DBCF14DF68C9509BEBBA9BF66724B244629E866E72C4EF31DD40C790

Function 005A372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 005A3774
CoUninitialize.OLE32 ref: 005A377F
CoCreateInstance.OLE32(?,00000000,00000017,005BFB78,?), ref: 005A37D9
IIDFromString.OLE32(?,?), ref: 005A384C
VariantInit.OLEAUT32(?), ref: 005A38E4
VariantClear.OLEAUT32(?), ref: 005A3936

Strings

Failed to create object, xrefs: 005A37E4, 005A389A
NULL Pointer assignment, xrefs: 005A381E
Invalid parameter, xrefs: 005A3865

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: fb076fdc010f09ae5f22e2d861da5f60a555a9fd6cecf0d6bb526920ef0f5f9a
Instruction ID: 8f585fce80aafe3888156e854d20ad667704b891bc7eaca5cd430d7cc1d65d42
Opcode Fuzzy Hash: fb076fdc010f09ae5f22e2d861da5f60a555a9fd6cecf0d6bb526920ef0f5f9a
Instruction Fuzzy Hash: 8B616B70608212AFD310DF54D849A6EBFE8FF8A718F100919F9859B291D774EE48CB92

Function 00593388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 005933CF

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 005933F0

Strings

Line %d (File "%s"):, xrefs: 00593443, 0059345C
^ ERROR , xrefs: 0059349E
Incorrect parameters to object property !, xrefs: 005934AB
Error: , xrefs: 005934D1
"%s" (%d) : ==> %s:, xrefs: 00593522
"%s" (%d) : ==> %s:%s%s, xrefs: 00593504

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: fe679ad528ce59a2887de52f483500609afd231e7a08b91212fa842eef8fcfc0
Instruction ID: 409208b8dcbc2f2cf4b6c51b97510df7473b65186b2a9a5b3eb6d2da833769d1
Opcode Fuzzy Hash: fe679ad528ce59a2887de52f483500609afd231e7a08b91212fa842eef8fcfc0
Instruction Fuzzy Hash: 0751AF7280021AAACF14EBA0DD4AEFEBB78BF65340F244465F405720A1EB352F58DB60

Function 0058B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0058B5FC
_wcslen.LIBCMT ref: 0058B608
_wcslen.LIBCMT ref: 0058B64D
_wcslen.LIBCMT ref: 0058B68C
_wcslen.LIBCMT ref: 0058B6C7

Strings

REMOVE, xrefs: 0058B602, 0058B607
KEYS, xrefs: 0058B647, 0058B64C
APPEND, xrefs: 0058B6C1, 0058B6C6
EXISTS, xrefs: 0058B686, 0058B68B

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 4e15f75f856087dc7ab5a1feebb2ba23a8335c5a1afff842ffbab429b1d7eab6
Instruction ID: 98b26785f71271e3a77770a49781de227bb3b2c90d274d125f32a7545042792d
Opcode Fuzzy Hash: 4e15f75f856087dc7ab5a1feebb2ba23a8335c5a1afff842ffbab429b1d7eab6
Instruction Fuzzy Hash: 7841A732A001279ADB107F7E88915BE7FA9FFA1794B254629E861E7284F731CD81C790

Function 00595393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005953A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00595416
GetLastError.KERNEL32 ref: 00595420
SetErrorMode.KERNEL32(00000000,READY), ref: 005954A7

Strings

READY, xrefs: 00595460, 00595468
NOTREADY, xrefs: 0059544B
READONLY, xrefs: 00595452
INVALID, xrefs: 00595459
UNKNOWN, xrefs: 00595444

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 66e9d9ad4078ac2b46944d3c8821bc8b32479a79ea36f43f173bca49d3289ea6
Instruction ID: 61026827549e90a17a57a4c2886960cfccfbeb429fee1e399221b5d22f2bebbc
Opcode Fuzzy Hash: 66e9d9ad4078ac2b46944d3c8821bc8b32479a79ea36f43f173bca49d3289ea6
Instruction Fuzzy Hash: 8631CE35A002059FCF52DF68C888AAABFF4FF55345F548065E409DB292E770ED96CB90

Function 005B2D03 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 005B2D1B
GetDC.USER32(00000000), ref: 005B2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005B2D2E
ReleaseDC.USER32(00000000,00000000), ref: 005B2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 005B2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 005B2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,005B5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 005B2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 005B2DE1

Strings

@U=u, xrefs: 005B2D87, 005B2DE1

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID: @U=u
API String ID: 3864802216-2594219639
Opcode ID: e019e27999ec10ad7f5ca338d94ef86320e408587ef76934dabf91342c98c7ca
Instruction ID: b0f64bcc2daa47dfffa887bb8a4a500a46e4ed7e5b9f80e34b4891ec46c84629
Opcode Fuzzy Hash: e019e27999ec10ad7f5ca338d94ef86320e408587ef76934dabf91342c98c7ca
Instruction Fuzzy Hash: 13317872201214BFEB218F548C8AFEB3FA9FB59711F044155FE089A291C6B5A851CBB4

Function 0058209F Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 005820AB
GetClassNameW.USER32(00000000,?,00000100), ref: 005820C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0058214D

Strings

@U=u, xrefs: 0058214D
largeicons, xrefs: 005820E1
SHELLDLL_DefView, xrefs: 005820CC
smallicons, xrefs: 00582115
details, xrefs: 005820FB
list, xrefs: 0058212F

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-1428604138
Opcode ID: eb2e5ad760fa56571dcbaa1e3eb9365410c22c326e9d0dc81209ed3eba734502
Instruction ID: a7eaed66f81bde03b34706bd8cc6a9b6e317117f73247d2a8cc580bfbda92587
Opcode Fuzzy Hash: eb2e5ad760fa56571dcbaa1e3eb9365410c22c326e9d0dc81209ed3eba734502
Instruction Fuzzy Hash: 1111C17A688707BAF60976259C0EDE63F9DFB14328F30011AFB45B90D1FAA168459B18

Function 005B3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 005B3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 005B3AA0
GetWindowLongW.USER32(?,000000F0), ref: 005B3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005B3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 005B3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 005B3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 005B3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 005B3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 005B3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 005B3C13

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 852437b29e6cb2a472cf58df3b4955487f49b33bef615478dbf93d2b845f13f0
Instruction ID: 9d4e271c789105e1f57f41f084b10229e554ff92858b6099000d01e6b46995f7
Opcode Fuzzy Hash: 852437b29e6cb2a472cf58df3b4955487f49b33bef615478dbf93d2b845f13f0
Instruction Fuzzy Hash: AE615775900248AFDB10DFA8CD85EEE7BB8FF49700F100199FA15AB2A1C774AE45DB50

Function 0058B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0058B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0058A1E1,?,00000001), ref: 0058B165
GetWindowThreadProcessId.USER32(00000000), ref: 0058B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0058A1E1,?,00000001), ref: 0058B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0058B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0058A1E1,?,00000001), ref: 0058B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0058A1E1,?,00000001), ref: 0058B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0058A1E1,?,00000001), ref: 0058B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0058A1E1,?,00000001), ref: 0058B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0058A1E1,?,00000001), ref: 0058B21D

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 30fecc862c3ecd9f12ed7a7972c2de42ded77adae2f7f3113ec5cf3d935e78a2
Instruction ID: d49d6c63b17e3964fe5475ebc40edc060e7131bb62e131465a6232e4a7a87630
Opcode Fuzzy Hash: 30fecc862c3ecd9f12ed7a7972c2de42ded77adae2f7f3113ec5cf3d935e78a2
Instruction Fuzzy Hash: 6F314BB5500204AFFB10AF64DC48B7D7FADBB61311F104156FE05E7190EBB8AA48DB68

Function 00552C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00552C94

Part of subcall function 005529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0055D7D1,00000000,00000000,00000000,00000000,?,0055D7F8,00000000,00000007,00000000,?,0055DBF5,00000000), ref: 005529DE
Part of subcall function 005529C8: GetLastError.KERNEL32(00000000,?,0055D7D1,00000000,00000000,00000000,00000000,?,0055D7F8,00000000,00000007,00000000,?,0055DBF5,00000000,00000000), ref: 005529F0

_free.LIBCMT ref: 00552CA0
_free.LIBCMT ref: 00552CAB
_free.LIBCMT ref: 00552CB6
_free.LIBCMT ref: 00552CC1
_free.LIBCMT ref: 00552CCC
_free.LIBCMT ref: 00552CD7
_free.LIBCMT ref: 00552CE2
_free.LIBCMT ref: 00552CED
_free.LIBCMT ref: 00552CFB

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a8bc8844eb46730b95bcfb815eb9204dc16e596dd6ebb4fdea2a943e79137d81
Instruction ID: f397b0da501c30dfdc929e1b26ddb30d5d2b9fb9411635144a3cf8389b06cc71
Opcode Fuzzy Hash: a8bc8844eb46730b95bcfb815eb9204dc16e596dd6ebb4fdea2a943e79137d81
Instruction Fuzzy Hash: 84119276100109AFCB02EF94D896CDD3FB5FF46351F5144A6FA48AB322DA31EA949B90

Function 00521410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00521459
OleUninitialize.OLE32(?,00000000), ref: 005214F8
UnregisterHotKey.USER32(?), ref: 005216DD
DestroyWindow.USER32(?), ref: 005624B9
FreeLibrary.KERNEL32(?), ref: 0056251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0056254B

Strings

close all, xrefs: 00521454

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 7d0640a420216bf8cbb9de01ba5f09850f856efbdd49f8beb83e43e9fcc2d0d4
Instruction ID: 5afa59b49eca3959c08af8838d9195526e11da40b60d428a8e7dc0f4fae505e7
Opcode Fuzzy Hash: 7d0640a420216bf8cbb9de01ba5f09850f856efbdd49f8beb83e43e9fcc2d0d4
Instruction Fuzzy Hash: D7D18F31701623CFDB29EF14D499A69FFA4BF66700F1442ADE44A6B2A1DB30AD12CF54

Function 0059359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005935E4

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

LoadStringW.USER32(005F2390,?,00000FFF,?), ref: 0059360A

Strings

Line %d (File "%s"):, xrefs: 0059366B
^ ERROR, xrefs: 005936C9
Error: , xrefs: 005936EF
"%s" (%d) : ==> %s:, xrefs: 00593742
"%s" (%d) : ==> %s:%s%s, xrefs: 00593724

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 6da722c1f86c3a2f2e98154045e4f68e0120c77947dbc4d0a8bb1fdc02f7d5ee
Instruction ID: de15ad1b4953d8c88fac88465ee64f5c2c56da243cefe1d1ca3468363990ae4d
Opcode Fuzzy Hash: 6da722c1f86c3a2f2e98154045e4f68e0120c77947dbc4d0a8bb1fdc02f7d5ee
Instruction Fuzzy Hash: F5514C7280021AEACF15EBA0DC46EEDBF74FF65340F144525F505721A1DB352B98DB61

Function 005B3886 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 005B3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 005B393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 005B3954
_wcslen.LIBCMT ref: 005B3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 005B39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 005B39F4

Strings

@U=u, xrefs: 005B3925, 005B393A
SysListView32, xrefs: 005B38F7

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: @U=u$SysListView32
API String ID: 2147712094-1908207174
Opcode ID: 26ffa094191cad5a381e4033bc488347b49daacd358adadcbd1df82cfc7f0e6a
Instruction ID: 95dfaa16e3b6a8036130ab477d623906b640c396245926a746eb56866390b98a
Opcode Fuzzy Hash: 26ffa094191cad5a381e4033bc488347b49daacd358adadcbd1df82cfc7f0e6a
Instruction Fuzzy Hash: 3441C231A00219ABEB219F64CC49FEA7FA9FF58350F100526F958F7281D7B1A984CB94

Function 005B2DFD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 005B2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 005B2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 005B2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 005B2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 005B2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 005B2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 005B2F0B

Strings

@U=u, xrefs: 005B2E1C, 005B2EB6, 005B2EE0

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: @U=u
API String ID: 2178440468-2594219639
Opcode ID: b3f0a76967e67187c7add5244384f63f8f278208179733cb471e94554ed20932
Instruction ID: 2c190bfd7f7668d31667b3ca0d2727e9ae545ea5e74d12183ef5fd154c7deb73
Opcode Fuzzy Hash: b3f0a76967e67187c7add5244384f63f8f278208179733cb471e94554ed20932
Instruction Fuzzy Hash: D631F230644250AFDB218F59DD84FA53BA9FBAA710F150164F904CF2B1CBB1F844EB65

Function 0059C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0059C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0059C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0059C2CA
GetLastError.KERNEL32 ref: 0059C322
SetEvent.KERNEL32(?), ref: 0059C336
InternetCloseHandle.WININET(00000000), ref: 0059C341

Strings

, xrefs: 0059C2BB

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 48309e4fd4adcb525a8f7135c12cc173b839d142028c201146a9f856a8a4774e
Instruction ID: 7bfbc7774d81b32ea6038c62f309ebdb25cd4ee3b6befa1d8fbb488b9d3bb3c0
Opcode Fuzzy Hash: 48309e4fd4adcb525a8f7135c12cc173b839d142028c201146a9f856a8a4774e
Instruction Fuzzy Hash: BD317CB1600208AFDF219F648D88AAB7FFCFB59744B10891EF48692201DB34ED089B65

Function 0058989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00563AAF,?,?,Bad directive syntax error,005BCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 005898BC
LoadStringW.USER32(00000000,?,00563AAF,?), ref: 005898C3

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00589987

Strings

Line %d (File "%s"):, xrefs: 0058992D
%s (%d) : ==> %s.: %s %s, xrefs: 005898F1
., xrefs: 0058996D
Line %d:, xrefs: 00589912
Error: , xrefs: 00589955

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 26e995e8a9f0fd74cbd00c4520ebd43a969501b2b86c12560064c6eef09af53d
Instruction ID: a34f8789996aa47cce1d08d2243159be5dfc72785e6af7e9ada8595dca09bb98
Opcode Fuzzy Hash: 26e995e8a9f0fd74cbd00c4520ebd43a969501b2b86c12560064c6eef09af53d
Instruction Fuzzy Hash: 96217132C0021AABCF15EF90DC5AEED7F35BF69340F084825F515720A1EB75AA18DB10

Function 0055CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0055CEB7
_free.LIBCMT ref: 0055CF22
_free.LIBCMT ref: 0055CF48
_free.LIBCMT ref: 0055CF71
_free.LIBCMT ref: 0055CFA9
_free.LIBCMT ref: 0055CFDA
_free.LIBCMT ref: 0055D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0055D09C
_free.LIBCMT ref: 0055D0B5

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: db36b7524ee3eacf55b7c2d47adfc655f48dbd0d0255debd07251461af77cfaa
Instruction ID: c7afdc306c6def7fad0fa481ec6dfdb526813f4745f96871c5975435cbb959e4
Opcode Fuzzy Hash: db36b7524ee3eacf55b7c2d47adfc655f48dbd0d0255debd07251461af77cfaa
Instruction Fuzzy Hash: 31614572904301AFDB21AFB498A9A7A7FA5BF41312F04016FEC05E7282E6359D4CCB60

Function 0059C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0059C182
GetLastError.KERNEL32 ref: 0059C195
SetEvent.KERNEL32(?), ref: 0059C1A9

Part of subcall function 0059C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0059C272
Part of subcall function 0059C253: GetLastError.KERNEL32 ref: 0059C322
Part of subcall function 0059C253: SetEvent.KERNEL32(?), ref: 0059C336
Part of subcall function 0059C253: InternetCloseHandle.WININET(00000000), ref: 0059C341

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: a33cdd61694bcf6954ebb95bb94f2a945089955182c7d585c9eb95b1643d9a44
Instruction ID: 971893f92ba9f7e8228ac4226c2c4c0083a85b7c4fee432617e0480dab9292ba
Opcode Fuzzy Hash: a33cdd61694bcf6954ebb95bb94f2a945089955182c7d585c9eb95b1643d9a44
Instruction Fuzzy Hash: EA319C75200701AFDF219FA5DC48A66BFF9FF68300B10492DF99686611DB30E818EFA0

Function 005825A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00583A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00583A57
Part of subcall function 00583A3D: GetCurrentThreadId.KERNEL32 ref: 00583A5E
Part of subcall function 00583A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005825B3), ref: 00583A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 005825BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005825DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 005825DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 005825E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00582601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00582605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0058260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00582623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00582627

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 29096913d191542b093877ae4147552007fd5598b712f809f2fc586cc7db7666
Instruction ID: dfbafd1219a775115320df16a1c0f776b245d73d63f9ed270a8b204784958e0a
Opcode Fuzzy Hash: 29096913d191542b093877ae4147552007fd5598b712f809f2fc586cc7db7666
Instruction Fuzzy Hash: 9901B170290210BBFB107B699C8EF593F59EB9EB12F100102F758BE0D1C9E22448DA6D

Function 00581803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00581449,?,?,00000000), ref: 0058180C
HeapAlloc.KERNEL32(00000000,?,00581449,?,?,00000000), ref: 00581813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00581449,?,?,00000000), ref: 00581828
GetCurrentProcess.KERNEL32(?,00000000,?,00581449,?,?,00000000), ref: 00581830
DuplicateHandle.KERNEL32(00000000,?,00581449,?,?,00000000), ref: 00581833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00581449,?,?,00000000), ref: 00581843
GetCurrentProcess.KERNEL32(00581449,00000000,?,00581449,?,?,00000000), ref: 0058184B
DuplicateHandle.KERNEL32(00000000,?,00581449,?,?,00000000), ref: 0058184E
CreateThread.KERNEL32(00000000,00000000,00581874,00000000,00000000,00000000), ref: 00581868

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 50faf27764b14f460be20bb997560feb5ccd257e1d999666c3328ca2afff0d69
Instruction ID: 4d9c90a202b8b3bb900db25932a39f0e6b73f3c621b8be9b8f2bb617f0ac9bf8
Opcode Fuzzy Hash: 50faf27764b14f460be20bb997560feb5ccd257e1d999666c3328ca2afff0d69
Instruction Fuzzy Hash: 3001BFB5240304BFE750AFA5DC4DF573FACEB99B11F404511FA05EB191C670A804DB24

Function 005AA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0058D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0058D501
Part of subcall function 0058D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0058D50F
Part of subcall function 0058D4DC: CloseHandle.KERNEL32(00000000), ref: 0058D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 005AA16D
GetLastError.KERNEL32 ref: 005AA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 005AA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 005AA268
GetLastError.KERNEL32(00000000), ref: 005AA273
CloseHandle.KERNEL32(00000000), ref: 005AA2C4

Strings

SeDebugPrivilege, xrefs: 005AA18F

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: ba814a2e9ae1c63aab1f30d287a56492af502f11c2ab160e66f293837cc10045
Instruction ID: f5f30af732350f4f5e8a98e35426ff0a5bb39745ddf5eb0901a63ceae338a812
Opcode Fuzzy Hash: ba814a2e9ae1c63aab1f30d287a56492af502f11c2ab160e66f293837cc10045
Instruction Fuzzy Hash: 57615B34204242AFD720DF18D498F1ABFA1BF95318F54849CE4564BBA3C772EC49CB92

Function 00542D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00542D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00542D53
_ValidateLocalCookies.LIBCMT ref: 00542DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00542E0C
_ValidateLocalCookies.LIBCMT ref: 00542E61

Strings

csm, xrefs: 00542DF6
&HT, xrefs: 00542DFE, 00542E07, 00542E18

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HT$csm
API String ID: 1170836740-2742057123
Opcode ID: bcef93e26af8d85bde232a66d32648663b459eca41ea480fdffab8a5445cccd8
Instruction ID: 62b47809bbaaf8d3647640c1b3234d30d0abcd38e34f3d03756b580f5b7f6e28
Opcode Fuzzy Hash: bcef93e26af8d85bde232a66d32648663b459eca41ea480fdffab8a5445cccd8
Instruction Fuzzy Hash: 43419434E01219EBCF14DF68C849ADEBFB5BF44328F548155F815AB392D7319A16CB90

Function 005B81DB Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0057F3AB,00000000,?,?,00000000,?,0057682C,00000004,00000000,00000000), ref: 005B824C
EnableWindow.USER32(00000000,00000000), ref: 005B8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 005B82D1
ShowWindow.USER32(00000000,00000004), ref: 005B82E5
EnableWindow.USER32(00000000,00000001), ref: 005B830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 005B832F

