Edit tour

Windows Analysis Report
VsTfsPVrfA.exe

Overview

General Information

Sample name:	VsTfsPVrfA.exe renamed because original name is a hash value
Original sample name:	d1465fbe175c0599d01bd7187d5acc41bb386baf783167a7faaa98467fe9e270.exe
Analysis ID:	1587723
MD5:	e946aea01243abbc72c6341437172647
SHA1:	517db53281b8a901f9693caa98ee2e4980377fef
SHA256:	d1465fbe175c0599d01bd7187d5acc41bb386baf783167a7faaa98467fe9e270
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

VsTfsPVrfA.exe (PID: 3108 cmdline: "C:\Users\user\Desktop\VsTfsPVrfA.exe" MD5: E946AEA01243ABBC72C6341437172647)

svchost.exe (PID: 3892 cmdline: "C:\Users\user\Desktop\VsTfsPVrfA.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1541751055.0000000002B80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1541510302.0000000000610000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.610000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.610000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\VsTfsPVrfA.exe", CommandLine: "C:\Users\user\Desktop\VsTfsPVrfA.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\VsTfsPVrfA.exe", ParentImage: C:\Users\user\Desktop\VsTfsPVrfA.exe, ParentProcessId: 3108, ParentProcessName: VsTfsPVrfA.exe, ProcessCommandLine: "C:\Users\user\Desktop\VsTfsPVrfA.exe", ProcessId: 3892, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\VsTfsPVrfA.exe", CommandLine: "C:\Users\user\Desktop\VsTfsPVrfA.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\VsTfsPVrfA.exe", ParentImage: C:\Users\user\Desktop\VsTfsPVrfA.exe, ParentProcessId: 3108, ParentProcessName: VsTfsPVrfA.exe, ProcessCommandLine: "C:\Users\user\Desktop\VsTfsPVrfA.exe", ProcessId: 3892, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: VsTfsPVrfA.exe	Virustotal: Detection: 31%			Perma Link
Source: VsTfsPVrfA.exe	ReversingLabs: Detection: 76%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1541751055.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1541510302.0000000000610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: VsTfsPVrfA.exe

Joe Sandbox ML: detected

Source: VsTfsPVrfA.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: VsTfsPVrfA.exe, 00000000.00000003.1461270981.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, VsTfsPVrfA.exe, 00000000.00000003.1455400739.0000000003910000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1541856086.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1506188652.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1504324547.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1541856086.000000000339E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: VsTfsPVrfA.exe, 00000000.00000003.1461270981.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, VsTfsPVrfA.exe, 00000000.00000003.1455400739.0000000003910000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1541856086.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1506188652.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1504324547.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1541856086.000000000339E000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001ADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_001ADBBE
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_0017C2A2 FindFirstFileExW,	0_2_0017C2A2
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001B68EE FindFirstFileW,FindClose,	0_2_001B68EE
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001B698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_001B698F
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001AD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001AD076
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001AD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001AD3A9
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001B9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001B9642
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001B979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001B979D
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001B9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_001B9B2B
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001B5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_001B5C97

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_001BCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_001BCE44

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_001BEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_001BEAFF

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_001BED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_001BED6A

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

0_2_001BEAFF

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_001AAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_001AAA57

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_001D9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_001D9576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1541751055.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1541510302.0000000000610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: VsTfsPVrfA.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: VsTfsPVrfA.exe, 00000000.00000000.1440110410.0000000000202000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_adf77c7b-b
Source: VsTfsPVrfA.exe, 00000000.00000000.1440110410.0000000000202000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_9a11e8bc-7
Source: VsTfsPVrfA.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d7e9177d-5
Source: VsTfsPVrfA.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_fb2219dd-0