Strings

@U=u, xrefs: 005B832F

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: @U=u
API String ID: 642888154-2594219639
Opcode ID: 2bcca94f0e7ab720a48aec0c5fe82532fc7dda9cc01a632bde06cd51760e5955
Instruction ID: 4a4dc0db33f297d003a1c40cda4ff265672bcf6635711f296766341dc453feec
Opcode Fuzzy Hash: 2bcca94f0e7ab720a48aec0c5fe82532fc7dda9cc01a632bde06cd51760e5955
Instruction Fuzzy Hash: 7A41A138601A40EFDB11CF14CD99BF4BFE4BB1AB14F1822A8E5088F262CB71B845DB54

Function 00584C7D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00584C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00584CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00584CEA
_wcslen.LIBCMT ref: 00584D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00584D10
_wcsstr.LIBVCRUNTIME ref: 00584D1A

Strings

@U=u, xrefs: 00584CB2, 00584CEA

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID: @U=u
API String ID: 72514467-2594219639
Opcode ID: 49ce8320763de39aea868aad0da0ba13894081e9422400b28bc29424a00c4ad3
Instruction ID: 2ae198a13bff307323f1e0c7cd1d9c8d88fdf1538d11364e1f4e36217b6172c4
Opcode Fuzzy Hash: 49ce8320763de39aea868aad0da0ba13894081e9422400b28bc29424a00c4ad3
Instruction Fuzzy Hash: B4212932605202BBEB556B39DC09E7B7F9CEF45750F104029FC05DE191EA61DC009BA0

Function 0058C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0058C913

Strings

stop, xrefs: 0058C8E4
question, xrefs: 0058C8CC
info, xrefs: 0058C8B4
blank, xrefs: 0058C895
warning, xrefs: 0058C8FC

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 06d0643cf1c206327f258302a4e26077ec00529117972e0e7e3c59d612b933dd
Instruction ID: a5f2b2dac1e4f94d8056c930c66748f0a85e75c91c5e1b49c32e27e49ceaefa2
Opcode Fuzzy Hash: 06d0643cf1c206327f258302a4e26077ec00529117972e0e7e3c59d612b933dd
Instruction Fuzzy Hash: D2112E316C9707BBA70477159C82DDA2F9CFF25794B10006BF900B5282E7747D405775

Function 00577439 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00577452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00577469
GetWindowDC.USER32(?), ref: 00577475
GetPixel.GDI32(00000000,?,?), ref: 00577484
ReleaseDC.USER32(?,00000000), ref: 00577496
GetSysColor.USER32(00000005), ref: 005774B0

Strings

@U=u, xrefs: 00577469

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID: @U=u
API String ID: 272304278-2594219639
Opcode ID: c50556ad5d7697494c66b3772012cebe4fddaf3c78e7ae0cd9c0667a29447c7d
Instruction ID: 0e889c0c77f7d253007fb4504f5d24222ba26fc799ba1877419ad10144191433
Opcode Fuzzy Hash: c50556ad5d7697494c66b3772012cebe4fddaf3c78e7ae0cd9c0667a29447c7d
Instruction Fuzzy Hash: 2B018B31400209EFDB905F68EC08FAA7FB6FB18311F6146A4F91AA20A0CB312E45FB14

Function 0058ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0058ED2A
_wcslen.LIBCMT ref: 0058ED3B
_wcslen.LIBCMT ref: 0058ED79
_wcslen.LIBCMT ref: 0058EDAF
_wcslen.LIBCMT ref: 0058EDDF
_wcslen.LIBCMT ref: 0058EDEF
_wcslen.LIBCMT ref: 0058EE2B
_wcslen.LIBCMT ref: 0058EE5A

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: d75113f6b34f60c4c5ad7808cc275076c4ba714a1b0cdd3a96eaa3885d77b6ad
Instruction ID: 9f1510a82ed0683864286780e9b0ff3159962111d8703ea9a1891cadedef9eb2
Opcode Fuzzy Hash: d75113f6b34f60c4c5ad7808cc275076c4ba714a1b0cdd3a96eaa3885d77b6ad
Instruction Fuzzy Hash: 52417F79C1021975CB11FBB4888BACFBBB8BF85710F508566E914F3122EB34E255C7A6

Function 0053F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0057682C,00000004,00000000,00000000), ref: 0053F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0057682C,00000004,00000000,00000000), ref: 0057F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0057682C,00000004,00000000,00000000), ref: 0057F454

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 49a97ac856548f50c46fdecbd6f13e9c549d8263f5be31c377053ebc92db2c33
Instruction ID: b574392ec28c1ab0c97f725b84b4aac8e615b789969f8e050562226b02b93765
Opcode Fuzzy Hash: 49a97ac856548f50c46fdecbd6f13e9c549d8263f5be31c377053ebc92db2c33
Instruction Fuzzy Hash: 89411D32A08640BFC739CB2DD98877A7F92BF96324F14893CE04B56660D676A884E711

Function 00585622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00585637
_memcmp.LIBVCRUNTIME ref: 00585659
_memcmp.LIBVCRUNTIME ref: 00585671
_memcmp.LIBVCRUNTIME ref: 00585684
_memcmp.LIBVCRUNTIME ref: 0058569E
_memcmp.LIBVCRUNTIME ref: 005856B1
_memcmp.LIBVCRUNTIME ref: 005856C9
_memcmp.LIBVCRUNTIME ref: 005856E4

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d1cd6a74d5cce4b4a880aca098ebb9651dd3dd329d9d2377f101a4bc5c6bcd3a
Instruction ID: 353c62cf5f81015f0a4621693d798531d5f9f297834fb4db0b28c4e73d007f24
Opcode Fuzzy Hash: d1cd6a74d5cce4b4a880aca098ebb9651dd3dd329d9d2377f101a4bc5c6bcd3a
Instruction Fuzzy Hash: 4821D471644E0A7BD6157A228E86FFA3F5CBF60388F444420FD06AA681F720FD5083A9

Function 005A4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 005A5007
NULL Pointer assignment, xrefs: 005A502E, 005A5383

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 9d670931fdeec04d70d7ec23e9bad96cb7190bd9cce062c9649197846ce8e450
Instruction ID: 6b61f601e9cd95373e9bbcb76be92577a21217a69844ab6a556b8e91d417532c
Opcode Fuzzy Hash: 9d670931fdeec04d70d7ec23e9bad96cb7190bd9cce062c9649197846ce8e450
Instruction Fuzzy Hash: 87D1C475A0060AAFDF10CFA8C885FAEBBB5FF89344F148469E915AB281E770DD45CB50

Function 00561522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,005617FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 005615CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,005617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00561651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,005617FB,?,005617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 005616E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,005617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 005616FB

Part of subcall function 00553820: RtlAllocateHeap.NTDLL(00000000,?,005F1444,?,0053FDF5,?,?,0052A976,00000010,005F1440,005213FC,?,005213C6,?,00521129), ref: 00553852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,005617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00561777
__freea.LIBCMT ref: 005617A2
__freea.LIBCMT ref: 005617AE

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: d6fc38ac81c65d14c4eba41d259f15fcce4ac9bfdaee98f69547e995018f35b7
Instruction ID: f881b5c19ef3c64ece64d7ef93bbee3dbd9da6522acc7f626461f551148c2384
Opcode Fuzzy Hash: d6fc38ac81c65d14c4eba41d259f15fcce4ac9bfdaee98f69547e995018f35b7
Instruction Fuzzy Hash: E691E371E00A169ADB208E74C895AFEBFB5FF99310F1C4619E802E7191DB35DD44CBA8

Function 005A4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005A4648
VariantInit.OLEAUT32(?), ref: 005A4749
VariantClear.OLEAUT32(?), ref: 005A4753
VariantClear.OLEAUT32(?), ref: 005A47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 005A45D8, 005A4706, 005A47BE
Incorrect Object type in FOR..IN loop, xrefs: 005A472C

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: b241cfd2af3ce8839889c09cb013fdb29bec9985fde5ebe493d2d35b7e940473
Instruction ID: 1d292e4943562156aec5812e0fa994e789638b604ca94112e1ea38c8a5683407
Opcode Fuzzy Hash: b241cfd2af3ce8839889c09cb013fdb29bec9985fde5ebe493d2d35b7e940473
Instruction Fuzzy Hash: F2919171A00219ABDF24CFA5D848FAEBFB8FF86714F108559F505AB281D7B09945CFA0

Function 00591187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0059125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00591284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 005912A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005912D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0059135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005913C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00591430

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 607cd77c0a0974bbc4bd353d70122c6c62c7069326eb090328078e2fa668760e
Instruction ID: 22a21a8aecc9697a5e98c46df9c9e2879d406ab53706950cef8bb05448b24823
Opcode Fuzzy Hash: 607cd77c0a0974bbc4bd353d70122c6c62c7069326eb090328078e2fa668760e
Instruction Fuzzy Hash: CC91F475A0062AAFDF00DF94C889BBEBFB5FF85315F104429E904EB291D774A941CB98

Function 0053948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b1361ef08584bfe508e15c1367ddc686bbb6b1ad2c3f01f46cee490ec6d95467
Instruction ID: 344c3880771174298b0ee11630ad98bff7042d23d5bed20b6d0739787abc735c
Opcode Fuzzy Hash: b1361ef08584bfe508e15c1367ddc686bbb6b1ad2c3f01f46cee490ec6d95467
Instruction Fuzzy Hash: 9A9116B1D0021AEFCB10CFA9C888AEEBFB8FF49320F148555E515B7251D374A981DB60

Function 005A3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005A396B
CharUpperBuffW.USER32(?,?), ref: 005A3A7A
_wcslen.LIBCMT ref: 005A3A8A
VariantClear.OLEAUT32(?), ref: 005A3C1F

Part of subcall function 00590CDF: VariantInit.OLEAUT32(00000000), ref: 00590D1F
Part of subcall function 00590CDF: VariantCopy.OLEAUT32(?,?), ref: 00590D28
Part of subcall function 00590CDF: VariantClear.OLEAUT32(?), ref: 00590D34

Strings

AUTOIT.ERROR, xrefs: 005A3A80, 005A3A85
Incorrect Parameter format, xrefs: 005A39A6, 005A3BA1

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 7ecc0ae5f29ab42ce139321050fbc54ca7a1cac60c24ffa752e7631f8108c3e3
Instruction ID: be3020a7c06f599ac59fb2decd4f4b94c508c44780cdb9ccdb85343d668f48f6
Opcode Fuzzy Hash: 7ecc0ae5f29ab42ce139321050fbc54ca7a1cac60c24ffa752e7631f8108c3e3
Instruction Fuzzy Hash: C29136756083469FC704DF24C48596EBBE5BF8A318F14896DF88A9B351DB30EE05CB92

Function 005A4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0058000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0057FF41,80070057,?,?,?,0058035E), ref: 0058002B
Part of subcall function 0058000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0057FF41,80070057,?,?), ref: 00580046
Part of subcall function 0058000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0057FF41,80070057,?,?), ref: 00580054
Part of subcall function 0058000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0057FF41,80070057,?), ref: 00580064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 005A4C51
_wcslen.LIBCMT ref: 005A4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 005A4DCF
CoTaskMemFree.OLE32(?), ref: 005A4DDA

Strings

NULL Pointer assignment, xrefs: 005A4E23, 005A4E52

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: f7a2249d91edfd11de6f30fd0e7ac0b8e53472d8c2384f6edc1b94ae4d75cf8a
Instruction ID: 88dbdb0bba9bf7fe4d3ca3477c30f560e9e241c1514f140c9703dc52b30a704c
Opcode Fuzzy Hash: f7a2249d91edfd11de6f30fd0e7ac0b8e53472d8c2384f6edc1b94ae4d75cf8a
Instruction Fuzzy Hash: 28913771D0022DAFDF14DFE4D895AEEBBB8BF89310F104569E915A7281EB709A44CF60

Function 005B20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 005B2183
GetMenuItemCount.USER32(00000000), ref: 005B21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 005B21DD
_wcslen.LIBCMT ref: 005B2213
GetMenuItemID.USER32(?,?), ref: 005B224D
GetSubMenu.USER32(?,?), ref: 005B225B

Part of subcall function 00583A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00583A57
Part of subcall function 00583A3D: GetCurrentThreadId.KERNEL32 ref: 00583A5E
Part of subcall function 00583A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005825B3), ref: 00583A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005B22E3

Part of subcall function 0058E97B: Sleep.KERNEL32 ref: 0058E9F3

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: ede1ed47265b25fe895373aca4f0302ba18d2718b98c166411c06892085520d2
Instruction ID: de558c69b5863119943a65cd6472418e0f8fb83b13f4c83958067931c92eaef2
Opcode Fuzzy Hash: ede1ed47265b25fe895373aca4f0302ba18d2718b98c166411c06892085520d2
Instruction Fuzzy Hash: BC714D75A00215AFCB14DF68C845AEEBFF5FF89310F148859E916EB351D734B9418BA0

Function 0058AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0058AEF9
GetKeyboardState.USER32(?), ref: 0058AF0E
SetKeyboardState.USER32(?), ref: 0058AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0058AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0058AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0058AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0058B020

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 202acfd4800427c3d12b2b9e0438a6f9c18f8b5a1aa08e43f127b31d5f9d4fab
Instruction ID: 48b274b9a6f05fff526cdf9c64552325ad1a6a2c1de9f71908afb883b594c7cf
Opcode Fuzzy Hash: 202acfd4800427c3d12b2b9e0438a6f9c18f8b5a1aa08e43f127b31d5f9d4fab
Instruction Fuzzy Hash: 4C5106A06043D13DFB3662348C49BBABFE97B06304F08858AEAD5654C3D3D8ACC8D751

Function 0058ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0058AD19
GetKeyboardState.USER32(?), ref: 0058AD2E
SetKeyboardState.USER32(?), ref: 0058AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0058ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0058ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0058AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0058AE38

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: de79d2b1f96b618a64a44c4d52af285d3c3e678b9da6c475a6123d1839ee0b45
Instruction ID: c71a333ed8ca3870be8d278f630f571ce0ce25b0d5c6e9b2f979b97e651facbe
Opcode Fuzzy Hash: de79d2b1f96b618a64a44c4d52af285d3c3e678b9da6c475a6123d1839ee0b45
Instruction Fuzzy Hash: E15118A15047D53DFB33A3348C45B7ABE9C7B45301F08898AE9D5A68C2D394EC88D752

Function 0055542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00563CD6,?,?,?,?,?,?,?,?,00555BA3,?,?,00563CD6,?,?), ref: 00555470
__fassign.LIBCMT ref: 005554EB
__fassign.LIBCMT ref: 00555506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00563CD6,00000005,00000000,00000000), ref: 0055552C
WriteFile.KERNEL32(?,00563CD6,00000000,00555BA3,00000000,?,?,?,?,?,?,?,?,?,00555BA3,?), ref: 0055554B
WriteFile.KERNEL32(?,?,00000001,00555BA3,00000000,?,?,?,?,?,?,?,?,?,00555BA3,?), ref: 00555584

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 15d18f0e252f8c2f06b2477bd986378414cfb380bc654f7abe4a10d6c4815b5a
Instruction ID: 3a52cbf05fc0df4c7054e81c179037051cacf3e7b2c2eff28cfd89f48adb6b68
Opcode Fuzzy Hash: 15d18f0e252f8c2f06b2477bd986378414cfb380bc654f7abe4a10d6c4815b5a
Instruction Fuzzy Hash: 3A51C2709006499FDB10CFA8D865AEEBFF9FF09301F14451BF955E7292E630AA49CB60

Function 005B6B76 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 005B6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 005B6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 005B6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0059AB79,00000000,00000000), ref: 005B6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 005B6CC7

Strings

@U=u, xrefs: 005B6C73

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID: @U=u
API String ID: 3688381893-2594219639
Opcode ID: 7d2790eebb934caeb00984c96562b0b6d6d91ac9d9341343c1be6b9ac15b1f79
Instruction ID: fc70ba754df253b1cdf725e5b8b0e80050413dbd33124c1c93fa552def57e54a
Opcode Fuzzy Hash: 7d2790eebb934caeb00984c96562b0b6d6d91ac9d9341343c1be6b9ac15b1f79
Instruction Fuzzy Hash: BB41AD35A04104AFDB24CF28CD58FE97FA5FB09360F140668E999AB2E0C379FD41DA90

Function 005A10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005A304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 005A307A
Part of subcall function 005A304E: _wcslen.LIBCMT ref: 005A309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 005A1112
WSAGetLastError.WSOCK32 ref: 005A1121
WSAGetLastError.WSOCK32 ref: 005A11C9
closesocket.WSOCK32(00000000), ref: 005A11F9

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 6747597b76bb266c38213ac35289e2fb7d4c3954039cbed296e4348f1958b23a
Instruction ID: dc46b1156e4587e573ee0c8642a4a219a66d4bf29a462903b849c18a1350b465
Opcode Fuzzy Hash: 6747597b76bb266c38213ac35289e2fb7d4c3954039cbed296e4348f1958b23a
Instruction Fuzzy Hash: 02411431600615AFDB109F14C888BADBFE9FF86324F148159F9069B292D770ED45CBE4

Function 0058CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0058DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0058CF22,?), ref: 0058DDFD

Part of subcall function 0058DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0058CF22,?), ref: 0058DE16

lstrcmpiW.KERNEL32(?,?), ref: 0058CF45
MoveFileW.KERNEL32(?,?), ref: 0058CF7F
_wcslen.LIBCMT ref: 0058D005
_wcslen.LIBCMT ref: 0058D01B
SHFileOperationW.SHELL32(?), ref: 0058D061

Strings

\*.*, xrefs: 0058CFF3

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: a0aee0701a9be1f2e289246b7ac90d91870022107b62e2809644018a66149ca1
Instruction ID: e8f84fc9935612b2ca3926b427b3e49cf600aea81ef0098124c1a4aaf624aa80
Opcode Fuzzy Hash: a0aee0701a9be1f2e289246b7ac90d91870022107b62e2809644018a66149ca1
Instruction Fuzzy Hash: C04144719452195EDF12FBA4D985ADEBFB8BF54380F0000A6A645FB141EA34A648CF60

Function 00587726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00587769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0058778F
SysAllocString.OLEAUT32(00000000), ref: 00587792
SysAllocString.OLEAUT32(?), ref: 005877B0
SysFreeString.OLEAUT32(?), ref: 005877B9
StringFromGUID2.OLE32(?,?,00000028), ref: 005877DE
SysAllocString.OLEAUT32(?), ref: 005877EC

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1c63a73785e534332ddfd9d14f358bcc146505b9d1777a4ad9173e88cd32d10e
Instruction ID: 6c87a612b4e385c2462340dc1a2f16279107d8805f18ea96755529f8e1b69af3
Opcode Fuzzy Hash: 1c63a73785e534332ddfd9d14f358bcc146505b9d1777a4ad9173e88cd32d10e
Instruction Fuzzy Hash: 1C21BC36608209AFDF00EFA8CC88CBA7BACFB08364B108525BE14EB250D670ED45C764

Function 005877FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00587842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00587868
SysAllocString.OLEAUT32(00000000), ref: 0058786B
SysAllocString.OLEAUT32 ref: 0058788C
SysFreeString.OLEAUT32 ref: 00587895
StringFromGUID2.OLE32(?,?,00000028), ref: 005878AF
SysAllocString.OLEAUT32(?), ref: 005878BD

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 254bea1bc265427e3bbc655a4aa89126d1633d5c1d1a3bde3e3d9f1b62481cbd
Instruction ID: 30334fe37c149904596df1050ff7c76efd836946e517a403e9cc19a201809ac6
Opcode Fuzzy Hash: 254bea1bc265427e3bbc655a4aa89126d1633d5c1d1a3bde3e3d9f1b62481cbd
Instruction Fuzzy Hash: 32218331608108AF9F50ABA8DC88DAA7BACFB5C3607108125B915DB2A1D670EC45DF64

Function 005B5706 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 005B5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 005B579D
_wcslen.LIBCMT ref: 005B57AF
_wcslen.LIBCMT ref: 005B57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 005B5816

Strings

@U=u, xrefs: 005B5745, 005B579D, 005B5816

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID: @U=u
API String ID: 763830540-2594219639
Opcode ID: eb298b1d412883f406c124e79d12785b1d1eab32d099494e14e128b99e798f4c
Instruction ID: 25620522a1285fbde66eef9d3b03ba70434b2ad870ff7c21f770f42df0c5e10c
Opcode Fuzzy Hash: eb298b1d412883f406c124e79d12785b1d1eab32d099494e14e128b99e798f4c
Instruction Fuzzy Hash: 38217171904618EADB209FA4CC85BEE7FB8FF54764F108616F929EB180E770A985CF50

Function 005904D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 005904F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0059052E

Strings

nul, xrefs: 00590567

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 8b26e3e3b6465ef67aaeb7b950791993a0f1f6e01b7822fa4b43ca7ce6d8a530
Instruction ID: 6f5f5229c62ec905858a159b327b64dd53428f72133d861f4dcb89f0d21e8c20
Opcode Fuzzy Hash: 8b26e3e3b6465ef67aaeb7b950791993a0f1f6e01b7822fa4b43ca7ce6d8a530
Instruction Fuzzy Hash: 5F215A75500305AFDF209F29D844AAABFE8BF54764F614E29E8A1E62E0E7709944DF20

Function 005905A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 005905C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00590601

Strings

nul, xrefs: 00590639

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: aa74a45d8b119d789e87ece3397ec37f4c5911ac150372ae201a3237990aea44
Instruction ID: 62f8d6a58c60cae8da616bb4ecbada92df5628c0a6a985f7ab0efc8c7f6cd4f1
Opcode Fuzzy Hash: aa74a45d8b119d789e87ece3397ec37f4c5911ac150372ae201a3237990aea44
Instruction Fuzzy Hash: AE214F755003059FDF209F69DC04AAABFE8BF95724F241F19E8A1E72E0D7709960DB24

Function 005B40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0052600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0052604C
Part of subcall function 0052600E: GetStockObject.GDI32(00000011), ref: 00526060
Part of subcall function 0052600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0052606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 005B4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 005B411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 005B412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 005B4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 005B4145

Strings

Msctls_Progress32, xrefs: 005B40E3

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: f582b8574c5f7f5342cdd6c735728cb8f9312b9201be0178517b7f5c9ed70366
Instruction ID: 692bdb5f060accfd4feee7f335f7273adeba016f81e850251eb2a435992fb356
Opcode Fuzzy Hash: f582b8574c5f7f5342cdd6c735728cb8f9312b9201be0178517b7f5c9ed70366
Instruction Fuzzy Hash: DB11B2B215021EBEEF219F64CC85EE77F5DFF18798F004111BA18A6090C672AC21DBA4

Function 0055D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0055D7A3: _free.LIBCMT ref: 0055D7CC

_free.LIBCMT ref: 0055D82D

Part of subcall function 005529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0055D7D1,00000000,00000000,00000000,00000000,?,0055D7F8,00000000,00000007,00000000,?,0055DBF5,00000000), ref: 005529DE
Part of subcall function 005529C8: GetLastError.KERNEL32(00000000,?,0055D7D1,00000000,00000000,00000000,00000000,?,0055D7F8,00000000,00000007,00000000,?,0055DBF5,00000000,00000000), ref: 005529F0

_free.LIBCMT ref: 0055D838
_free.LIBCMT ref: 0055D843
_free.LIBCMT ref: 0055D897
_free.LIBCMT ref: 0055D8A2
_free.LIBCMT ref: 0055D8AD
_free.LIBCMT ref: 0055D8B8

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 3f12218ecf0da2bf3af5e083e6926c24b9b39d3037272608de4ce07e7c0bc6b0
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: B9115E72550705AAD531BFB0CC1AFCB7FBCFF85702F400816BA9DA6992D628A5494760

Function 0058DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0058DA74
LoadStringW.USER32(00000000), ref: 0058DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0058DA91
LoadStringW.USER32(00000000), ref: 0058DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0058DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0058DAB9

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 01f3a9fb0e78abac9501652c6309bdda2ae898081f0b771645a38142fb01a063
Instruction ID: d6ae9fb98d9a605b244df617f9c938f8326788342d4a4c0be4fda9e307429a25
Opcode Fuzzy Hash: 01f3a9fb0e78abac9501652c6309bdda2ae898081f0b771645a38142fb01a063
Instruction Fuzzy Hash: E4018BF29002087FEB51ABA49D89EF73B6CE718301F500595B745F2041E674AD848F78

Function 0059096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00F1E3B0,00F1E3B0), ref: 0059097B
EnterCriticalSection.KERNEL32(00F1E390,00000000), ref: 0059098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 0059099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 005909A9
CloseHandle.KERNEL32(00000000), ref: 005909B8
InterlockedExchange.KERNEL32(00F1E3B0,000001F6), ref: 005909C8
LeaveCriticalSection.KERNEL32(00F1E390), ref: 005909CF

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: eca15c047069eb4b5d69ab4e75fd2df975a9e65fbdf76ecc77c8f5bf47dfb378
Instruction ID: dff8c8c0a9e70edfa215b49e0e8a455113895c8a06db494a7a38eb2bbc15b251
Opcode Fuzzy Hash: eca15c047069eb4b5d69ab4e75fd2df975a9e65fbdf76ecc77c8f5bf47dfb378
Instruction Fuzzy Hash: 51F03131442512BFDB855F94EE8CBD6BF35FF11702F402526F141518A0C774A869DF94

Function 005501B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 005500BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005500D6
__allrem.LIBCMT ref: 005500ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0055010B
__allrem.LIBCMT ref: 00550122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00550140

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 90d44d1fc03783f429a0cf382165cb5dcb71cf7ee453a8cc1e7b8cc513e35bd0
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 2981F772A00B06ABE7249F28CC59BAB7BE8BF81325F24453BF811D76C1E770D9088751

Function 005561FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,005482D9,005482D9,?,?,?,0055644F,00000001,00000001,8BE85006), ref: 00556258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0055644F,00000001,00000001,8BE85006,?,?,?), ref: 005562DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 005563D8
__freea.LIBCMT ref: 005563E5

Part of subcall function 00553820: RtlAllocateHeap.NTDLL(00000000,?,005F1444,?,0053FDF5,?,?,0052A976,00000010,005F1440,005213FC,?,005213C6,?,00521129), ref: 00553852

__freea.LIBCMT ref: 005563EE
__freea.LIBCMT ref: 00556413

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 38abecfe43b874bb87817a917a463badf655ae9f7379b664e57f76972b4668c2
Instruction ID: fe5d813e252220dfd51fba797107032cd88f4ddf262dfa2fe56fb977323dd26f
Opcode Fuzzy Hash: 38abecfe43b874bb87817a917a463badf655ae9f7379b664e57f76972b4668c2
Instruction Fuzzy Hash: FB510172600246ABEB258F64CCA5EAF7FA9FB84751F564A2AFC05D7140EB34DC48C660

Function 005ABBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

Part of subcall function 005AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005AB6AE,?,?), ref: 005AC9B5
Part of subcall function 005AC998: _wcslen.LIBCMT ref: 005AC9F1
Part of subcall function 005AC998: _wcslen.LIBCMT ref: 005ACA68
Part of subcall function 005AC998: _wcslen.LIBCMT ref: 005ACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005ABCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005ABD25
RegCloseKey.ADVAPI32(00000000), ref: 005ABD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 005ABD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 005ABDF3
RegCloseKey.ADVAPI32(?), ref: 005ABDFF

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: b1d99a6e9f13c3d24b250e024f1fd1d6f43f6849fb9c41609acc6d199d4abc05
Instruction ID: c23463314fa766a41c36a031a5c72ef339e5d66cc60cba3010c4b554bf714d3c
Opcode Fuzzy Hash: b1d99a6e9f13c3d24b250e024f1fd1d6f43f6849fb9c41609acc6d199d4abc05
Instruction Fuzzy Hash: FE818F70208242AFD714DF24C895E6ABFE5FF86308F14895CF4554B2A2DB31ED45CB92

Function 0057F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0057F7B9
SysAllocString.OLEAUT32(00000001), ref: 0057F860
VariantCopy.OLEAUT32(0057FA64,00000000), ref: 0057F889
VariantClear.OLEAUT32(0057FA64), ref: 0057F8AD
VariantCopy.OLEAUT32(0057FA64,00000000), ref: 0057F8B1
VariantClear.OLEAUT32(?), ref: 0057F8BB

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 40bd826c446280103ec8b3f660e8b39686132a70bf1183b3b85f4fb0e0da6946
Instruction ID: 339837e371e0f204d1dfeb43f3e76fad67a45db00d536ff5b73d823e6e42d5fc
Opcode Fuzzy Hash: 40bd826c446280103ec8b3f660e8b39686132a70bf1183b3b85f4fb0e0da6946
Instruction Fuzzy Hash: 3E51D831500311BACF10EB65F899B69BBA8FF95310F24D866F909EF291DB709C40E766

Function 0059910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00527620: _wcslen.LIBCMT ref: 00527625

Part of subcall function 00526B57: _wcslen.LIBCMT ref: 00526B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 005994E5
_wcslen.LIBCMT ref: 00599506
_wcslen.LIBCMT ref: 0059952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00599585

Strings

X, xrefs: 00599412

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 51bcb49c13e097ab65cef6dbd189364f4d17f3278e8a8b847e8c4840eff5a589
Instruction ID: d588a2c74e7afcba920a1dbf1d6663a057cc05898b988c7a02bc04c4f325244e
Opcode Fuzzy Hash: 51bcb49c13e097ab65cef6dbd189364f4d17f3278e8a8b847e8c4840eff5a589
Instruction Fuzzy Hash: F6E1C3316043518FDB24DF28D485A6ABBE4BFC5314F04896CF8899B2A2EB31DD05CB92

Function 0053920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00539BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00539BB2

BeginPaint.USER32(?,?,?), ref: 00539241
GetWindowRect.USER32(?,?), ref: 005392A5
ScreenToClient.USER32(?,?), ref: 005392C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 005392D3
EndPaint.USER32(?,?,?,?,?), ref: 00539321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 005771EA

Part of subcall function 00539339: BeginPath.GDI32(00000000), ref: 00539357

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: ec27c95d0c4bf5239ef87194e2fd336aa1fc90dd4a9cf9dfc6d5056531cfb605
Instruction ID: a70d723743df2cef06786199bedf2cd8d249be5c727fe86ca6155e8c126d5ece
Opcode Fuzzy Hash: ec27c95d0c4bf5239ef87194e2fd336aa1fc90dd4a9cf9dfc6d5056531cfb605
Instruction Fuzzy Hash: DB41AEB0104601AFD711DF28D884FBA7FA8FB99320F140669F995D72A1C7B1A849EB61

Function 005907EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0059080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00590847
EnterCriticalSection.KERNEL32(?), ref: 00590863
LeaveCriticalSection.KERNEL32(?), ref: 005908DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 005908F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00590921

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 50de32bd647208e3a4bca8193274e82f24595a4826c264601eef7a61a704fb14
Instruction ID: 18289d33714260a21b1f48c4bae703f0f3a7bc956bcfa847efe4d3401cc2ad29
Opcode Fuzzy Hash: 50de32bd647208e3a4bca8193274e82f24595a4826c264601eef7a61a704fb14
Instruction Fuzzy Hash: DE415971A00206AFDF149F54DC85AAABB78FF44314F1444A9ED00AA296D730EE64EBA4

Function 0059581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00523AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00523A97,?,?,00522E7F,?,?,?,00000000), ref: 00523AC2

_wcslen.LIBCMT ref: 0059587B
CoInitialize.OLE32(00000000), ref: 00595995
CoCreateInstance.OLE32(005BFCF8,00000000,00000001,005BFB68,?), ref: 005959AE
CoUninitialize.OLE32 ref: 005959CC

Strings

.lnk, xrefs: 00595876, 005958C1, 00595985

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 2618f016bdc098eee0db9435dd8ae6a78c07430899b907fb9ccd66b322751170
Instruction ID: 0584bb36d8d77a450fb01dc387ebc26c48922bdaf639e7646d658081a7806e4c
Opcode Fuzzy Hash: 2618f016bdc098eee0db9435dd8ae6a78c07430899b907fb9ccd66b322751170
Instruction Fuzzy Hash: 3ED175716047119FCB05DF24C484A2ABBE6FF89714F14485DF88A9B3A1EB31EC05CB92

Function 0058175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00580FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00580FCA
Part of subcall function 00580FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00580FD6
Part of subcall function 00580FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00580FE5
Part of subcall function 00580FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00580FEC
Part of subcall function 00580FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00581002

GetLengthSid.ADVAPI32(?,00000000,00581335), ref: 005817AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005817BA
HeapAlloc.KERNEL32(00000000), ref: 005817C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 005817DA
GetProcessHeap.KERNEL32(00000000,00000000,00581335), ref: 005817EE
HeapFree.KERNEL32(00000000), ref: 005817F5

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: c6a3459b4cf3c6a80353bf667bacdd1d8f36bbf1dd4df81ac3de839058022517
Instruction ID: a73f7efd8c3dea4e2594fdf3f2cac9545ad60a7b1fd00a2a13196822ad6f3a95
Opcode Fuzzy Hash: c6a3459b4cf3c6a80353bf667bacdd1d8f36bbf1dd4df81ac3de839058022517
Instruction Fuzzy Hash: CE119A72600605EBDB14AFA8DC49BAE7FADFB41355F104119F881F7210C735A949DB68

Function 005814CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005814FF
OpenProcessToken.ADVAPI32(00000000), ref: 00581506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00581515
CloseHandle.KERNEL32(00000004), ref: 00581520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0058154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00581563

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 5ccdd155bf9956b2afc1cf4fbce782cd73e75ca461216826e93d6ad9b23ef96b
Instruction ID: 94bc9c7088693934c177abe84add4134b1585661ea37ee4a1d9ddb8a95f43197
Opcode Fuzzy Hash: 5ccdd155bf9956b2afc1cf4fbce782cd73e75ca461216826e93d6ad9b23ef96b
Instruction Fuzzy Hash: 5911447250420DABDF119FA8ED49FDE7FADFB48704F044128FE05A2060C3719E65AB68

Function 00543382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00543379,00542FE5), ref: 00543390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0054339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005433B7
SetLastError.KERNEL32(00000000,?,00543379,00542FE5), ref: 00543409

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 4ed3196521e057a80b0784772c8963212e6ab25802f89052b79af75a33e7bb74
Instruction ID: 1e42f2413ae754b9ef87eea5820330eba87fbce4915cf6f7373568ba25f8d18a
Opcode Fuzzy Hash: 4ed3196521e057a80b0784772c8963212e6ab25802f89052b79af75a33e7bb74
Instruction Fuzzy Hash: 2201D833609313BEAB1D2B747CCD5DB2EA4FB6577D7200629F421851F1EF119E0AA544

Function 00552D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00555686,00563CD6,?,00000000,?,00555B6A,?,?,?,?,?,0054E6D1,?,005E8A48), ref: 00552D78
_free.LIBCMT ref: 00552DAB
_free.LIBCMT ref: 00552DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0054E6D1,?,005E8A48,00000010,00524F4A,?,?,00000000,00563CD6), ref: 00552DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0054E6D1,?,005E8A48,00000010,00524F4A,?,?,00000000,00563CD6), ref: 00552DEC
_abort.LIBCMT ref: 00552DF2

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: fd81ff9a42e8184a0c56bbbd7790cba57fa3f6dca096fb29953155822ebca178
Instruction ID: 864f3cf40d1bc2b1eb4bc63ea831c2b4e1f29a26819b9d9e2a925165ff3bf6fb
Opcode Fuzzy Hash: fd81ff9a42e8184a0c56bbbd7790cba57fa3f6dca096fb29953155822ebca178
Instruction Fuzzy Hash: D0F08636504A0167C35627246C2AE5A2E757BD37A3F24451BFC2992192DE24984F5360

Function 005B8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00539639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00539693
Part of subcall function 00539639: SelectObject.GDI32(?,00000000), ref: 005396A2
Part of subcall function 00539639: BeginPath.GDI32(?), ref: 005396B9
Part of subcall function 00539639: SelectObject.GDI32(?,00000000), ref: 005396E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 005B8A4E
LineTo.GDI32(?,00000003,00000000), ref: 005B8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 005B8A70
LineTo.GDI32(?,00000000,00000003), ref: 005B8A80
EndPath.GDI32(?), ref: 005B8A90
StrokePath.GDI32(?), ref: 005B8AA0

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: fe788013630029c0481fb851b2a9a991f21c7b65a7082156d62d175186edfe25
Instruction ID: 8411b70163eedc0b04371913744567bf69f19a835fea9c5899d2531e9f1f4e6a
Opcode Fuzzy Hash: fe788013630029c0481fb851b2a9a991f21c7b65a7082156d62d175186edfe25
Instruction Fuzzy Hash: 9711097640010DFFDB129F94DC88EAA7F6CEB18350F008152BA199A1A1C771AD59EFA4

Function 005851FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00585218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00585229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00585230
ReleaseDC.USER32(00000000,00000000), ref: 00585238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0058524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00585261

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 3d3bc3c76d8ad4fae09acb0cf60fc811326164e26ec2658b606753398e6c57ee
Instruction ID: fdefd06ffa27982b2cd8658f81c18eda1ea0d795320d0fb4526ba3ae866a9d32
Opcode Fuzzy Hash: 3d3bc3c76d8ad4fae09acb0cf60fc811326164e26ec2658b606753398e6c57ee
Instruction Fuzzy Hash: EB01A275E00708BBEB10AFA99C49E5EBFB8FF58351F044165FA05A7280DA709C04DFA4

Function 00521BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00521BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00521BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00521C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00521C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00521C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00521C22

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 8983c864ea2224f3074eed8c37c80f1cf1d4246c932c9ab851aa404352639fdb
Instruction ID: 6e3e47d1e2ec30ad445839c6b735c5f40918ff3be7c1f8a94232bec8e8d77f6b
Opcode Fuzzy Hash: 8983c864ea2224f3074eed8c37c80f1cf1d4246c932c9ab851aa404352639fdb
Instruction Fuzzy Hash: 95016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C4B941C7F5A864CBE5

Function 0058EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0058EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0058EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0058EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0058EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0058EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0058EB75

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 92c769172a684d6a47b0a829d0cb4aee8744cfa8f2870dac1c285e35811ed1d5
Instruction ID: 4644303925b1551b6a649f18666a6b5693e8aa88e4cbe4c0085367221f08af52
Opcode Fuzzy Hash: 92c769172a684d6a47b0a829d0cb4aee8744cfa8f2870dac1c285e35811ed1d5
Instruction Fuzzy Hash: 83F05472140158BBE7615B569C0EEEF3F7CEFDBB11F000259FA01E5091E7A06A05D6B9

Function 00581874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0058187F
UnloadUserProfile.USERENV(?,?), ref: 0058188B
CloseHandle.KERNEL32(?), ref: 00581894
CloseHandle.KERNEL32(?), ref: 0058189C
GetProcessHeap.KERNEL32(00000000,?), ref: 005818A5
HeapFree.KERNEL32(00000000), ref: 005818AC

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: d5f59e63690fff0f947412f9fc1f9f236a32d51af231c8bf79f4180fd58da4fc
Instruction ID: 47ac40039174e12b3e83dba1a7fdc89dd196940b44b88f4016afd0d9dc15f996
Opcode Fuzzy Hash: d5f59e63690fff0f947412f9fc1f9f236a32d51af231c8bf79f4180fd58da4fc
Instruction Fuzzy Hash: 6EE0E576004101BBDB815FA5ED0C90ABF79FF69B22B508725F22591070CB32A424EF68

Function 0052BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0052BEB3

Strings

D%_, xrefs: 0052BDED, 0052BD91, 0052BD1B
D%_D%_, xrefs: 0052BCA5
D%_, xrefs: 0052BCA2
D%_, xrefs: 0052BE9A

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%_$D%_$D%_$D%_D%_
API String ID: 1385522511-1143351661
Opcode ID: cbe3044b25a5e55861533c7cab0615a79187a870a3b45395914df5fd8c3ec8ff
Instruction ID: 905fcc1a118865fcf124a6b64c1fc747a79ff886e8d1db83b1746bb9fb780cd5
Opcode Fuzzy Hash: cbe3044b25a5e55861533c7cab0615a79187a870a3b45395914df5fd8c3ec8ff
Instruction Fuzzy Hash: 00916BB5A0022ACFDB18CF58D0906B9BBF1FF5A310F248569D945AB391D731ED81DB90

Function 005A7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00540242: EnterCriticalSection.KERNEL32(005F070C,005F1884,?,?,0053198B,005F2518,?,?,?,005212F9,00000000), ref: 0054024D
Part of subcall function 00540242: LeaveCriticalSection.KERNEL32(005F070C,?,0053198B,005F2518,?,?,?,005212F9,00000000), ref: 0054028A

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

Part of subcall function 005400A3: __onexit.LIBCMT ref: 005400A9

__Init_thread_footer.LIBCMT ref: 005A7BFB

Part of subcall function 005401F8: EnterCriticalSection.KERNEL32(005F070C,?,?,00538747,005F2514), ref: 00540202
Part of subcall function 005401F8: LeaveCriticalSection.KERNEL32(005F070C,?,00538747,005F2514), ref: 00540235

Strings

G, xrefs: 005A7C7F
+TW, xrefs: 005A7E2E
Variable must be of type 'Object'., xrefs: 005A7C3A
5, xrefs: 005A7C78