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0063C8C3 NtClose,	2_2_0063C8C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272B60 NtClose,LdrInitializeThunk,	2_2_03272B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03272DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032735C0 NtCreateMutant,LdrInitializeThunk,	2_2_032735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03274340 NtSetContextThread,	2_2_03274340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03274650 NtSuspendThread,	2_2_03274650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272BA0 NtEnumerateValueKey,	2_2_03272BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272B80 NtQueryInformationFile,	2_2_03272B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272BE0 NtQueryValueKey,	2_2_03272BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272BF0 NtAllocateVirtualMemory,	2_2_03272BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272AB0 NtWaitForSingleObject,	2_2_03272AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272AF0 NtWriteFile,	2_2_03272AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272AD0 NtReadFile,	2_2_03272AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272F30 NtCreateSection,	2_2_03272F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272F60 NtCreateProcessEx,	2_2_03272F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272FA0 NtQuerySection,	2_2_03272FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272FB0 NtResumeThread,	2_2_03272FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272F90 NtProtectVirtualMemory,	2_2_03272F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272FE0 NtCreateFile,	2_2_03272FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272E30 NtWriteVirtualMemory,	2_2_03272E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272EA0 NtAdjustPrivilegesToken,	2_2_03272EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272E80 NtReadVirtualMemory,	2_2_03272E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272EE0 NtQueueApcThread,	2_2_03272EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272D30 NtUnmapViewOfSection,	2_2_03272D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272D00 NtSetInformationFile,	2_2_03272D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272D10 NtMapViewOfSection,	2_2_03272D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272DB0 NtEnumerateKey,	2_2_03272DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272DD0 NtDelayExecution,	2_2_03272DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272C00 NtQueryInformationProcess,	2_2_03272C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272C60 NtCreateKey,	2_2_03272C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272C70 NtFreeVirtualMemory,	2_2_03272C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272CA0 NtQueryInformationToken,	2_2_03272CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272CF0 NtOpenProcess,	2_2_03272CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272CC0 NtQueryVirtualMemory,	2_2_03272CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273010 NtOpenDirectoryObject,	2_2_03273010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273090 NtSetValueKey,	2_2_03273090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032739B0 NtGetContextThread,	2_2_032739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273D10 NtOpenProcessToken,	2_2_03273D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273D70 NtOpenThread,	2_2_03273D70

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_001AD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_001AD5EB

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_001A1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_001A1201

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_001AE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_001AE8F6

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_0014BF40	0_2_0014BF40
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001B2046	0_2_001B2046
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_00148060	0_2_00148060
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001A8298	0_2_001A8298
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_0017E4FF	0_2_0017E4FF
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_0017676B	0_2_0017676B
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001D4873	0_2_001D4873
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_0016CAA0	0_2_0016CAA0
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_0014CAF0	0_2_0014CAF0
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_0015CC39	0_2_0015CC39
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_00176DD9	0_2_00176DD9
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_0015B119	0_2_0015B119
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001491C0	0_2_001491C0
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_00161394	0_2_00161394
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_00161706	0_2_00161706
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_0016781B	0_2_0016781B
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_00147920	0_2_00147920
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_0015997D	0_2_0015997D
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001619B0	0_2_001619B0
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_00167A4A	0_2_00167A4A
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_00161C77	0_2_00161C77
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_00167CA7	0_2_00167CA7
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001CBE44	0_2_001CBE44
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_00179EEE	0_2_00179EEE
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_00161F32	0_2_00161F32
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_011D64B8	0_2_011D64B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00620143	2_2_00620143
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0062694E	2_2_0062694E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00626953	2_2_00626953
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0061E133	2_2_0061E133
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0061E27F	2_2_0061E27F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00613250	2_2_00613250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0061E283	2_2_0061E283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_006124E0	2_2_006124E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0063EEA3	2_2_0063EEA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0061277A	2_2_0061277A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0061FF23	2_2_0061FF23
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0061FF1A	2_2_0061FF1A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00612780	2_2_00612780
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FA352	2_2_032FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033003E6	2_2_033003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C02C0	2_2_032C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230100	2_2_03230100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C8158	2_2_032C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F41A2	2_2_032F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033001AA	2_2_033001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F81CC	2_2_032F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264750	2_2_03264750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323C7C0	2_2_0323C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325C6E0	2_2_0325C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03300591	2_2_03300591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4420	2_2_032E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F2446	2_2_032F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EE4F6	2_2_032EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FAB40	2_2_032FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F6BD7	2_2_032F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330A9A6	2_2_0330A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324A840	2_2_0324A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03242840	2_2_03242840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032268B8	2_2_032268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E8F0	2_2_0326E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03282F28	2_2_03282F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03260F30	2_2_03260F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E2F30	2_2_032E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B4F40	2_2_032B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BEFA0	2_2_032BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324CFE0	2_2_0324CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232FC8	2_2_03232FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FEE26	2_2_032FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240E59	2_2_03240E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252E90	2_2_03252E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FCE93	2_2_032FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FEEDB	2_2_032FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324AD00	2_2_0324AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DCD1F	2_2_032DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03258DBF	2_2_03258DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323ADE0	2_2_0323ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240C00	2_2_03240C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0CB5	2_2_032E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230CF2	2_2_03230CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F132D	2_2_032F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322D34C	2_2_0322D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0328739A	2_2_0328739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032452A0	2_2_032452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E12ED	2_2_032E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325B2C0	2_2_0325B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327516C	2_2_0327516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322F172	2_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330B16B	2_2_0330B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324B1B0	2_2_0324B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F70E9	2_2_032F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FF0E0	2_2_032FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EF0CC	2_2_032EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032470C0	2_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FF7B0	2_2_032FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03285630	2_2_03285630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F16CC	2_2_032F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F7571	2_2_032F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DD5B0	2_2_032DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033095C3	2_2_033095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FF43F	2_2_032FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03231460	2_2_03231460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFB76	2_2_032FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325FB80	2_2_0325FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B5BF0	2_2_032B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327DBF9	2_2_0327DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B3A6C	2_2_032B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFA49	2_2_032FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F7A46	2_2_032F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DDAAC	2_2_032DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03285AA0	2_2_03285AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E1AA3	2_2_032E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EDAC6	2_2_032EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D5910	2_2_032D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03249950	2_2_03249950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325B950	2_2_0325B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AD800	2_2_032AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032438E0	2_2_032438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFF09	2_2_032FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFFB1	2_2_032FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03241F92	2_2_03241F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03203FD2	2_2_03203FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03203FD5	2_2_03203FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03249EB0	2_2_03249EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F7D73	2_2_032F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03243D40	2_2_03243D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F1D5A	2_2_032F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325FDC0	2_2_0325FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B9C32	2_2_032B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFCF2	2_2_032FFCF2