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TW$5$G$Variable must be of type 'Object'.
API String ID: 535116098-2763875210
Opcode ID: b9c7bf243ced0322101284c7d8fed9bd7dba1d9a876c352482ce529114ae89aa
Instruction ID: 24978a0a1fe812fb697f7b221103668c3ab6f137581debe77b8432cba300daf5
Opcode Fuzzy Hash: b9c7bf243ced0322101284c7d8fed9bd7dba1d9a876c352482ce529114ae89aa
Instruction Fuzzy Hash: 60918A70A0420AEFCB04EF54D8959BDBFB5BF8A300F108459F806AB292DB71AE45CB50

Function 0058C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00527620: _wcslen.LIBCMT ref: 00527625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0058C6EE
_wcslen.LIBCMT ref: 0058C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0058C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0058C7CA

Strings

0, xrefs: 0058C6AF

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 951ce911b346208d742e77f19ef76d72426b60b3f5b0267ba7bc91881d499ff3
Instruction ID: 996b78382c161752440cc2c09acadde52c0f31451a097468fada14ef2956647d
Opcode Fuzzy Hash: 951ce911b346208d742e77f19ef76d72426b60b3f5b0267ba7bc91881d499ff3
Instruction Fuzzy Hash: 2A51CE716143019BD754AF28C889A7A7FE8FF89314F040A2DFD95E31E0EB74D9049BA6

Function 005AAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 005AAEA3

Part of subcall function 00527620: _wcslen.LIBCMT ref: 00527625

GetProcessId.KERNEL32(00000000), ref: 005AAF38
CloseHandle.KERNEL32(00000000), ref: 005AAF67

Strings

@, xrefs: 005AAE72
<, xrefs: 005AAE6B

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 5792f83e361ea03c2637d509f8fb572f043102534606b10548dd642455e65234
Instruction ID: 8fee640a7de249e7fa69f3150908993935be42d36c38773916c8a2ee982adbe4
Opcode Fuzzy Hash: 5792f83e361ea03c2637d509f8fb572f043102534606b10548dd642455e65234
Instruction Fuzzy Hash: 1F717775A0022ADFCB14DF54D488A9EBFF4BF4A300F048499E856AB392D730ED45CB91

Function 005B6278 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00F2ECE0,?), ref: 005B62E2
ScreenToClient.USER32(?,?), ref: 005B6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 005B6382

Strings

@U=u, xrefs: 005B63DD

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: @U=u
API String ID: 3880355969-2594219639
Opcode ID: a9d4c70b4faa8ccc045a6de70e39e0b5fef3f825e2b02edd8feeceb4bbc5b66d
Instruction ID: 0e52781348d57314a283f9fbdaafb56aadf7419c1c1b1faebd277c632d5cf861
Opcode Fuzzy Hash: a9d4c70b4faa8ccc045a6de70e39e0b5fef3f825e2b02edd8feeceb4bbc5b66d
Instruction Fuzzy Hash: 81514774A00609EFDB10CF68D880AEE7BB5FB95360F108669F9159B2A0D734ED81CB90

Function 00582716 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0058B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005821D0,?,?,00000034,00000800,?,00000034), ref: 0058B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00582760

Part of subcall function 0058B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005821FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0058B3F8

Part of subcall function 0058B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0058B355
Part of subcall function 0058B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00582194,00000034,?,?,00001004,00000000,00000000), ref: 0058B365
Part of subcall function 0058B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00582194,00000034,?,?,00001004,00000000,00000000), ref: 0058B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005827CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0058281A

Strings

@, xrefs: 00582832
@U=u, xrefs: 00582760, 005827CD, 0058281A

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @$@U=u
API String ID: 4150878124-826235744
Opcode ID: aad66e85ad57fa11f682e7316b9b14510e22eeb6f7d8b95836d0398720b0dbc6
Instruction ID: ffd9cecbbe1859d1e3e636f3f177346c15b60894b9b82cd9e53bd59d8eaf74a3
Opcode Fuzzy Hash: aad66e85ad57fa11f682e7316b9b14510e22eeb6f7d8b95836d0398720b0dbc6
Instruction Fuzzy Hash: 22412A72900219AFDB10EFA4C956AEEBBB8FF49300F104059EA55B7191DA706E45CBA0

Function 0058719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00587206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0058723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0058724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 005872CF

Strings

DllGetClassObject, xrefs: 00587242

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 559a923d6c017c93809e4d0e6568749c39fe035af05318284e74831bbd672a1d
Instruction ID: 18621d0e355e6d26faee7582ee88bfb1732ac71c4fe81b2dd15d6998668bc44a
Opcode Fuzzy Hash: 559a923d6c017c93809e4d0e6568749c39fe035af05318284e74831bbd672a1d
Instruction Fuzzy Hash: D1418275604208DFDB15DF54C884A9A7FA9FF88310F2484A9BD06AF21AD7B0DA44DBA0

Function 005B52C1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 005B5352
GetWindowLongW.USER32(?,000000F0), ref: 005B5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005B5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005B53A8

Strings

@U=u, xrefs: 005B5352

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID: @U=u
API String ID: 3340791633-2594219639
Opcode ID: f525865cc99a0db70dbec33bb434d7752697dc070d172dec0491911efe524b5b
Instruction ID: 244a1769a65a713493141e0f1ab65dc1717e123fd64309d88417412ba33503ec
Opcode Fuzzy Hash: f525865cc99a0db70dbec33bb434d7752697dc070d172dec0491911efe524b5b
Instruction Fuzzy Hash: 5931C634A55A08EFEB389E14CC55FE87FE5BB04390F944901FA11963E1E7B5B980E741

Function 005AC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005AC9F1
_wcslen.LIBCMT ref: 005ACA68
_wcslen.LIBCMT ref: 005ACA9E
_wcslen.LIBCMT ref: 005ACAF9
_wcslen.LIBCMT ref: 005ACB2F
_wcslen.LIBCMT ref: 005ACB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 005ACA62, 005ACA67
HKLM, xrefs: 005ACA98, 005ACA9D

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 4fce76f203cf4ea1e358c6383da2c982cdd3d03cd46439517ef8a4d60c57df92
Instruction ID: 432ca7dd26d1a49fe723a719b403bcfc16ea58753c8fe9bab09ee2ffd4e03a98
Opcode Fuzzy Hash: 4fce76f203cf4ea1e358c6383da2c982cdd3d03cd46439517ef8a4d60c57df92
Instruction Fuzzy Hash: B631FB7360056E4BCB20DF6D98401BE3F917BA3754F154029E855AB345EA71CE45D7A0

Function 005B2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 005B2F8D
LoadLibraryW.KERNEL32(?), ref: 005B2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 005B2FA9
DestroyWindow.USER32(?), ref: 005B2FB1

Strings

SysAnimate32, xrefs: 005B2F68

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 0a48356a758a0cbb6efa8940e4807d654f7b111ef51eb04e64e415b569b1cb70
Instruction ID: 11febc03718f3efa59e81ff0b71da3b308a8720d1d007271ba9065eed5db3e3e
Opcode Fuzzy Hash: 0a48356a758a0cbb6efa8940e4807d654f7b111ef51eb04e64e415b569b1cb70
Instruction Fuzzy Hash: 0C219A71210209ABEF104F64DC8AEFB7BB9FB59364F100618F950D6190D771EC51AB70

Function 005B5660 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 005B56BB
_wcslen.LIBCMT ref: 005B56CD
_wcslen.LIBCMT ref: 005B56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 005B5816

Strings

@U=u, xrefs: 005B56BB, 005B5816

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend_wcslen
String ID: @U=u
API String ID: 455545452-2594219639
Opcode ID: 65f3da220eec0082f8ad3110bc535f7674b21cd0373642890e7bbf2dc4041ce9
Instruction ID: 7866920e8b3f5b6ea17e027210c6ac435304353a35b465caf6b18d935ef7ac2d
Opcode Fuzzy Hash: 65f3da220eec0082f8ad3110bc535f7674b21cd0373642890e7bbf2dc4041ce9
Instruction Fuzzy Hash: D911E131A00609AADF249F658C85BEE3FACFF50764F104426F905D6081FB70AA84CB64

Function 0052600E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0052604C
GetStockObject.GDI32(00000011), ref: 00526060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0052606A

Strings

@U=u, xrefs: 0052606A

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID: @U=u
API String ID: 3970641297-2594219639
Opcode ID: 21e1d1ad9c3706c2d040196288146568817f9489683c6cf35620b12da1f6162c
Instruction ID: b051cdd79701e89a64fb784602e5b39a41042ca31ed4c0075fc08850820bc686
Opcode Fuzzy Hash: 21e1d1ad9c3706c2d040196288146568817f9489683c6cf35620b12da1f6162c
Instruction Fuzzy Hash: 0E118B72501518BFEF124FA4AC48EEABF69FF1A3A4F000205FA0556150C732AC60EBA1

Function 00544D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00544D1E,005528E9,?,00544CBE,005528E9,005E88B8,0000000C,00544E15,005528E9,00000002), ref: 00544D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00544DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00544D1E,005528E9,?,00544CBE,005528E9,005E88B8,0000000C,00544E15,005528E9,00000002,00000000), ref: 00544DC3

Strings

CorExitProcess, xrefs: 00544D98
mscoree.dll, xrefs: 00544D86

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a362d90ce26e4fdfdae099efa1f9fa05145b71f903f0dbdd4f5a8d2f2280c067
Instruction ID: d5d6c67841c1e5d500fb4c4f34fda5363472a6c50ae47cc77a062b9d596957d5
Opcode Fuzzy Hash: a362d90ce26e4fdfdae099efa1f9fa05145b71f903f0dbdd4f5a8d2f2280c067
Instruction Fuzzy Hash: 59F0AF34A40208BBDB149F94DC49BEDBFF8FF54715F0001A8F809A62A0CB70A945DF94

Function 00524E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00524EDD,?,005F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00524E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00524EAE
FreeLibrary.KERNEL32(00000000,?,?,00524EDD,?,005F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00524EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00524EA8
kernel32.dll, xrefs: 00524E94

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: a55a89c0291d3face66b0093214304e8eff2c21decf66561332f4a148312c23a
Instruction ID: 5c0d92b3c0823a24a9cde40cc7e29a98b99df46f9e4a96540feb2968b0613a96
Opcode Fuzzy Hash: a55a89c0291d3face66b0093214304e8eff2c21decf66561332f4a148312c23a
Instruction Fuzzy Hash: C9E08636A016325BE2711729BC18A5F6E5CBF93F627060215FC00E2240DBA0DD0694A5

Function 00524E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00563CDE,?,005F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00524E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00524E74
FreeLibrary.KERNEL32(00000000,?,?,00563CDE,?,005F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00524E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00524E6E
kernel32.dll, xrefs: 00524E5B

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 6d08b9620f01d0fb15a2a86c9ef6d8528c18039483bb8856064aff0e58e5948e
Instruction ID: dafec29e41676dd36853013663d7dc7f962c972c436fe341ae9f41ff5b918cbf
Opcode Fuzzy Hash: 6d08b9620f01d0fb15a2a86c9ef6d8528c18039483bb8856064aff0e58e5948e
Instruction Fuzzy Hash: 64D0C23150263257AA221B297C0CD8F2E1CBF82B113060611F800B6260CF60DD02D9E9

Function 005AA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 005AA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 005AA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 005AA468
CloseHandle.KERNEL32(?), ref: 005AA63D

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 5f571daaee9ae377e2f822f4b4ec0c24ccdcbd8beaec07be65db8dd25c9afbba
Instruction ID: c7767dc5406385d92ec213379eb40dbf9b7cc422fa9702a07ace5cfe6ab88e49
Opcode Fuzzy Hash: 5f571daaee9ae377e2f822f4b4ec0c24ccdcbd8beaec07be65db8dd25c9afbba
Instruction Fuzzy Hash: 7BA18D716043019FDB20DF24D886B2ABBE5BF89714F14881DF55A9B2D2D7B0ED41CB92

Function 0055BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,005C3700), ref: 0055BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,005F121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0055BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,005F1270,000000FF,?,0000003F,00000000,?), ref: 0055BC36
_free.LIBCMT ref: 0055BB7F

Part of subcall function 005529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0055D7D1,00000000,00000000,00000000,00000000,?,0055D7F8,00000000,00000007,00000000,?,0055DBF5,00000000), ref: 005529DE
Part of subcall function 005529C8: GetLastError.KERNEL32(00000000,?,0055D7D1,00000000,00000000,00000000,00000000,?,0055D7F8,00000000,00000007,00000000,?,0055DBF5,00000000,00000000), ref: 005529F0

_free.LIBCMT ref: 0055BD4B

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: f83d9cc2dc6855cc8cd161945213338040f0bcd765bf4acb4003d9beb82d5f2a
Instruction ID: 9fb41806f2b0cc6c304fca5d41d4b97ed6fa7688d8c6f2782c748bfb760418fc
Opcode Fuzzy Hash: f83d9cc2dc6855cc8cd161945213338040f0bcd765bf4acb4003d9beb82d5f2a
Instruction Fuzzy Hash: 76512B7180020ADFEB10DFA58C999BEBFB8FF80321B10066BE850E7191EB709E48D754

Function 0058E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0058DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0058CF22,?), ref: 0058DDFD

Part of subcall function 0058DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0058CF22,?), ref: 0058DE16

Part of subcall function 0058E199: GetFileAttributesW.KERNEL32(?,0058CF95), ref: 0058E19A

lstrcmpiW.KERNEL32(?,?), ref: 0058E473
MoveFileW.KERNEL32(?,?), ref: 0058E4AC
_wcslen.LIBCMT ref: 0058E5EB
_wcslen.LIBCMT ref: 0058E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0058E650

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 3d55a97cf8a871398d12d73724b55b5ea4c82e3769b60afa3c2a9ef53adcf5f4
Instruction ID: 77a2e215aa7a4fa3fa08b6db0be289889d0a73ff7cafd232a14846425f8d770b
Opcode Fuzzy Hash: 3d55a97cf8a871398d12d73724b55b5ea4c82e3769b60afa3c2a9ef53adcf5f4
Instruction Fuzzy Hash: 775194B24083455BD724EB90D8869DFBBECBFC5344F00092EF989E3191EF75A5888766

Function 005AB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

Part of subcall function 005AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005AB6AE,?,?), ref: 005AC9B5
Part of subcall function 005AC998: _wcslen.LIBCMT ref: 005AC9F1
Part of subcall function 005AC998: _wcslen.LIBCMT ref: 005ACA68
Part of subcall function 005AC998: _wcslen.LIBCMT ref: 005ACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005ABAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005ABB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 005ABB63
RegCloseKey.ADVAPI32(?,?), ref: 005ABBA6
RegCloseKey.ADVAPI32(00000000), ref: 005ABBB3

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 984093ebd903abccd72d7877b774f2bd0f3dce708055593a5a1c8c1927e2e2f3
Instruction ID: 374a91f98a519e5a2b01b11d1629191f5cd54a51b8b3a5ebb1d1cd1beb00b438
Opcode Fuzzy Hash: 984093ebd903abccd72d7877b774f2bd0f3dce708055593a5a1c8c1927e2e2f3
Instruction Fuzzy Hash: 7461A231208245AFD714DF14C494E2ABFE5FF86308F14895CF4998B2A2DB31ED45CBA2

Function 00588BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00588BCD
VariantClear.OLEAUT32 ref: 00588C3E
VariantClear.OLEAUT32 ref: 00588C9D
VariantClear.OLEAUT32(?), ref: 00588D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00588D3B

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 8058ac2d7265c30a92503b199e84e4b71c67ebe218d93dc1cb599219141c94d3
Instruction ID: d181e8deed7f8186bdefd306a39c25b74326e71b8558c9de7009156a1902793f
Opcode Fuzzy Hash: 8058ac2d7265c30a92503b199e84e4b71c67ebe218d93dc1cb599219141c94d3
Instruction Fuzzy Hash: F85169B5A01219EFCB14DF68C894AAABBF8FF89310B158559ED05EB354E730E911CF90

Function 00598AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00598BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00598BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00598C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00598C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00598C5F

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 3748efb18871fa3ed9e8c61fa8500a5b0ab31f2faf58f30bc031877a9148d1e8
Instruction ID: 76a7e9d7725fe861352df056d29411af3c28bd007cd0948bec61cc79718d6633
Opcode Fuzzy Hash: 3748efb18871fa3ed9e8c61fa8500a5b0ab31f2faf58f30bc031877a9148d1e8
Instruction Fuzzy Hash: 2E513835A002199FCB05DF64C885A69BBF5FF89314F088458E849AB3A2DB35ED51DB90

Function 005A8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 005A8F40
GetProcAddress.KERNEL32(00000000,?), ref: 005A8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 005A8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 005A9032
FreeLibrary.KERNEL32(00000000), ref: 005A9052

Part of subcall function 0053F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00591043,?,75B8E610), ref: 0053F6E6
Part of subcall function 0053F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0057FA64,00000000,00000000,?,?,00591043,?,75B8E610,?,0057FA64), ref: 0053F70D

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: f5bc57558b8b90a9dfd35b7dc908e1cf6052ae0ed5964cfb73534c5e365b02ce
Instruction ID: 2327bbf0230121725cd9d25604984c03c2550a0f4da7c0831842b731047de43a
Opcode Fuzzy Hash: f5bc57558b8b90a9dfd35b7dc908e1cf6052ae0ed5964cfb73534c5e365b02ce
Instruction Fuzzy Hash: 66511935604216DFC715DF58C4988ADBFB1FF8A314F0881A9E816AB362DB31ED85CB90

Function 00552051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005520C3
_free.LIBCMT ref: 005520E3

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 74cbd2d9a4537f25b8b6ab948c0e8d65a15d62f47aa0afc2332fa56d86610490
Instruction ID: 6660d7b20255ad0e2e77255ef05003e2613651b1c5fccc8721ac94554bb3e2e2
Opcode Fuzzy Hash: 74cbd2d9a4537f25b8b6ab948c0e8d65a15d62f47aa0afc2332fa56d86610490
Instruction Fuzzy Hash: 6741D232A002009FCB24DF78C995A5EBBB5FF8A314F15456AE915EB3A1D731ED05DB80

Function 0053912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00539141
ScreenToClient.USER32(00000000,?), ref: 0053915E
GetAsyncKeyState.USER32(00000001), ref: 00539183
GetAsyncKeyState.USER32(00000002), ref: 0053919D

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 332512103cae5ad2b1ae150693f490b3a4a35227cbace9fa9d7096e0c486874c
Instruction ID: 3e2232b8b08684002578e5e8e2c0e4b71c23f226704c290178a9d1d7ef64302d
Opcode Fuzzy Hash: 332512103cae5ad2b1ae150693f490b3a4a35227cbace9fa9d7096e0c486874c
Instruction Fuzzy Hash: ED415E71A0850BBBDF159F64D848BEEBB74FB49320F208219E429A2290C7706954DFA1

Function 00593874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 005938CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00593922
TranslateMessage.USER32(?), ref: 0059394B
DispatchMessageW.USER32(?), ref: 00593955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00593966

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: cd8ad67ac7fa226325017e3fd0267d4b1b7e479907640bbdc30029e90ad5ec75
Instruction ID: a27855e6102014b3c9977e957fc296af2367682c83a06018b4aac20120476877
Opcode Fuzzy Hash: cd8ad67ac7fa226325017e3fd0267d4b1b7e479907640bbdc30029e90ad5ec75
Instruction Fuzzy Hash: 2C31A270904642DEEF35CF249848BB63FA8FB25344F04096DE466C61E0E7A8AA89DB15

Function 0059CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0059C21E,00000000), ref: 0059CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0059CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0059C21E,00000000), ref: 0059CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0059C21E,00000000), ref: 0059CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0059C21E,00000000), ref: 0059CFF2

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 7e3be282f831d546f21bbdf7722315726a858e69981d9d2d5a0d377744fde669
Instruction ID: 22ad52cf27ff762079aafeedc7baf63d2c0b9b5bc9cd26337e53814d2f8e7765
Opcode Fuzzy Hash: 7e3be282f831d546f21bbdf7722315726a858e69981d9d2d5a0d377744fde669
Instruction Fuzzy Hash: E2315971A00206EFDF20DFA5C888AABBFF9FB54354B10442EF506D2241EB30AE44DB60

Function 00581901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00581915
PostMessageW.USER32(00000001,00000201,00000001), ref: 005819C1
Sleep.KERNEL32(00000000,?,?,?), ref: 005819C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 005819DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 005819E2

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 5d39cfbcd0157e1378332716c296ad2b57eb0b549a3ba1d4b835281dd88e5102
Instruction ID: 36a57f4aafb68e11eba5f1d76942dd8ccb27bd707a27f19d1fd1f94ef7338621
Opcode Fuzzy Hash: 5d39cfbcd0157e1378332716c296ad2b57eb0b549a3ba1d4b835281dd88e5102
Instruction Fuzzy Hash: 5D31BE71A00219EFCB00DFACC999AAE3FB9FB04314F104225FD61AB2D0C770A945DB94

Function 005A0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 005A0951
GetForegroundWindow.USER32 ref: 005A0968
GetDC.USER32(00000000), ref: 005A09A4
GetPixel.GDI32(00000000,?,00000003), ref: 005A09B0
ReleaseDC.USER32(00000000,00000003), ref: 005A09E8

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: e83ae86ae193bffe878daa2d6d7658563261eea7667f72ed53ae1575e2bdd25e
Instruction ID: d6aa29661abe00e4492aa8dd87894fa44e74fc5e70aa6bf6c8ef2c86cdd071c2
Opcode Fuzzy Hash: e83ae86ae193bffe878daa2d6d7658563261eea7667f72ed53ae1575e2bdd25e
Instruction Fuzzy Hash: F7216235600214AFDB44EF69D949A5EBFE9FF85700F048568E84A97792DB30AC04DB50

Function 0055CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0055CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0055CDE9

Part of subcall function 00553820: RtlAllocateHeap.NTDLL(00000000,?,005F1444,?,0053FDF5,?,?,0052A976,00000010,005F1440,005213FC,?,005213C6,?,00521129), ref: 00553852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0055CE0F
_free.LIBCMT ref: 0055CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0055CE31

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: b8de0a813d73667e43b941f90edad676d8d457d6de68245f60f4b152db795662
Instruction ID: ed66ebb59d7383905ac402f9b42650d98064af381dbcecc8b2a338f74ff4a443
Opcode Fuzzy Hash: b8de0a813d73667e43b941f90edad676d8d457d6de68245f60f4b152db795662
Instruction Fuzzy Hash: 0D01FC726013157F232216BA6C5EC7F7D6DFEC7BA2315022BFD05D7200DA619D0991B4

Function 00539639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00539693
SelectObject.GDI32(?,00000000), ref: 005396A2
BeginPath.GDI32(?), ref: 005396B9
SelectObject.GDI32(?,00000000), ref: 005396E2

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: e7f99f4d4f8b5d34093a73da8ea2b0a4fbde4337ba6e9ac5b0873cd9d83b0368
Instruction ID: 97a9d93d791892336cf30f5931193b7792d6e4c23eab83a4a9cec6c905423b0e
Opcode Fuzzy Hash: e7f99f4d4f8b5d34093a73da8ea2b0a4fbde4337ba6e9ac5b0873cd9d83b0368
Instruction Fuzzy Hash: 94217FB0802709EBDB119F69EE197B93FA8BB60315F104616F410E61A0D3F45899EFD8

Function 00585711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00585726
_memcmp.LIBVCRUNTIME ref: 00585744
_memcmp.LIBVCRUNTIME ref: 00585757
_memcmp.LIBVCRUNTIME ref: 0058576F
_memcmp.LIBVCRUNTIME ref: 00585787

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 78e7d8d841ee572913f3f8f3f355d4829d85a90800476f83d49baac30a6fe80f
Instruction ID: 5822570213de437c4b8494430ab3721cfe4ecb1a6cd4eb617b2c939b48d7ba26
Opcode Fuzzy Hash: 78e7d8d841ee572913f3f8f3f355d4829d85a90800476f83d49baac30a6fe80f
Instruction Fuzzy Hash: AA019275645A0ABBE20865109D82EFA7F5CFB613D8F408420FE05EA241F660FD5083A8

Function 00552DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0054F2DE,00553863,005F1444,?,0053FDF5,?,?,0052A976,00000010,005F1440,005213FC,?,005213C6), ref: 00552DFD
_free.LIBCMT ref: 00552E32
_free.LIBCMT ref: 00552E59
SetLastError.KERNEL32(00000000,00521129), ref: 00552E66
SetLastError.KERNEL32(00000000,00521129), ref: 00552E6F

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 09bc1fcfc31839a8f2dc9d5e1cf91cd6ca9dc5209339e83e88e25c04e28bd46c
Instruction ID: e659e877062dd24f6b21f29154ddd0b99110218f9b07dea88b8d19a58330dd99
Opcode Fuzzy Hash: 09bc1fcfc31839a8f2dc9d5e1cf91cd6ca9dc5209339e83e88e25c04e28bd46c
Instruction Fuzzy Hash: 7501D636105A0167871227746C6BD3B2E6DBBE33B7F24452BFC65A2292EA249C0D5320

Function 0058000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0057FF41,80070057,?,?,?,0058035E), ref: 0058002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0057FF41,80070057,?,?), ref: 00580046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0057FF41,80070057,?,?), ref: 00580054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0057FF41,80070057,?), ref: 00580064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0057FF41,80070057,?,?), ref: 00580070

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: b802ef10df720e4d9570330194703c4a5b7b1aac472c55bef251aac918a49edc
Instruction ID: 0769abdc5c3671f8d877f02854e479d43b4131c32ea4435a7019775f0a99409b
Opcode Fuzzy Hash: b802ef10df720e4d9570330194703c4a5b7b1aac472c55bef251aac918a49edc
Instruction Fuzzy Hash: E701B872600204EFDB906F69DC08BAA7EADEF44392F145224FC05E2250E771ED08ABA0

Function 0058E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0058E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0058E9A5
Sleep.KERNEL32(00000000), ref: 0058E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0058E9B7
Sleep.KERNEL32 ref: 0058E9F3

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: a09aaf47f958f957ecc4e425f7fec4bdcdd82b31e0af35e49f1dc358ec85b016
Instruction ID: 4a6fb057b2ce1c51ac7d3069e6628ffd4f1b98518c34545cd4d1a925f6cef4db
Opcode Fuzzy Hash: a09aaf47f958f957ecc4e425f7fec4bdcdd82b31e0af35e49f1dc358ec85b016
Instruction Fuzzy Hash: C0016931D01629DBCF40AFE8DC4AAEDBF78FF18301F000646E942B2241CB70A558DBA5

Function 005810F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00581114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00580B9B,?,?,?), ref: 00581120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00580B9B,?,?,?), ref: 0058112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00580B9B,?,?,?), ref: 00581136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0058114D

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 7c310b46b6e230df729d1dfd898d6bb39c81c82c1256d5904fb23839181cd6eb
Instruction ID: a139880ca4bc3f5c1bdc18dc6405b4069b0fab20c48842c78a3a17d4dd9e7c1a
Opcode Fuzzy Hash: 7c310b46b6e230df729d1dfd898d6bb39c81c82c1256d5904fb23839181cd6eb
Instruction Fuzzy Hash: A5016975200605BFDB515FA8DC4DAAA3F6EFF893A0B200419FA41E3360DA31EC00EB64

Function 00580FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00580FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00580FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00580FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00580FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00581002

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4b0e7bc37e75927c5ef03d6697f2a2a3718ef4841bd5082f0e9b56632dbb1376
Instruction ID: da963179230029e13e34fd478b1ad875425a892868b1dca0054f08ece0d61abc
Opcode Fuzzy Hash: 4b0e7bc37e75927c5ef03d6697f2a2a3718ef4841bd5082f0e9b56632dbb1376
Instruction Fuzzy Hash: 03F0A975200305EBDB212FA99C4DF5A3FADFF99762F100425FA05E6250DA30EC409B64

Function 00581014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0058102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00581036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00581045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0058104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00581062

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 7f3a7d843088baa22b60ca5ce8bae7f78181197eba5b6ea5aa78649664fb72c8
Instruction ID: 5cade6e077317f393348236281f314b0e0217e74ef410b7a66b74c2c9d865dc5
Opcode Fuzzy Hash: 7f3a7d843088baa22b60ca5ce8bae7f78181197eba5b6ea5aa78649664fb72c8
Instruction Fuzzy Hash: 12F0A975200305EBDB212FAAEC4CF5B3FADFF99761F100425FA05E6250CA30E8409B64

Function 0059030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0059017D,?,005932FC,?,00000001,00562592,?), ref: 00590324
CloseHandle.KERNEL32(?,?,?,?,0059017D,?,005932FC,?,00000001,00562592,?), ref: 00590331
CloseHandle.KERNEL32(?,?,?,?,0059017D,?,005932FC,?,00000001,00562592,?), ref: 0059033E
CloseHandle.KERNEL32(?,?,?,?,0059017D,?,005932FC,?,00000001,00562592,?), ref: 0059034B
CloseHandle.KERNEL32(?,?,?,?,0059017D,?,005932FC,?,00000001,00562592,?), ref: 00590358
CloseHandle.KERNEL32(?,?,?,?,0059017D,?,005932FC,?,00000001,00562592,?), ref: 00590365

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 2b6ff41047de206ad0009c099dcaadd02568b4de654a7c89a0688541bc8a34ef
Instruction ID: 24475d4993225d98dc47e6dc83d6f5f8e811944f360101244c4717e83edcea55
Opcode Fuzzy Hash: 2b6ff41047de206ad0009c099dcaadd02568b4de654a7c89a0688541bc8a34ef
Instruction Fuzzy Hash: AA019C72800B159FCB30AF6AD880816FBF9BF602153159E3ED19652971C3B1A958DE80

Function 0055D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0055D752

Part of subcall function 005529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0055D7D1,00000000,00000000,00000000,00000000,?,0055D7F8,00000000,00000007,00000000,?,0055DBF5,00000000), ref: 005529DE
Part of subcall function 005529C8: GetLastError.KERNEL32(00000000,?,0055D7D1,00000000,00000000,00000000,00000000,?,0055D7F8,00000000,00000007,00000000,?,0055DBF5,00000000,00000000), ref: 005529F0

_free.LIBCMT ref: 0055D764
_free.LIBCMT ref: 0055D776
_free.LIBCMT ref: 0055D788
_free.LIBCMT ref: 0055D79A

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4afc18e938d548e258159d9123abc8c90a4c5a504c78078df8c41250640e5c30
Instruction ID: d00f5848e50bc9f4742c1f08a80fd5bd95588d0cdcb4a81b0eb9b4d6dc476a52
Opcode Fuzzy Hash: 4afc18e938d548e258159d9123abc8c90a4c5a504c78078df8c41250640e5c30
Instruction Fuzzy Hash: 76F03C33514259AB8629EB64F9D5D567FFDFB49312BA40806F889EB602C720FC888670

Function 005522A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005522BE

Part of subcall function 005529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0055D7D1,00000000,00000000,00000000,00000000,?,0055D7F8,00000000,00000007,00000000,?,0055DBF5,00000000), ref: 005529DE
Part of subcall function 005529C8: GetLastError.KERNEL32(00000000,?,0055D7D1,00000000,00000000,00000000,00000000,?,0055D7F8,00000000,00000007,00000000,?,0055DBF5,00000000,00000000), ref: 005529F0

_free.LIBCMT ref: 005522D0
_free.LIBCMT ref: 005522E3
_free.LIBCMT ref: 005522F4
_free.LIBCMT ref: 00552305

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 538a9b4f90c3a7f399b4009874ad4af3fda8a9ac212fd76a0d4097288d3d154a
Instruction ID: e089f807f6cd22eee2c7701099f45155f839f998c40b1d80b8af1bdf89f60daa
Opcode Fuzzy Hash: 538a9b4f90c3a7f399b4009874ad4af3fda8a9ac212fd76a0d4097288d3d154a
Instruction Fuzzy Hash: 11F054784005119B8616AF99BC558683F74F73A752F041507F818E63B2C739445EFFE8

Function 005395C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 005395D4
StrokeAndFillPath.GDI32(?,?,005771F7,00000000,?,?,?), ref: 005395F0
SelectObject.GDI32(?,00000000), ref: 00539603
DeleteObject.GDI32 ref: 00539616
StrokePath.GDI32(?), ref: 00539631

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 3d71965261e74c30db9a070ee4f40aac361a7921d29908255e3407ad5bf23d09
Instruction ID: 8f6a08509bb903b5a1fbd163d8fceedd2e755b9ae02f395265644a3bd4f7b350
Opcode Fuzzy Hash: 3d71965261e74c30db9a070ee4f40aac361a7921d29908255e3407ad5bf23d09
Instruction Fuzzy Hash: CFF03C30006A08EBDB126F69EE1D7793F65BB20322F048314F465950F0C7B89999EFA8

Function 00550F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 005510F9
__freea.LIBCMT ref: 00551117

Part of subcall function 00551537: _free.LIBCMT ref: 0055154F

Strings

a/p, xrefs: 005511DE
am/pm, xrefs: 0055117A

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 29e3b6562fc4174c8fa929cc52f202f8922dfcff4c03af7b0ac6812b9ede15f4
Instruction ID: 618f01121c051bdf72503e69896e72d8dbf16e2623c5c1cc83ae28511100031d
Opcode Fuzzy Hash: 29e3b6562fc4174c8fa929cc52f202f8922dfcff4c03af7b0ac6812b9ede15f4
Instruction Fuzzy Hash: 1CD1F235900A069BCB249F68C879BFABFB1FF05702F25095BED019B690D3359D88CB59

Function 005A61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00540242: EnterCriticalSection.KERNEL32(005F070C,005F1884,?,?,0053198B,005F2518,?,?,?,005212F9,00000000), ref: 0054024D
Part of subcall function 00540242: LeaveCriticalSection.KERNEL32(005F070C,?,0053198B,005F2518,?,?,?,005212F9,00000000), ref: 0054028A

Part of subcall function 005400A3: __onexit.LIBCMT ref: 005400A9

__Init_thread_footer.LIBCMT ref: 005A6238

Part of subcall function 005401F8: EnterCriticalSection.KERNEL32(005F070C,?,?,00538747,005F2514), ref: 00540202
Part of subcall function 005401F8: LeaveCriticalSection.KERNEL32(005F070C,?,00538747,005F2514), ref: 00540235

Part of subcall function 0059359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005935E4
Part of subcall function 0059359C: LoadStringW.USER32(005F2390,?,00000FFF,?), ref: 0059360A

Strings

x#_, xrefs: 005A636F
x#_, xrefs: 005A6353
x#_, xrefs: 005A633A

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#_$x#_$x#_
API String ID: 1072379062-2414400457
Opcode ID: 74f23f5d791303e65b9ebc726e96732969fde0c2c0b94fac0fef348d18d3dc06
Instruction ID: 028cbd30f5e2c77cf5346aade1e02ac02d0cea0926d57165afb95cc39eb22dad
Opcode Fuzzy Hash: 74f23f5d791303e65b9ebc726e96732969fde0c2c0b94fac0fef348d18d3dc06
Instruction Fuzzy Hash: BAC17E71A0010AAFDB14DF58C895EBEBBB9FF49300F148469F915AB291DB70ED45CB90

Function 00558A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00558B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00558B7A
__dosmaperr.LIBCMT ref: 00558B81

Strings

.T, xrefs: 00558A63

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .T
API String ID: 2434981716-3315649315
Opcode ID: a6c820e536357aee38b6f87eca5d64f98a0bcf8e348fa7260941365041440e0a
Instruction ID: 7475f496775c9e825a4e31826cf9631a7de26a31489083b8ffa0cf5ecad58009
Opcode Fuzzy Hash: a6c820e536357aee38b6f87eca5d64f98a0bcf8e348fa7260941365041440e0a
Instruction Fuzzy Hash: 3A418EB0604045AFDB249F28CCA0A797FA9FB85325F2C459BFC85A7652DE31CC0AD750

Function 0055172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\zAK7HHniGW.exe,00000104), ref: 00551769
_free.LIBCMT ref: 00551834
_free.LIBCMT ref: 0055183E

Strings

C:\Users\user\Desktop\zAK7HHniGW.exe, xrefs: 00551760, 00551767, 00551796, 005517CE

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\zAK7HHniGW.exe
API String ID: 2506810119-3852030548
Opcode ID: 76370b318174f3086361eb13965c1fb06b40b43e0814f464e38d8f3453e77de9
Instruction ID: 3043bd8cac982817de41c42e8f505c6531a17bc5a86ab23c1516f4bdc699473f
Opcode Fuzzy Hash: 76370b318174f3086361eb13965c1fb06b40b43e0814f464e38d8f3453e77de9
Instruction Fuzzy Hash: E4319F75A00618EBCB21DB999C95EAEBFFCFB99311B104167F804D7211D6B08E48DB98

Function 0058C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0058C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0058C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,005F1990,00F25BB0), ref: 0058C395

Strings

0, xrefs: 0058C2DF

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 310b289d9dfd567eac1b85a612b50e4953bcf28dbca4905d98a0d8ad5111a9e3
Instruction ID: a7b27b68d9d91a6a7d6c544f1102605770e27377bd0e09095c4e1ece059627a6
Opcode Fuzzy Hash: 310b289d9dfd567eac1b85a612b50e4953bcf28dbca4905d98a0d8ad5111a9e3
Instruction Fuzzy Hash: 0A418F312043029FD720EF25D845B5ABFE8BF85310F148A1DFDA5A72D1DB30A905CB62

Function 005B4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,005BCC08,00000000,?,?,?,?), ref: 005B44AA
GetWindowLongW.USER32 ref: 005B44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005B44D7

Strings

SysTreeView32, xrefs: 005B447C

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: d5d14f95c47c194657df6d01027c1ca4b13ac5cf37bc5b3820255df8c92b054a
Instruction ID: 74573e9a9a7cb5b115c41c603f827b2c120d60eb7b115f6dd479b26181aa1372
Opcode Fuzzy Hash: d5d14f95c47c194657df6d01027c1ca4b13ac5cf37bc5b3820255df8c92b054a
Instruction Fuzzy Hash: 33317A71210606AFDF208E38DC49BEA7FA9FB49324F204725F975921E1D770AC619B60

Function 00586E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00586EED
VariantCopyInd.OLEAUT32(?,?), ref: 00586F08
VariantClear.OLEAUT32(?), ref: 00586F12

Strings

*jX, xrefs: 00586E8B, 00586E90, 00586EF8

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jX
API String ID: 2173805711-809058511
Opcode ID: 2b38ec2c5e8f458df7ae7c3ea1b86c9d4a0966f9425bc34001fcec0260b89cc6
Instruction ID: 99972bd93cc172b1ad5aca2db5d99937f208944fba8ae47b5ba89bf7f068b758
Opcode Fuzzy Hash: 2b38ec2c5e8f458df7ae7c3ea1b86c9d4a0966f9425bc34001fcec0260b89cc6
Instruction Fuzzy Hash: DF31B371604256DFDB05BF64E8569BE7F75FF89300B1008A8FE025B2A1C730D951DBA4

Function 005A304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005A335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,005A3077,?,?), ref: 005A3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 005A307A
_wcslen.LIBCMT ref: 005A309B
htons.WSOCK32(00000000,?,?,00000000), ref: 005A3106

Strings

255.255.255.255, xrefs: 005A3095, 005A309A

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: b6fd134728f32749b88d46a98537ef8a67cc89ea23c42e50777aa4aa3f1b8a1a
Instruction ID: d4e8735db7c085390d51cfde0142a94496dbb609c3c74f87436e718a0d5b4247
Opcode Fuzzy Hash: b6fd134728f32749b88d46a98537ef8a67cc89ea23c42e50777aa4aa3f1b8a1a
Instruction Fuzzy Hash: 72318F396042059FCB10CF68C58AAAE7FE0FF56318F248559F9158B3A2DB72EE45C760

Function 005B4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 005B4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 005B4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 005B471A

Strings

msctls_updown32, xrefs: 005B4684

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 5d38a2fafd6450b2e12b86a9401480a9b255a4d3e3f676fe148f19564aab2da3
Instruction ID: 85978dd5f08c2afb0a180bb0317e9abb773f97ca0223def0ff77db838fb0ae47
Opcode Fuzzy Hash: 5d38a2fafd6450b2e12b86a9401480a9b255a4d3e3f676fe148f19564aab2da3
Instruction Fuzzy Hash: 5A215EB5600209AFDB10DF68DC85DB73BADFF9A3A4B140059FA019B291CB71FC12DA60

Function 005895AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0058961D

Strings

#requireadmin, xrefs: 005895D9
#OnAutoItStartRegister, xrefs: 005895F3
#notrayicon, xrefs: 005895B7