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03275130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0322B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 032AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03287E54 appears 110 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 032BF290 appears 105 times
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: String function: 00149CB3 appears 31 times
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: String function: 00164963 appears 31 times
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: String function: 00160A30 appears 46 times
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: String function: 0015F9F2 appears 40 times

Source: VsTfsPVrfA.exe, 00000000.00000003.1460370747.0000000003A83000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs VsTfsPVrfA.exe
Source: VsTfsPVrfA.exe, 00000000.00000003.1455681463.0000000003BDD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs VsTfsPVrfA.exe

Source: VsTfsPVrfA.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.evad.winEXE@3/2@0/0

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_001B37B5 GetLastError,FormatMessageW,

0_2_001B37B5

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001A10BF AdjustTokenPrivileges,CloseHandle,		0_2_001A10BF
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001A16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_001A16C3

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_001B51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_001B51CD

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_001CA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_001CA67C

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_001B648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_001B648E

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_001442A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_001442A2

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

File created: C:\Users\user\AppData\Local\Temp\autDC5D.tmp

Jump to behavior

Source: VsTfsPVrfA.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: VsTfsPVrfA.exe	Virustotal: Detection: 31%
Source: VsTfsPVrfA.exe	ReversingLabs: Detection: 76%

Source: unknown	Process created: C:\Users\user\Desktop\VsTfsPVrfA.exe "C:\Users\user\Desktop\VsTfsPVrfA.exe"
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\VsTfsPVrfA.exe"
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\VsTfsPVrfA.exe"	Jump to behavior

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: VsTfsPVrfA.exe

Static file information: File size 1261568 > 1048576

Source: VsTfsPVrfA.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: VsTfsPVrfA.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: VsTfsPVrfA.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: VsTfsPVrfA.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: VsTfsPVrfA.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: VsTfsPVrfA.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: VsTfsPVrfA.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: VsTfsPVrfA.exe, 00000000.00000003.1461270981.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, VsTfsPVrfA.exe, 00000000.00000003.1455400739.0000000003910000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1541856086.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1506188652.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1504324547.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1541856086.000000000339E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: VsTfsPVrfA.exe, 00000000.00000003.1461270981.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, VsTfsPVrfA.exe, 00000000.00000003.1455400739.0000000003910000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1541856086.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1506188652.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1504324547.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1541856086.000000000339E000.00000040.00001000.00020000.00000000.sdmp

Source: VsTfsPVrfA.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: VsTfsPVrfA.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: VsTfsPVrfA.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: VsTfsPVrfA.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: VsTfsPVrfA.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_001442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001442DE

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_00160A76 push ecx; ret	0_2_00160A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00629050 push esp; retf	2_2_00629056
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00624263 push ebp; retf	2_2_0062444B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0061739C push ds; iretd	2_2_006173A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_006134F0 push eax; ret	2_2_006134F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0062ED70 push F3E5F1E9h; retf	2_2_0062EDAA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0061D532 push 00000016h; ret	2_2_0061D543
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0061AD3D push esp; ret	2_2_0061AD53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00611E68 push ds; retf	2_2_00611E6B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_006266B2 push ds; retf	2_2_006266BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00626693 push ds; retf	2_2_006266BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_006117CE push ds; ret	2_2_006117E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00611FB8 push ds; ret	2_2_00611FD6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0320225F pushad ; ret	2_2_032027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032027FA pushad ; ret	2_2_032027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032309AD push ecx; mov dword ptr [esp], ecx	2_2_032309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0320283D push eax; iretd	2_2_03202858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0320135E push eax; iretd	2_2_03201369

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_0015F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0015F98E
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001D1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_001D1C41