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: ae9f6023d8c8954f80ee732a4b2a023e5478aad7ab2dea08ab6f7a23dc89c41e
Instruction ID: e8a5d9d0d80daecf73e600237c7b1126abec24a5dcbf5a2438f7dbcf29b129dd
Opcode Fuzzy Hash: ae9f6023d8c8954f80ee732a4b2a023e5478aad7ab2dea08ab6f7a23dc89c41e
Instruction Fuzzy Hash: B3212332204622A6C331BA259C06FBB7F98BF96304F184426FD49A7081EB51AD51C395

Function 005B37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 005B3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 005B3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 005B3876

Strings

Listbox, xrefs: 005B380F

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: ec9bdb8f83e6cd98825b9ae28238a5d75a364b8f2e98ec269ad762d7cf3413ab
Instruction ID: 2efaf42bd55e61df675239373040aae3f94044fb50de5ec31778a14abb19542a
Opcode Fuzzy Hash: ec9bdb8f83e6cd98825b9ae28238a5d75a364b8f2e98ec269ad762d7cf3413ab
Instruction Fuzzy Hash: 9821BE72610218BBEB218F64DC85EFB3B6EFF99750F108124F900AB190CA71ED5287A0

Function 0058223F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00582258

Part of subcall function 00526B57: _wcslen.LIBCMT ref: 00526B6A

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0058228A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 005822CA

Strings

@U=u, xrefs: 00582258, 0058228A, 005822CA

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID: @U=u
API String ID: 763830540-2594219639
Opcode ID: c9a625bdc0e9ec567350cf1733a44677cd0ab97e18b40992c1c522cddf70b03b
Instruction ID: 5a60776d5a1a09ffa087663f401fc3dd7dbfe97081b0d94ab429214405f82ce4
Opcode Fuzzy Hash: c9a625bdc0e9ec567350cf1733a44677cd0ab97e18b40992c1c522cddf70b03b
Instruction Fuzzy Hash: D621C531700205ABDB20AA549D49EEE3FA9FF99710F044424FE06EB181DBB49945D7A2

Function 005949F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00594A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00594A5C
SetErrorMode.KERNEL32(00000000,?,?,005BCC08), ref: 00594AD0

Strings

%lu, xrefs: 00594A6F

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 031086dc0b099d896534f5fc51502325ac5c95506e226ee122cdd984ee41b761
Instruction ID: f25530382a525a6354efa320b75154fb76d8581eee4e3af7a2772cd463596d0b
Opcode Fuzzy Hash: 031086dc0b099d896534f5fc51502325ac5c95506e226ee122cdd984ee41b761
Instruction Fuzzy Hash: 1C314D75A00109AFDB10DF54C885EAABBF9FF49308F1440A5E905EB352D771ED46CB61

Function 00581B2C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00581B4F
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00581B61
SendMessageW.USER32(?,0000000D,?,00000000), ref: 00581B99

Strings

@U=u, xrefs: 00581B99

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 8972c19db28c145a6da13dfed6a3fe07dfdb9f5d556b01efda23289c3e0d50b0
Instruction ID: 16bdaef7ffd4aeca92ce90ca341b00a509e600dbc90a4b7d13cdb5aea697e83b
Opcode Fuzzy Hash: 8972c19db28c145a6da13dfed6a3fe07dfdb9f5d556b01efda23289c3e0d50b0
Instruction Fuzzy Hash: 7921D532600519BFDF11EB98C841DAEBBFDFF44340F10046AE505E7290DA71AE419B98

Function 005A0CD5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000402,00000000,00000000), ref: 005A0D24
SendMessageW.USER32(0000000C,00000000,?), ref: 005A0D65
SendMessageW.USER32(0000000C,00000000,?), ref: 005A0D8D

Strings

@U=u, xrefs: 005A0D24, 005A0D65, 005A0D8D

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: e6789139b4e3af337c5d82a2130a27af73b6bb523637b3a9407475439d343e3b
Instruction ID: 7e09ce4c4e5eb49f3f5608b7a2793003d7d6908b2028fd632525ccc62fbc2c98
Opcode Fuzzy Hash: e6789139b4e3af337c5d82a2130a27af73b6bb523637b3a9407475439d343e3b
Instruction Fuzzy Hash: 15215836300911EFD700EB68E985D2ABBE6FF5A310B008914F809DBAB1D760FC10DB94

Function 005B41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 005B424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 005B4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 005B4271

Strings

msctls_trackbar32, xrefs: 005B4226

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 4fab09b95316d38486fadf12ef5318be25da1edd7263f0cbdc0498021ce5c810
Instruction ID: a7f201112d67f3b434a955df2e8cb81cfa1b3c50795e315bf864751d56a7ce85
Opcode Fuzzy Hash: 4fab09b95316d38486fadf12ef5318be25da1edd7263f0cbdc0498021ce5c810
Instruction Fuzzy Hash: DC11C131240248BEEF205E29CC06FFB7BACFF95B54F010514FA55E6091D271E811EB50

Function 00582F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00526B57: _wcslen.LIBCMT ref: 00526B6A

Part of subcall function 00582DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00582DC5
Part of subcall function 00582DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00582DD6
Part of subcall function 00582DA7: GetCurrentThreadId.KERNEL32 ref: 00582DDD
Part of subcall function 00582DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00582DE4

GetFocus.USER32 ref: 00582F78

Part of subcall function 00582DEE: GetParent.USER32(00000000), ref: 00582DF9

GetClassNameW.USER32(?,?,00000100), ref: 00582FC3
EnumChildWindows.USER32(?,0058303B), ref: 00582FEB

Strings

%s%d, xrefs: 00582FFF

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 38b5382421b70536994c7d58549e0e30fa8c34906494f435b4ab3e5c82207ca3
Instruction ID: 51d6f969ad89f55520775923976c3914fd6f345639f462526e0070ba9284aab0
Opcode Fuzzy Hash: 38b5382421b70536994c7d58549e0e30fa8c34906494f435b4ab3e5c82207ca3
Instruction Fuzzy Hash: C5119075600206ABCF55BF649C99EED3F6ABFD4304F044075BD09AB192DE30A94A9B70

Function 005B3429 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 005B34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005B34BA

Strings

@U=u, xrefs: 005B34BA
edit, xrefs: 005B348F

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: @U=u$edit
API String ID: 2978978980-590756393
Opcode ID: 88914cc8d160de719ee3b1181f90c3e8281cb1d9b6062318618ba461749fc229
Instruction ID: ce79d942d23a15f59e0565ac3bf8c79f544617b29de5836f3a2eea194695a2ff
Opcode Fuzzy Hash: 88914cc8d160de719ee3b1181f90c3e8281cb1d9b6062318618ba461749fc229
Instruction Fuzzy Hash: 44115871100208AAEF228E689C48AEA3F6AFB55374F504724F961A71E0C671EC55AB64

Function 00581BD8 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

Part of subcall function 00583CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00583CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00581C46

Strings

ListBox, xrefs: 00581C10
@U=u, xrefs: 00581C46
ComboBox, xrefs: 00581BE5

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: @U=u$ComboBox$ListBox
API String ID: 624084870-2258501812
Opcode ID: bb18a6fdb24637e4e1e77b83f8c8a8804b0310e3fc71c59b134958d63aac647a
Instruction ID: ab23cf887edc7a717ce43e6570cd360883d267ae3189e47a39cefab7a4f41357
Opcode Fuzzy Hash: bb18a6fdb24637e4e1e77b83f8c8a8804b0310e3fc71c59b134958d63aac647a
Instruction Fuzzy Hash: 2301A775B8111967CB08FB90D959DFF7FACBF56340F140029AC06772C1EA209E0987B5

Function 005B5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005B58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005B58EE
DrawMenuBar.USER32(?), ref: 005B58FD

Strings

0, xrefs: 005B588F

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 43a2e42aac345d96b1c59639e0950e0178a8ddd7a799c57c168613f89453eb21
Instruction ID: ec1c1ae0ea4500a18599864f896d0f320bfe3fbc85b525d464186219644615c6
Opcode Fuzzy Hash: 43a2e42aac345d96b1c59639e0950e0178a8ddd7a799c57c168613f89453eb21
Instruction Fuzzy Hash: 24016131500219EFDB619F11DC44BEEBFB8FB45360F148499F849D6151EB30AA84EF21

Function 005B7803 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,005F18B0,005BA364,000000FC,?,00000000,00000000,?,?,?,005776CF,?,?,?,?,?), ref: 005B7805
GetFocus.USER32 ref: 005B780D

Part of subcall function 00539BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00539BB2

Part of subcall function 00539944: GetWindowLongW.USER32(?,000000EB), ref: 00539952

SendMessageW.USER32(00F2ECE0,000000B0,000001BC,000001C0), ref: 005B787A

Strings

@U=u, xrefs: 005B787A

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: @U=u
API String ID: 3601265619-2594219639
Opcode ID: 4b0ce425f2218f70067275217d6f91af63ad0e2d9b709d2c2a6ccced53c40e2e
Instruction ID: 6ecea363432fe8ab2b4b6b0003e09ca83a792ea81437b351afc7f7968fc5d3f4
Opcode Fuzzy Hash: 4b0ce425f2218f70067275217d6f91af63ad0e2d9b709d2c2a6ccced53c40e2e
Instruction Fuzzy Hash: 59012C31605510CFD725DB28D958AB63BE6BFDA320F18026DE5158B2A1DB717C0ACB94

Function 0057D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0057D3BF
FreeLibrary.KERNEL32 ref: 0057D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0057D3B9
X64, xrefs: 0057D2A8

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: c233b043cf56a252d9ffcb20d758d1c6061a71c2cae1ee89389d682a33b2d647
Instruction ID: 7d1fde2588675a6c958237cdb0a849e23bdb94e1c45e4296cf814136b2b33c4f
Opcode Fuzzy Hash: c233b043cf56a252d9ffcb20d758d1c6061a71c2cae1ee89389d682a33b2d647
Instruction Fuzzy Hash: 3BF05525801A248BC7B102106C58AA93F74BF10B01FA5CE15F80EF5146EB64DC46B2BA

Function 0058007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7277baca274e27b7904d62a4ce1f1f8a823a4bdb480cdc483fa11da05dff266
Instruction ID: e15fc1e4d22cf6e15a14a26df9ff24fd4a4ddce3c9a1e3e2c59b65ccb9351d8d
Opcode Fuzzy Hash: d7277baca274e27b7904d62a4ce1f1f8a823a4bdb480cdc483fa11da05dff266
Instruction Fuzzy Hash: 69C18075A00206EFDB54DF94C888EAEBBB5FF48314F209598E805EB291D770ED45DB50

Function 005A342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 005A3459
CoUninitialize.OLE32 ref: 005A3463
VariantInit.OLEAUT32(?), ref: 005A346E
VariantClear.OLEAUT32(?), ref: 005A371B

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 614dab8562c9ee4cb9e4a1957bef53d06ebd2d09b5b93953bb576ccfb678441e
Instruction ID: 9da74b9bf2387f3d81726c8dbcf60beeec3803b0226a1e6f3b825d212fa8b29b
Opcode Fuzzy Hash: 614dab8562c9ee4cb9e4a1957bef53d06ebd2d09b5b93953bb576ccfb678441e
Instruction Fuzzy Hash: FCA13B756042119FC700DF28D589A2EBBE5FF8E714F048859F98A9B3A2DB30EE05CB51

Function 00580436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,005BFC08,?), ref: 005805F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,005BFC08,?), ref: 00580608
CLSIDFromProgID.OLE32(?,?,00000000,005BCC40,000000FF,?,00000000,00000800,00000000,?,005BFC08,?), ref: 0058062D
_memcmp.LIBVCRUNTIME ref: 0058064E

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: c9b0bb2c1e9a843178d660a82b0f6d32b13ee51606df3dfbb1d05e85ca781c0e
Instruction ID: c84c84d10f55c45eefc8ed08fbe7349719af32ed95d721fb4557b7baa718c264
Opcode Fuzzy Hash: c9b0bb2c1e9a843178d660a82b0f6d32b13ee51606df3dfbb1d05e85ca781c0e
Instruction Fuzzy Hash: C981FC71A00109EFCB44DF94C984DEEBBB9FF89315F104558E516BB290DB71AE0ACB60

Function 00561391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005614C0

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 40eeecf63112f47984268c344bf1185e2c82d6b290bd99c27c845253d4d29908
Instruction ID: 842835827242d800170ae844a9cd57cc4fe89e35031ae02c224668c7c79abec0
Opcode Fuzzy Hash: 40eeecf63112f47984268c344bf1185e2c82d6b290bd99c27c845253d4d29908
Instruction Fuzzy Hash: 1A414B35A00912ABDF216BFC8C4A6BE3EA4FF81371F1C4626F819D7292EE7488415765

Function 005A1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 005A1AFD
WSAGetLastError.WSOCK32 ref: 005A1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 005A1B8A
WSAGetLastError.WSOCK32 ref: 005A1B94

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: ebf4d95c9768b2224ecc0734a19c4ac0189935de6598e7dab447a2660d7bd10b
Instruction ID: 1bb176938f51b1275e457555cf1c1f9f4ff36793959ecc0d48439ff1ed6fcddb
Opcode Fuzzy Hash: ebf4d95c9768b2224ecc0734a19c4ac0189935de6598e7dab447a2660d7bd10b
Instruction Fuzzy Hash: 9E41B434600611AFE720AF24D88AF297BE5BF89718F548448F51A9F7D3D772ED418BA0

Function 0055B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aedc1fb6267103ee4a2b0cf39aa3224d4a781b1e2efc7cff03198c528e1fe11
Instruction ID: 9db650caca72d0cdaf99e4e3813a33cff9ba9315d2a53d256fde26a8ac868e92
Opcode Fuzzy Hash: 8aedc1fb6267103ee4a2b0cf39aa3224d4a781b1e2efc7cff03198c528e1fe11
Instruction Fuzzy Hash: ED410775A00704AFE7249F78CC59BAA7FAAFBC8711F10452BF901DB281E77199058780

Function 005956D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00595783
GetLastError.KERNEL32(?,00000000), ref: 005957A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 005957CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 005957FA

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: b9baac6a3ba3d4eb0dc934191f4e72b725402c91d0798119a4240c97db25431f
Instruction ID: 5f14a3cbc2852f20eca892a7d25bdc3e008f203e343622aee919c954481680fa
Opcode Fuzzy Hash: b9baac6a3ba3d4eb0dc934191f4e72b725402c91d0798119a4240c97db25431f
Instruction Fuzzy Hash: AF411C39600611DFCB11EF55D548A1EBFE1FF89320B188488E84A6B3A2DB30FD00CB91

Function 0055D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00546D71,00000000,00000000,005482D9,?,005482D9,?,00000001,00546D71,?,00000001,005482D9,005482D9), ref: 0055D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0055D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0055D9AB
__freea.LIBCMT ref: 0055D9B4

Part of subcall function 00553820: RtlAllocateHeap.NTDLL(00000000,?,005F1444,?,0053FDF5,?,?,0052A976,00000010,005F1440,005213FC,?,005213C6,?,00521129), ref: 00553852

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 0308b67b35c096d27d8ba1cce6a7f5bf52c648071c79f1977c7daaacaf1bb45e
Instruction ID: f26527fd1a588a6769a88cd88403c89d82fbe441c389b8c10b8baf62d6d1515a
Opcode Fuzzy Hash: 0308b67b35c096d27d8ba1cce6a7f5bf52c648071c79f1977c7daaacaf1bb45e
Instruction Fuzzy Hash: DF31BC72A0020AABDB24DF64DC95EAE7FB5FB41351B05026AFC04A6251EB35DD58CBA0

Function 0058AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 0058ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0058AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0058AC74
SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 0058ACC6

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f46ba1a21ced70dfa44a91e48f51e295efb3dcd51fd1478e59d9951bc326cf5c
Instruction ID: 470d18eda989b9db7ccfc0e3223e1844d0a8f85374503d997c6741129e971b54
Opcode Fuzzy Hash: f46ba1a21ced70dfa44a91e48f51e295efb3dcd51fd1478e59d9951bc326cf5c
Instruction Fuzzy Hash: 63311470A00618AFFF35AB698809BFA7FA5BB89310F08471BF881B61D0C3759D859752

Function 005B7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 005B769A
GetWindowRect.USER32(?,?), ref: 005B7710
PtInRect.USER32(?,?,005B8B89), ref: 005B7720
MessageBeep.USER32(00000000), ref: 005B778C

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 31d36dfc95ae0c86085fef0b5ebcacf70908744fdace559e1df080857c4b3a48
Instruction ID: 5fd5f3eb6f63385a4966ee72d9b45d07d483d42796a88ecfdba7ea1087ac76e7
Opcode Fuzzy Hash: 31d36dfc95ae0c86085fef0b5ebcacf70908744fdace559e1df080857c4b3a48
Instruction Fuzzy Hash: 34418734A09219EFCB11CF58C894EE9BBF4FB98300F1941A8E815DB261CB70B946DB90

Function 005B16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 005B16EB

Part of subcall function 00583A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00583A57
Part of subcall function 00583A3D: GetCurrentThreadId.KERNEL32 ref: 00583A5E
Part of subcall function 00583A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005825B3), ref: 00583A65

GetCaretPos.USER32(?), ref: 005B16FF
ClientToScreen.USER32(00000000,?), ref: 005B174C
GetForegroundWindow.USER32 ref: 005B1752

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: ff5cbc3bdcda0fa86abbe1d8eeb84543a67a58835900633c50bfad29b036f802
Instruction ID: ebdf57608f9a03d11fe48db87f89cea7eda7fa886c570599d32f01c18ff3a543
Opcode Fuzzy Hash: ff5cbc3bdcda0fa86abbe1d8eeb84543a67a58835900633c50bfad29b036f802
Instruction Fuzzy Hash: 8C315071D00159AFCB00EFA5D885CAEBBF9FF89304B504069E415E7251DA31AE45CBA0

Function 0058D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0058D501
Process32FirstW.KERNEL32(00000000,?), ref: 0058D50F
Process32NextW.KERNEL32(00000000,?), ref: 0058D52F
CloseHandle.KERNEL32(00000000), ref: 0058D5DC

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 97691b6370ba782ec032153172cd62eff9221771548ec685a56e7d2aa66bb5a1
Instruction ID: 07342de9e84458bec6e20c4bcd814e19ccd2caa847fcf0d57b5d859a98a22342
Opcode Fuzzy Hash: 97691b6370ba782ec032153172cd62eff9221771548ec685a56e7d2aa66bb5a1
Instruction Fuzzy Hash: 07316D711082019FD301EF54D885AAABFF8BFDA354F14092DF581961E1EB71A948CBA2

Function 005B8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00539BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00539BB2

GetCursorPos.USER32(?), ref: 005B9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00577711,?,?,?,?,?), ref: 005B9016
GetCursorPos.USER32(?), ref: 005B905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00577711,?,?,?), ref: 005B9094

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 8912b9829978bdeeb6effdcd7a2c7c4ee46c3b6ed03f6e744085bbcde17f7169
Instruction ID: bf334b42a4958d5d532667669d7f174deb9f371802c0cb91b4c6d0eb770f51a0
Opcode Fuzzy Hash: 8912b9829978bdeeb6effdcd7a2c7c4ee46c3b6ed03f6e744085bbcde17f7169
Instruction Fuzzy Hash: 06219F35600018EFCB259F94C898EFA7FB9FB8A350F144155FA058B2A1C375A950EB60

Function 0058D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,005BCB68), ref: 0058D2FB
GetLastError.KERNEL32 ref: 0058D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0058D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,005BCB68), ref: 0058D376

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 69cc2ea6c869c30918328498896cdb11f46a1e8289e89329c4dd89878e3b9613
Instruction ID: 6051af092c556d9854742542dbbf1017005d9a15e92af127aa98045a879f996f
Opcode Fuzzy Hash: 69cc2ea6c869c30918328498896cdb11f46a1e8289e89329c4dd89878e3b9613
Instruction Fuzzy Hash: 01217E745042029F8700EF28D8854AABFE4BE9A324F504E19F899D72E1DB309949CBA3

Function 00581571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00581014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0058102A
Part of subcall function 00581014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00581036
Part of subcall function 00581014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00581045
Part of subcall function 00581014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0058104C
Part of subcall function 00581014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00581062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005815BE
_memcmp.LIBVCRUNTIME ref: 005815E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00581617
HeapFree.KERNEL32(00000000), ref: 0058161E

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 076b1eba76998cbd55829fb83bc9f46ea7c14b697ae485cb31c0b73a2f6f3339
Instruction ID: bc689f087440cba1358579d4e96600f147953f2d9d2c4fbc8a5b512fcbd3a4e8
Opcode Fuzzy Hash: 076b1eba76998cbd55829fb83bc9f46ea7c14b697ae485cb31c0b73a2f6f3339
Instruction Fuzzy Hash: 52215A71E00509AFDF10EFA5C949BEEBBB8FF84344F084459E841BB241E730AA06DB64