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-99544

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

API/Special instruction interceptor: Address: 11D60DC

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0327096E rdtsc

2_2_0327096E

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	API coverage: 4.0 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 6812

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001ADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_001ADBBE
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_0017C2A2 FindFirstFileExW,	0_2_0017C2A2
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001B68EE FindFirstFileW,FindClose,	0_2_001B68EE
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001B698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_001B698F
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001AD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001AD076
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001AD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001AD3A9
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001B9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001B9642
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001B979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001B979D
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001B9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_001B9B2B
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001B5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_001B5C97

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_001442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001442DE

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0327096E rdtsc

2_2_0327096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_006278E3 LdrLoadDll,

2_2_006278E3

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_001BEAA2 BlockInput,

0_2_001BEAA2

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_00172622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00172622

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_001442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001442DE

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_00164CE8 mov eax, dword ptr fs:[00000030h]	0_2_00164CE8
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_011D6348 mov eax, dword ptr fs:[00000030h]	0_2_011D6348
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_011D63A8 mov eax, dword ptr fs:[00000030h]	0_2_011D63A8
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_011D4D48 mov eax, dword ptr fs:[00000030h]	0_2_011D4D48
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03308324 mov eax, dword ptr fs:[00000030h]	2_2_03308324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03308324 mov ecx, dword ptr fs:[00000030h]	2_2_03308324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03308324 mov eax, dword ptr fs:[00000030h]	2_2_03308324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03308324 mov eax, dword ptr fs:[00000030h]	2_2_03308324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h]	2_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h]	2_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h]	2_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C310 mov ecx, dword ptr fs:[00000030h]	2_2_0322C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250310 mov ecx, dword ptr fs:[00000030h]	2_2_03250310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D437C mov eax, dword ptr fs:[00000030h]	2_2_032D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov ecx, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FA352 mov eax, dword ptr fs:[00000030h]	2_2_032FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D8350 mov ecx, dword ptr fs:[00000030h]	2_2_032D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330634F mov eax, dword ptr fs:[00000030h]	2_2_0330634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h]	2_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h]	2_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h]	2_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325438F mov eax, dword ptr fs:[00000030h]	2_2_0325438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325438F mov eax, dword ptr fs:[00000030h]	2_2_0325438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h]	2_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h]	2_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h]	2_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032663FF mov eax, dword ptr fs:[00000030h]	2_2_032663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EC3CD mov eax, dword ptr fs:[00000030h]	2_2_032EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B63C0 mov eax, dword ptr fs:[00000030h]	2_2_032B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D43D4 mov eax, dword ptr fs:[00000030h]	2_2_032D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D43D4 mov eax, dword ptr fs:[00000030h]	2_2_032D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322823B mov eax, dword ptr fs:[00000030h]	2_2_0322823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h]	2_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h]	2_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h]	2_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322826B mov eax, dword ptr fs:[00000030h]	2_2_0322826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B8243 mov eax, dword ptr fs:[00000030h]	2_2_032B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B8243 mov ecx, dword ptr fs:[00000030h]	2_2_032B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330625D mov eax, dword ptr fs:[00000030h]	2_2_0330625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A250 mov eax, dword ptr fs:[00000030h]	2_2_0322A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236259 mov eax, dword ptr fs:[00000030h]	2_2_03236259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA250 mov eax, dword ptr fs:[00000030h]	2_2_032EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA250 mov eax, dword ptr fs:[00000030h]	2_2_032EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402A0 mov eax, dword ptr fs:[00000030h]	2_2_032402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402A0 mov eax, dword ptr fs:[00000030h]	2_2_032402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E284 mov eax, dword ptr fs:[00000030h]	2_2_0326E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E284 mov eax, dword ptr fs:[00000030h]	2_2_0326E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h]	2_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h]	2_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h]	2_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h]	2_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h]	2_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h]	2_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033062D6 mov eax, dword ptr fs:[00000030h]	2_2_033062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03260124 mov eax, dword ptr fs:[00000030h]	2_2_03260124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov ecx, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F0115 mov eax, dword ptr fs:[00000030h]	2_2_032F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304164 mov eax, dword ptr fs:[00000030h]	2_2_03304164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304164 mov eax, dword ptr fs:[00000030h]	2_2_03304164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov ecx, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C156 mov eax, dword ptr fs:[00000030h]	2_2_0322C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C8158 mov eax, dword ptr fs:[00000030h]	2_2_032C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236154 mov eax, dword ptr fs:[00000030h]	2_2_03236154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236154 mov eax, dword ptr fs:[00000030h]	2_2_03236154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03270185 mov eax, dword ptr fs:[00000030h]	2_2_03270185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EC188 mov eax, dword ptr fs:[00000030h]	2_2_032EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EC188 mov eax