Function 005B2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 005B280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005B2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005B2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 005B2840

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: b04bd9c357d8c4d73d6b8ce16f923419c3d38c4004c4e78595a00bd20738f520
Instruction ID: e21558e735d3bcc97bfb2e9fbed19d3c85c59e43aa18e9cbddb9e5b6e6f85844
Opcode Fuzzy Hash: b04bd9c357d8c4d73d6b8ce16f923419c3d38c4004c4e78595a00bd20738f520
Instruction Fuzzy Hash: 3421A131204611AFD7149B24C845FAA7F99FF85324F148258F4268B6E2CB71FC42CBE4

Function 005878F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00588D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0058790A,?,000000FF,?,00588754,00000000,?,0000001C,?,?), ref: 00588D8C
Part of subcall function 00588D7D: lstrcpyW.KERNEL32(00000000,?,?,0058790A,?,000000FF,?,00588754,00000000,?,0000001C,?,?,00000000), ref: 00588DB2
Part of subcall function 00588D7D: lstrcmpiW.KERNEL32(00000000,?,0058790A,?,000000FF,?,00588754,00000000,?,0000001C,?,?), ref: 00588DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00588754,00000000,?,0000001C,?,?,00000000), ref: 00587923
lstrcpyW.KERNEL32(00000000,?,?,00588754,00000000,?,0000001C,?,?,00000000), ref: 00587949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00588754,00000000,?,0000001C,?,?,00000000), ref: 00587984

Strings

cdecl, xrefs: 0058797B

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 48cc11cf670fd9f4d962673058bc02d9c62a2bb9b8a4f7316b23a2a76915a3f9
Instruction ID: b94bb042359ae1b5a094ce235567cbba2bd362be11a5fe3fec1ea4627e5627dc
Opcode Fuzzy Hash: 48cc11cf670fd9f4d962673058bc02d9c62a2bb9b8a4f7316b23a2a76915a3f9
Instruction Fuzzy Hash: C011293A200306ABCB15AF39C848D7A7BA9FF99390B50402AFC42DB264EF31D801D791

Function 00581A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00581A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00581A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00581A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00581A8A

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 130140a0510f1ddb25adc30f22dff8df5712c7c6cf0b6af43b3812ebad0ea197
Instruction ID: b19d8209b31d60ae6d1f527d556fdb29f188cd118d2614df905d58e164c695a6
Opcode Fuzzy Hash: 130140a0510f1ddb25adc30f22dff8df5712c7c6cf0b6af43b3812ebad0ea197
Instruction Fuzzy Hash: CF11393AD01219FFEB10EBA4CD85FADBB78FB08750F200091EA11B7290D6716E51DB98

Function 0058E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0058E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0058E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0058E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0058E24D

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: ba80f16a2ca0ce1d1871058abba3593567a3975f8eb0ffea47436b0fe6b4c81d
Instruction ID: d3b42e438fb06b96eef11cf64634fcd15e76dd6b6c1101a02648ff236758ac94
Opcode Fuzzy Hash: ba80f16a2ca0ce1d1871058abba3593567a3975f8eb0ffea47436b0fe6b4c81d
Instruction Fuzzy Hash: C7110876904214BBC701AFA89C0AAAE7FBEAB55310F004725F816F3290D6B49908D7A4

Function 0054D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0054CFF9,00000000,00000004,00000000), ref: 0054D218
GetLastError.KERNEL32 ref: 0054D224
__dosmaperr.LIBCMT ref: 0054D22B
ResumeThread.KERNEL32(00000000), ref: 0054D249

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 000ae0307212258ca09213c1286c3369ad5b09fedc2d69e506940121202ab1a0
Instruction ID: d8496ad14d21c4e9e2362f662e95f36150928e5f761267834371805b07735394
Opcode Fuzzy Hash: 000ae0307212258ca09213c1286c3369ad5b09fedc2d69e506940121202ab1a0
Instruction Fuzzy Hash: F201C03A809215BBCB115BA9DC09AEA7EB9FFC1339F100219F925921D0DBB08905D7B0

Function 00543B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00543B56

Part of subcall function 00543AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00543AD2
Part of subcall function 00543AA3: ___AdjustPointer.LIBCMT ref: 00543AED

_UnwindNestedFrames.LIBCMT ref: 00543B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00543B7C
CallCatchBlock.LIBVCRUNTIME ref: 00543BA4

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 144a6efec006dc977908915cb384831e0df3a871bf6049d6420352e5f0614b88
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 8401E932100149BBDF126E95CC4AEEB7F69FF98758F044114FE4896121C732E961DBA0

Function 00553073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,005213C6,00000000,00000000,?,0055301A,005213C6,00000000,00000000,00000000,?,0055328B,00000006,FlsSetValue), ref: 005530A5
GetLastError.KERNEL32(?,0055301A,005213C6,00000000,00000000,00000000,?,0055328B,00000006,FlsSetValue,005C2290,FlsSetValue,00000000,00000364,?,00552E46), ref: 005530B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0055301A,005213C6,00000000,00000000,00000000,?,0055328B,00000006,FlsSetValue,005C2290,FlsSetValue,00000000), ref: 005530BF

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: ad1bf4b7453b17e06f9db8837bcba93ef45b301b2525eee0228a3fbe381f5fff
Instruction ID: e5ea390ef52b07a91882f6ac11ae3067e0a6bb0893e80da2cc4cae45db6faacd
Opcode Fuzzy Hash: ad1bf4b7453b17e06f9db8837bcba93ef45b301b2525eee0228a3fbe381f5fff
Instruction Fuzzy Hash: 3301D436301722ABCB614A789C58967BF98BF55BE2B100B22FD09E71E0D721DD0DD6E0

Function 00587464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0058747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00587497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 005874AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 005874CA

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 1b458f63056bca7a7658d6ad036bc5aae7622abb6d7d0108e27357f4ee20b15f
Instruction ID: 62158eb802d6041c249a4d24ad2be8e67ddeb9436dc3660173a6b240c76f4111
Opcode Fuzzy Hash: 1b458f63056bca7a7658d6ad036bc5aae7622abb6d7d0108e27357f4ee20b15f
Instruction Fuzzy Hash: AB11C4B12053189FEB209F54DC08F927FFCFB04B10F208569AA66E6161D770F908EB60

Function 0058B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0058ACD3,?,00008000), ref: 0058B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0058ACD3,?,00008000), ref: 0058B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0058ACD3,?,00008000), ref: 0058B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0058ACD3,?,00008000), ref: 0058B126

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: cd636a8ddde70ac58897f80c4d0fd0c98bc0b9868dab65ae63da1c39e79af204
Instruction ID: c8c858d5b26735f86971c0b9f9550e49f3ff11900707d86896db8b34f190d49f
Opcode Fuzzy Hash: cd636a8ddde70ac58897f80c4d0fd0c98bc0b9868dab65ae63da1c39e79af204
Instruction Fuzzy Hash: CF117930C00528E7EF04EFA8E99C6EEBF78FF59311F004586D981B6181CB306654DB55

Function 00582DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00582DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00582DD6
GetCurrentThreadId.KERNEL32 ref: 00582DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00582DE4

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 610e9d5bd1a8415c6ae9c10e92a864978c0bbe6b90b0792d0757c6482233f763
Instruction ID: a1b1eae75bc9a6820b0dde737c7432729bf4f077eea18ac5af7a848c73ea8a6a
Opcode Fuzzy Hash: 610e9d5bd1a8415c6ae9c10e92a864978c0bbe6b90b0792d0757c6482233f763
Instruction Fuzzy Hash: 17E092B25022247BD7602B769C0DFFB3F6CFF62BA1F000215F905E10809AA0D845D7B0

Function 005B8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00539639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00539693
Part of subcall function 00539639: SelectObject.GDI32(?,00000000), ref: 005396A2
Part of subcall function 00539639: BeginPath.GDI32(?), ref: 005396B9
Part of subcall function 00539639: SelectObject.GDI32(?,00000000), ref: 005396E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 005B8887
LineTo.GDI32(?,?,?), ref: 005B8894
EndPath.GDI32(?), ref: 005B88A4
StrokePath.GDI32(?), ref: 005B88B2

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: bf65a21970f94adeb192a469679c77a873eb5183740af14b2cfb4debeb6df119
Instruction ID: 019d2ca44cb0ce25c9f3cddfcea904e3572c484d54d6a4ff7b1d88d9a1a74301
Opcode Fuzzy Hash: bf65a21970f94adeb192a469679c77a873eb5183740af14b2cfb4debeb6df119
Instruction Fuzzy Hash: 9BF05E36041659FBDB126F94AC0EFDE3F59AF26310F048100FA11650E1C7B96515EFE9

Function 005398B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 005398CC
SetTextColor.GDI32(?,?), ref: 005398D6
SetBkMode.GDI32(?,00000001), ref: 005398E9
GetStockObject.GDI32(00000005), ref: 005398F1

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 6e5124c13ffcdcdd9519c6832becdd6f7153cb1274dd66ff4ddb50f14ea51bf3
Instruction ID: 725bcd7eb6a4aea79264f85c1017a278e9001ba3cfcb805535b0583c98321d59
Opcode Fuzzy Hash: 6e5124c13ffcdcdd9519c6832becdd6f7153cb1274dd66ff4ddb50f14ea51bf3
Instruction Fuzzy Hash: B9E06D32244284AADB615B78BC09BE83F21BB26336F14C319F6FA680E1C3715644EB20

Function 0058162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00581634
OpenThreadToken.ADVAPI32(00000000,?,?,?,005811D9), ref: 0058163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005811D9), ref: 00581648
OpenProcessToken.ADVAPI32(00000000,?,?,?,005811D9), ref: 0058164F

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 07cb4b4ce0d961970178a18c136d2a2997902aec4e608d759b204404ca934286
Instruction ID: a96d2d985290ab13dac3ce03779af06bbe16ea99589f3d9874ea157b91aacbc9
Opcode Fuzzy Hash: 07cb4b4ce0d961970178a18c136d2a2997902aec4e608d759b204404ca934286
Instruction Fuzzy Hash: 7AE08631601211DBD7602FA19D0DB8A3F7CBF64791F184918F685D9080E6345449D768

Function 0057D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0057D858
GetDC.USER32(00000000), ref: 0057D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0057D882
ReleaseDC.USER32(?), ref: 0057D8A3

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c3ed26e31567f38d26f030438bb7094e5ca8833dac8e735c485d53b3d0de21e7
Instruction ID: f1cece627e1137ffc9dd21bc447471fbd1ecc79bad5080da5150b9f2770668e3
Opcode Fuzzy Hash: c3ed26e31567f38d26f030438bb7094e5ca8833dac8e735c485d53b3d0de21e7
Instruction Fuzzy Hash: 06E0E5B4800205DFCB81AFA8A90CA6DBFB1BB58310F108509E806A7250C7386905AF54

Function 0057D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0057D86C
GetDC.USER32(00000000), ref: 0057D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0057D882
ReleaseDC.USER32(?), ref: 0057D8A3

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 6b6083eac51c024476abebf490c959af5c9a83a1d7545aab6ebf752fe544bc69
Instruction ID: d4a553bf5db32505d08a5b7a894a3161a38df3ec06df7d7b6d95bf7b7980ca9f
Opcode Fuzzy Hash: 6b6083eac51c024476abebf490c959af5c9a83a1d7545aab6ebf752fe544bc69
Instruction Fuzzy Hash: FBE012B4C00204EFCB80AFA8E80CA6DBFB1BB58310F108508E80AE7350CB386909AF54

Function 00594D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00527620: _wcslen.LIBCMT ref: 00527625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00594ED4

Strings

*, xrefs: 00594E10
LPT, xrefs: 00594DFB

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 0e01270faa238ade47e7ebd00b6da66d8f9d9b9fa85d465c5658602aa85a9f53
Instruction ID: e7f007e1b34ab0d47a999e6771b073b6305dfd6e9f13fc4f953be0c84551bb10
Opcode Fuzzy Hash: 0e01270faa238ade47e7ebd00b6da66d8f9d9b9fa85d465c5658602aa85a9f53
Instruction Fuzzy Hash: DE913A75A002559FCB14DF58C484EAABFB5BF49304F188099E80A9B7A2D731ED86CF91

Function 0054E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0054E30D

Strings

pow, xrefs: 0054E2E5, 0054E302

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 41a82f6a45ccfe17bad25137d2180688b4e472ad21aae3bad3d4aa856d614592
Instruction ID: 15e620081deae9aa5e965fdaf6f6959bc1d9f9870143b325bde95126f8e7cc2d
Opcode Fuzzy Hash: 41a82f6a45ccfe17bad25137d2180688b4e472ad21aae3bad3d4aa856d614592
Instruction Fuzzy Hash: 1651C47190C60A96CB127B24ED277F93FA8FB54746F304D59E8D1432E9DB304C8D9645

Function 005A7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0057569E,00000000,?,005BCC08,?,00000000,00000000), ref: 005A78DD

Part of subcall function 00526B57: _wcslen.LIBCMT ref: 00526B6A

CharUpperBuffW.USER32(0057569E,00000000,?,005BCC08,00000000,?,00000000,00000000), ref: 005A783B

Strings

<s^, xrefs: 005A77C8

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s^
API String ID: 3544283678-1525781280
Opcode ID: 7c8868e7b5462cc5d88113b4edd0460cfc9b956fb12c5b64178debacdee6cb10
Instruction ID: 88cfcfca66ab7513ad47475624646857fe2dbf55692d3d2dc8afd3c821f63875
Opcode Fuzzy Hash: 7c8868e7b5462cc5d88113b4edd0460cfc9b956fb12c5b64178debacdee6cb10
Instruction Fuzzy Hash: 79615E3291412EABCF04EBA4DC95DFEBF78BF6A700F544526E542A3091EB345A45CBA0

Function 0053E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0053E1B1

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4bf42be0511bd574e66aadc9766744e51fa677a5432df03a78b8e52011fac46b
Instruction ID: 154474c76fb8d1bf52efd4a826985ef1a659455035508c4d57acc315b7ad8aa5
Opcode Fuzzy Hash: 4bf42be0511bd574e66aadc9766744e51fa677a5432df03a78b8e52011fac46b
Instruction Fuzzy Hash: F2514339500386DFDB19DF68E086ABA7FA8FF5A310F248095F8959B2C0D7309D42DB90

Function 0053F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0053F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0053F2BB

Strings

@, xrefs: 0053F2AF

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 2be13205d51a1ee20f3cd48184dfd5aaf8b74a0f9600fddd80f9d29686bd4202
Instruction ID: 9228831db9e5efbd82276a628bdd708e4b2251f70994de16d09f9179e041f780
Opcode Fuzzy Hash: 2be13205d51a1ee20f3cd48184dfd5aaf8b74a0f9600fddd80f9d29686bd4202
Instruction Fuzzy Hash: 795127714087499BD320AF50E88ABAFBBF8FFD9300F81885DF1D941195EB709529CB66

Function 00582999 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 005829EB
SendMessageW.USER32(?,0000110A,00000001,?), ref: 00582A8D

Part of subcall function 00582C75: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00582CE0

Strings

@U=u, xrefs: 005829EB, 00582A8D

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 09ef81d418e3227a6f21c915afb13010a5759dd75c9079d3649e74b2e98c1c3a
Instruction ID: 8d8ccb971adbade2895cc9c7d55371ce4b4b879bca9abdfff1362b78db50d275
Opcode Fuzzy Hash: 09ef81d418e3227a6f21c915afb13010a5759dd75c9079d3649e74b2e98c1c3a
Instruction Fuzzy Hash: 8B418031A00219ABDF25EF54C849BEE7FB5BF85710F040429FD06B3291DBB09A44CB92

Function 005A5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 005A57E0
_wcslen.LIBCMT ref: 005A57EC

Strings

CALLARGARRAY, xrefs: 005A57E6, 005A57EB

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: b26495da2b11b5910b07ac284c57371a1379a277ff793a4a9f3f0aff51392725
Instruction ID: 6065a33508039df996becd1df711bb9d0006f58798f194ec356a6846e10bd908
Opcode Fuzzy Hash: b26495da2b11b5910b07ac284c57371a1379a277ff793a4a9f3f0aff51392725
Instruction Fuzzy Hash: 9F418F31E0020A9FCB14DFA9C885DAEBFF5FF9A314F244069E505A7291E7349D81CBA0

Function 0059D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0059D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0059D13A

Strings

|, xrefs: 0059D10B

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: c6e1474492a25c25eb089f117d993fe5a46d2b3d055cf45bc53106d0f5566b07
Instruction ID: 8c424b6503b2e890045bb87b9dff96a8161a0a638267a0ec9286642470217192
Opcode Fuzzy Hash: c6e1474492a25c25eb089f117d993fe5a46d2b3d055cf45bc53106d0f5566b07
Instruction Fuzzy Hash: 13313071D0111AABCF15EFA4DC89AEFBFB9FF45300F100019F815A6161D731A946DB60

Function 005B356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 005B3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 005B365C

Strings

static, xrefs: 005B35BC

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: be653611c7019004b98b853d20189b2d4f0a7c37cdc8ec01d0d1daf7f2562c7f
Instruction ID: 0d90e2092b92e6278159e2ee684700da5233db9403619a4d61d58ccd94a9b8e1
Opcode Fuzzy Hash: be653611c7019004b98b853d20189b2d4f0a7c37cdc8ec01d0d1daf7f2562c7f
Instruction Fuzzy Hash: CD319E71110604AEDB24DF28DC84EFB7BA9FF98720F009619F8A5D7280DA30AD81D764

Function 005B4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 005B461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005B4634

Strings

', xrefs: 005B458E

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: ae5c4076304c7f56155dc3bf4d3f0521d5e3ff0ca87f884e36c63e3fff3f69a7
Instruction ID: 2f0be6ea90e1e15b68c283d8603530e92647ae4dcb75b0c70072123901a6e5e6
Opcode Fuzzy Hash: ae5c4076304c7f56155dc3bf4d3f0521d5e3ff0ca87f884e36c63e3fff3f69a7
Instruction Fuzzy Hash: 46313874A0061A9FDB24CFA9C980BEA7BB5FF49300F10406AE905EB382D770A941DF90

Function 0058286B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00582884
SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 005828B6

Strings

@U=u, xrefs: 00582884, 005828B6

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: fc13a3f99e31360ed13d65a45c6102d264622656d3353ed38fbc70e2bf384434
Instruction ID: 216bfd126c48d421f114d6a8cd2547bbf85299e6fa62cc286b4cd9bb19a38475
Opcode Fuzzy Hash: fc13a3f99e31360ed13d65a45c6102d264622656d3353ed38fbc70e2bf384434
Instruction Fuzzy Hash: E721D032E00215ABCB15AF949884DBEBFB9FFD9710F044129ED15B7290EA749D81CBA0

Function 00583BC4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00583D03: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00583D18

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00583C23
_strlen.LIBCMT ref: 00583C2E

Strings

@U=u, xrefs: 00583C23

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID: @U=u
API String ID: 2777139624-2594219639
Opcode ID: 0bd0bcb168161aeabe9794a90b1d2e1bdfe472ef925d704e9ed990213c6b2753
Instruction ID: 2c31d1783270aeaf89e75e858d37a6eaab1867e4ba3f24c37833e561f861df80
Opcode Fuzzy Hash: 0bd0bcb168161aeabe9794a90b1d2e1bdfe472ef925d704e9ed990213c6b2753
Instruction Fuzzy Hash: B111A532600116678B287E7C98969BE7F64AF95F40F14003DED06BB292DE509E4287E4

Function 005B336F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0058ED19: GetLocalTime.KERNEL32 ref: 0058ED2A
Part of subcall function 0058ED19: _wcslen.LIBCMT ref: 0058ED3B
Part of subcall function 0058ED19: _wcslen.LIBCMT ref: 0058ED79
Part of subcall function 0058ED19: _wcslen.LIBCMT ref: 0058EDAF
Part of subcall function 0058ED19: _wcslen.LIBCMT ref: 0058EDDF
Part of subcall function 0058ED19: _wcslen.LIBCMT ref: 0058EDEF
Part of subcall function 0058ED19: _wcslen.LIBCMT ref: 0058EE2B

SendMessageW.USER32(?,00001002,00000000,?), ref: 005B340A

Strings

SysDateTimePick32, xrefs: 005B33C7
@U=u, xrefs: 005B340A

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _wcslen$LocalMessageSendTime
String ID: @U=u$SysDateTimePick32
API String ID: 2216836867-2530228043
Opcode ID: e1020c22b62e12a3b6c320d98aca46af873c89f1f78e7d1299534f8f1c336e29
Instruction ID: 3c016d1fce50c1e2c55f8e74b91c4f63a8576337d8fdee34fc974ba40fddfc74
Opcode Fuzzy Hash: e1020c22b62e12a3b6c320d98aca46af873c89f1f78e7d1299534f8f1c336e29
Instruction Fuzzy Hash: 0821D2312502096BEF219E54DC86FFF3BAAFB94754F100919F940BA1D0DAB1EC449760

Function 0058215F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00582178

Part of subcall function 0058B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0058B355
Part of subcall function 0058B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00582194,00000034,?,?,00001004,00000000,00000000), ref: 0058B365
Part of subcall function 0058B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00582194,00000034,?,?,00001004,00000000,00000000), ref: 0058B37B

Part of subcall function 0058B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005821D0,?,?,00000034,00000800,?,00000034), ref: 0058B42D

SendMessageW.USER32(?,00001073,00000000,?), ref: 005821DF

Part of subcall function 0058B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005821FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0058B3F8

Strings

@U=u, xrefs: 00582178, 005821DF

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
String ID: @U=u
API String ID: 1045663743-2594219639
Opcode ID: a8ac477dcd33ddc34ca6a153df0ab302e6943fb05dd54149361c2ab60b529485
Instruction ID: 4caa86db4ddfe0a643830194a7bcc26aa76eb35a9ad7686e419797ec0d41515e
Opcode Fuzzy Hash: a8ac477dcd33ddc34ca6a153df0ab302e6943fb05dd54149361c2ab60b529485
Instruction Fuzzy Hash: 91215C31901129ABEF15AFA8DC85FDDBFB8FF58350F1001A5E949B7190EA705A44CF54

Function 005B31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 005B327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005B3287

Strings

Combobox, xrefs: 005B3249

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: e62ee4ed5d0ad3b5da12d19f82cc53b23a5276f87de78c6ed6132caf6137420e
Instruction ID: 2d5915303156733efeb15e920e8f55f0a5e8f8404e45220c363254bf11d5099a
Opcode Fuzzy Hash: e62ee4ed5d0ad3b5da12d19f82cc53b23a5276f87de78c6ed6132caf6137420e
Instruction Fuzzy Hash: 6711E2753002087FEF219E94DC85EFB7F6AFB983A4F100228F918AB290D631AD519760

Function 005B3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0052600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0052604C
Part of subcall function 0052600E: GetStockObject.GDI32(00000011), ref: 00526060
Part of subcall function 0052600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0052606A

GetWindowRect.USER32(00000000,?), ref: 005B377A
GetSysColor.USER32(00000012), ref: 005B3794

Strings

static, xrefs: 005B3757

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 9324667d1328e325dceba7aae4ee5e5e32b1e87f70847460d9a87c1da0b61632
Instruction ID: 9bcd14b39550345c335969b16ed5629bc5fe05b010a2754f1096ef2b3bec5035
Opcode Fuzzy Hash: 9324667d1328e325dceba7aae4ee5e5e32b1e87f70847460d9a87c1da0b61632
Instruction Fuzzy Hash: BF1129B261020AAFDB00DFA8CC45EFA7BB8FB08354F004A14F955E2250EB35E955DB60

Function 005B6181 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 005B61FC
SendMessageW.USER32(?,00000194,00000000,00000000), ref: 005B6225

Strings

@U=u, xrefs: 005B61FC, 005B6225

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 7e7a4096dd0a5e9bc7ba657d99412002fc5585d088d99f71702767893a230482
Instruction ID: 4af1d345205be4e057ce79d6e9676aa7fbb6d9ea441fd2615d922aacd3520cdd
Opcode Fuzzy Hash: 7e7a4096dd0a5e9bc7ba657d99412002fc5585d088d99f71702767893a230482
Instruction Fuzzy Hash: 06118E3A140214BEFF158F68DD19FF97FA4FB09310F004115FA169A1D1D2B8FA00EA50

Function 0059CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0059CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0059CDA6

Strings

<local>, xrefs: 0059CD66

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: fd349addbef8db6bc16e02884009c2f20530c78bbee0eb44006ce49e2cca10da
Instruction ID: 79cfb422a44a564fe47d8178e5d599375828c72f9b5010a24dc0895b4cbbb9cb
Opcode Fuzzy Hash: fd349addbef8db6bc16e02884009c2f20530c78bbee0eb44006ce49e2cca10da
Instruction Fuzzy Hash: 5311C2B1205771BADB384B668C49EE7BEACFF227A4F00462AB10983180D7749844D6F0

Function 005B4F80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 005B4FCC

Strings

@U=u, xrefs: 005B4FCC, 005B5008

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: a02d0224556ee858a7e1a6cb3fc485bfe4ac79c73a492fa0bb2ba541c1fda6b3
Instruction ID: 065c8e4512e07d5ebb003c3da22d6cf47fb3f0ad2c13ac01975e3f6baa045879
Opcode Fuzzy Hash: a02d0224556ee858a7e1a6cb3fc485bfe4ac79c73a492fa0bb2ba541c1fda6b3
Instruction Fuzzy Hash: CE21D07AA0011AEFCB15DFA8C9449EA7BBAFB4D340B104554FA05A7320D631E921EBA0

Function 005B30D2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 005B3147

Strings

@U=u, xrefs: 005B3147
button, xrefs: 005B311E

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$button
API String ID: 3850602802-1762282863
Opcode ID: 0370ba64d2cfc15a0c41eb6f97ca65b4d50ddef9d66885ee5a42c69735beebb0
Instruction ID: b60bd1925a3eef59bf399627efc000bcf5867d597ae9ea0ea971dcf5f4238431
Opcode Fuzzy Hash: 0370ba64d2cfc15a0c41eb6f97ca65b4d50ddef9d66885ee5a42c69735beebb0
Instruction Fuzzy Hash: 0B11AD32250209ABDF119FA8DC45FEA3FAAFF58354F100224FA54A7190C776F961EB60

Function 00586C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

CharUpperBuffW.USER32(?,?,?), ref: 00586CB6
_wcslen.LIBCMT ref: 00586CC2

Strings

STOP, xrefs: 00586CBC, 00586CC1

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: c4995c4473dfa78409a5b20b7d6b02fecc98434f19491a00a1e47a5c2d2c37e2
Instruction ID: 1d1caa929ce9ce40949144d2057b8b9e8af671611f330bffe211b486afdb6121
Opcode Fuzzy Hash: c4995c4473dfa78409a5b20b7d6b02fecc98434f19491a00a1e47a5c2d2c37e2
Instruction Fuzzy Hash: BE01AD32A105278B8B21BEBDDC859BF7FA5BFA1714B500928EC62A6290EA31DD008750

Function 005823DB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0058B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005821D0,?,?,00000034,00000800,?,00000034), ref: 0058B42D

SendMessageW.USER32(?,0000102B,?,00000000), ref: 0058243B
SendMessageW.USER32(?,0000102B,?,00000000), ref: 0058245E

Strings

@U=u, xrefs: 0058243B, 0058245E

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend$MemoryProcessWrite
String ID: @U=u
API String ID: 1195347164-2594219639
Opcode ID: 53e452fe408bde43009eeea424c80bc9eb603474196c5f966764225d59474f5e
Instruction ID: fa6d97753bd07d5cd27dc997d27d931e04a3a3b1e3ae990146a64ea38332e053
Opcode Fuzzy Hash: 53e452fe408bde43009eeea424c80bc9eb603474196c5f966764225d59474f5e
Instruction Fuzzy Hash: D5018832900115ABEB117F64DC4AFEEBF79EB18310F104166F915BA0D1DBB06D45CB60

Function 005B4366 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133E,00000000,?), ref: 005B43AF
InvalidateRect.USER32(?,00000000,00000001,?,?), ref: 005B4408

Strings

@U=u, xrefs: 005B43AF

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID: @U=u
API String ID: 909852535-2594219639
Opcode ID: 268aa33fa52c8cd690ef559f453d3a8e18414631fb265ada23b4eea17771b61f
Instruction ID: bb7939516af5f2667cea8268340931ed4f0943b4862662f9f34d124aead5ad11
Opcode Fuzzy Hash: 268aa33fa52c8cd690ef559f453d3a8e18414631fb265ada23b4eea17771b61f
Instruction Fuzzy Hash: 9211BF30500744AFEB21CF28C891BE7BBE4BF15310F10891CE8AB9B282C7707955DB50

Function 0058250B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00582531
SendMessageW.USER32(?,0000040D,?,00000000), ref: 00582564

Part of subcall function 0058B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005821FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0058B3F8

Part of subcall function 00526B57: _wcslen.LIBCMT ref: 00526B6A

Strings

@U=u, xrefs: 00582531, 00582564

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend$MemoryProcessRead_wcslen
String ID: @U=u
API String ID: 1083363909-2594219639
Opcode ID: 9de9b65b114ee4ab4ea662b26bc8b0527fe276c65c4749527a3080ff993399c7
Instruction ID: 11b4ca162191d48747a48b4c2333c187668f5fb1e89c79c3427196ec0ba4a70c
Opcode Fuzzy Hash: 9de9b65b114ee4ab4ea662b26bc8b0527fe276c65c4749527a3080ff993399c7
Instruction Fuzzy Hash: 00016171900129AFDB50AF54DC95DEE7B7CFF64340F40C065B549A7190DE705E88CB90

Function 0053A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0053A529

Part of subcall function 00529CB3: _wcslen.LIBCMT ref: 00529CBD

Strings

3yW, xrefs: 0053A545, 0053A54D, 0053A552
,%_, xrefs: 0053A509

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%_$3yW
API String ID: 2551934079-2061247809
Opcode ID: a44925269a411986c79e07b2a657b92231755f74e8a8ef019a3dd42d70809c2e
Instruction ID: 6dda7cc49a81c58f4136a2ee5e631a0345f0d6d3118cacc3de3fab8a82d17a3e
Opcode Fuzzy Hash: a44925269a411986c79e07b2a657b92231755f74e8a8ef019a3dd42d70809c2e
Instruction Fuzzy Hash: 2C0126717016268BCE04F768EC1FAAD3F64BB86710F501428F6425B2C2EE64AD01CAA7

Function 005B90A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00539BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00539BB2

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,0057769C,?,?,?), ref: 005B9111

Part of subcall function 00539944: GetWindowLongW.USER32(?,000000EB), ref: 00539952

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 005B90F7

Strings

@U=u, xrefs: 005B90F7

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: @U=u
API String ID: 982171247-2594219639
Opcode ID: 7136be1a0d5509041fd10f50e73ca4381c726ddbcc6485bfb865885ce2a71cd3
Instruction ID: 04623f6e2a8053df69057e326cdb03944833740289ea493e2fbf9e3e4a874240
Opcode Fuzzy Hash: 7136be1a0d5509041fd10f50e73ca4381c726ddbcc6485bfb865885ce2a71cd3
Instruction Fuzzy Hash: 5001BC31100219EBDB21AF18DC49FA63FA6FB95365F200528FA511A2E1CBB27815EB64

Function 005B8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,005F3018,005F305C), ref: 005B81BF
CloseHandle.KERNEL32 ref: 005B81D1

Strings

\0_, xrefs: 005B818A

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0_
API String ID: 3712363035-3195368528
Opcode ID: 418e41443227a4b94de5ecd05e17b5d79694f01af60294271120cc37fffc4e59
Instruction ID: 48cdf59b6bea4366bd94ee0f176bf841c0d92124c1e3126d11aff4ec31a7749e
Opcode Fuzzy Hash: 418e41443227a4b94de5ecd05e17b5d79694f01af60294271120cc37fffc4e59
Instruction Fuzzy Hash: C7F054B1640314BAF3506B65AC4DFB73E9CEB14754F400422BB08D51A2DA799A04E3B8

Function 0058246C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00582480
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00582497

Part of subcall function 005823DB: SendMessageW.USER32(?,0000102B,?,00000000), ref: 0058243B

Strings

@U=u, xrefs: 00582480, 00582497

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 53a1a69495c12f7525d9ed52eace80c7510ac8c5245996c4d65539ecdf307f60
Instruction ID: 87c3b31c030806330191c419985da17ed8766ab6261bcfd16fc61195ec15d04f
Opcode Fuzzy Hash: 53a1a69495c12f7525d9ed52eace80c7510ac8c5245996c4d65539ecdf307f60
Instruction Fuzzy Hash: D2F0E230601121BBEB202B5ACC0FCDFBF6DEF96760F100114B805B6161CAE16D41D7B0

Function 005A747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005A7493
_wcslen.LIBCMT ref: 005A74B9

Strings

3, 3, 16, 1, xrefs: 005A7483

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 17225793d47d5d5b5329e1ba97591e5d66bb53cceb0d0f55a6bcddc271d9814c
Instruction ID: cb2c3c93fa2ae0a3cbd3e1a43447d0380d510b7b4f71a5d81d1039204fe2ce3d
Opcode Fuzzy Hash: 17225793d47d5d5b5329e1ba97591e5d66bb53cceb0d0f55a6bcddc271d9814c
Instruction Fuzzy Hash: 0DE02B12254321109731127A9CC5ABF5F8DFFCE750710182BF981C2266EE948D92A3A0

Function 00582BE8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00582BFA
SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00582C2A

Strings

@U=u, xrefs: 00582BFA, 00582C2A

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 3786e8717c8bf9f42e389b3bd1fcd576397a4f9a8336c0b814408b0995844a96
Instruction ID: 2beb203c6a5add504cb31905e67f2a08c4b99b5a8979b68b5bcb11d66c444a0f
Opcode Fuzzy Hash: 3786e8717c8bf9f42e389b3bd1fcd576397a4f9a8336c0b814408b0995844a96
Instruction Fuzzy Hash: DAF08C75240304BBFA116E84AC4AFAA3F58BB28761F000014FB056E0D0C9E26C0097A4

Function 00582D60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0058286B: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00582884
Part of subcall function 0058286B: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 005828B6

SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 00582D80
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00582D90

Strings

@U=u, xrefs: 00582D80, 00582D90

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 73c39c96e68545a81d448da2d1d99978d02213cb7f82a361688f5e17d720b4db
Instruction ID: 2f16c03ba1c0c7c3362c1f73138d70883aaf9e0be1d74998fb888dc88d7f38d3
Opcode Fuzzy Hash: 73c39c96e68545a81d448da2d1d99978d02213cb7f82a361688f5e17d720b4db
Instruction Fuzzy Hash: 09E0D8753443057FFA212A519C4AEA33F9CE758751F100026FB057D091DEE2DC216724

Function 005B5829 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133D,?,?), ref: 005B5855
InvalidateRect.USER32(?,?,00000001), ref: 005B5877

Strings

@U=u, xrefs: 005B5855

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID: @U=u
API String ID: 909852535-2594219639
Opcode ID: a1be87370b01bd742bfe952717f678cd4d034561d9a0c4751621da245e7251d9
Instruction ID: db6df84913c6846949a7578349a1f709e39897eed8207007f919a37ed87dfd64
Opcode Fuzzy Hash: a1be87370b01bd742bfe952717f678cd4d034561d9a0c4751621da245e7251d9
Instruction Fuzzy Hash: 70F08232604140AFDB259F69DC44FEEBFF8EB95321F0445B2E55AD9051E6309A85DB20

Function 00580B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00580B23

Strings

AutoIt, xrefs: 00580B17
Error allocating memory., xrefs: 00580B1C

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: ba9f9f46da9a0c9071329fa6825336795d18e6b943254991d3553ac2294c6f76
Instruction ID: f1926225109bd97344892daa991b88e52e09ad574608d8a6000cd1b77d57c30c
Opcode Fuzzy Hash: ba9f9f46da9a0c9071329fa6825336795d18e6b943254991d3553ac2294c6f76
Instruction Fuzzy Hash: 99E0483228435927D25436957C0BFC97F88FF45B55F10042AFB98995C38AE1745057AD

Function 00540D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0053F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00540D71,?,?,?,0052100A), ref: 0053F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0052100A), ref: 00540D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0052100A), ref: 00540D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00540D7F

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: ac6ef73ddda01a73652725faa3ba0154fab2bc0a849f2040c595e974e85d1e93
Instruction ID: 679c36e6e8f91874d72358bf22f4fd340180e6762c31833e3bc18dc923d09813
Opcode Fuzzy Hash: ac6ef73ddda01a73652725faa3ba0154fab2bc0a849f2040c595e974e85d1e93
Instruction Fuzzy Hash: 44E06D746007118BD7A09FB8E808796BFE4BF14748F104A2DE582C6691DBB5F4489BA1

Function 0053E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0053E3D5

Strings

0%_, xrefs: 0053E3B5
8%_, xrefs: 0053E3CA

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%_$8%_
API String ID: 1385522511-3458377328
Opcode ID: 006f57e015d23491d89a4b62df1aa25ee71b929a6ce0a75b87b3f1d67f24e18f
Instruction ID: 1cdb38b1b73f3a195c889a237753dc1d8925e3ae9075f95b66e5a1d710ea649d
Opcode Fuzzy Hash: 006f57e015d23491d89a4b62df1aa25ee71b929a6ce0a75b87b3f1d67f24e18f
Instruction Fuzzy Hash: A1E026B1484915CBC6049718F85AAA83BD3BB44320F202964E202CF1D19B383C49E644

Function 0057D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0057D220

Strings

%.3d, xrefs: 0057D22B
X64, xrefs: 0057D2A8

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: fe2db2b5e1d5c35ef5aa2cbb9cd2ae82612decc52b44b1b3ae1815f883ab20b6
Instruction ID: de1d134c241f4339fc0bf225f37b094ed8452967ead0160a2d4cbfb7055e8351
Opcode Fuzzy Hash: fe2db2b5e1d5c35ef5aa2cbb9cd2ae82612decc52b44b1b3ae1815f883ab20b6
Instruction Fuzzy Hash: 42D012A9C08109EACBD096D0EC498BDBF7CBF58301F50CC52FD4AA1041E624D5097771

Function 005B2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005B236C
PostMessageW.USER32(00000000), ref: 005B2373

Part of subcall function 0058E97B: Sleep.KERNEL32 ref: 0058E9F3

Strings

Shell_TrayWnd, xrefs: 005B2365

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 0b48a04fb5a15ff5f7fe0ddb899c3a7549f6839c1c8c2c0c271048f678e33235
Instruction ID: efc477f8e8a6d7f46556470ed25a778c12681965aff194e059f7a09690596006
Opcode Fuzzy Hash: 0b48a04fb5a15ff5f7fe0ddb899c3a7549f6839c1c8c2c0c271048f678e33235
Instruction Fuzzy Hash: B9D0C9323C13517AE6B8BB719C0FFD66E14AB65B50F004A16B685AA1D0D9E0B8458A58

Function 005B2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005B232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 005B233F

Part of subcall function 0058E97B: Sleep.KERNEL32 ref: 0058E9F3

Strings

Shell_TrayWnd, xrefs: 005B2325

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ae0ad5d0488dc846aad3eb3e40847098a44b7b82c509f7ce6dec2c3bf556e97e
Instruction ID: b7763acd550721bbfd867b6e4aa37ebe7d81d87742558aaa297a89a4a2046ecf
Opcode Fuzzy Hash: ae0ad5d0488dc846aad3eb3e40847098a44b7b82c509f7ce6dec2c3bf556e97e
Instruction Fuzzy Hash: A4D0A932380300B6E2B8BB309C0FFD66E14AB20B00F000A02B685AA0D0C8E0B8048A08

Function 00582313 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0058231F
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 0058232D

Strings

@U=u, xrefs: 0058231F, 0058232D

Memory Dump Source

Source File: 00000000.00000002.1356026365.0000000000521000.00000020.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1356000635.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356076559.00000000005E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356176752.00000000005EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1356222828.00000000005F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_zAK7HHniGW.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 99e582f1b787f23b6492426720e2e964a9c938f4fbac2a2bd90d4c7127894ecd
Instruction ID: 888a898ce9e3f99ccc9705c3ef319fa5d6092cc5932ceeffeb7ef3f9ede092a6
Opcode Fuzzy Hash: 99e582f1b787f23b6492426720e2e964a9c938f4fbac2a2bd90d4c7127894ecd
Instruction Fuzzy Hash: CAC00231140180BBE6611B6BAD0DD573E3DE7EAF517101258B2159D0A586A51059E628

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report zAK7HHniGW.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut136E.tmp

C:\Users\user\AppData\Local\Temp\spado

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
zAK7HHniGW.exe

Function 005242DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 005242A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00562BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00522CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00558D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Function 0056065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0052344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00522B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00523170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 010D35C0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00522C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 010D33C0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 135
fileCOMMON

Function 00592947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Function 00555AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre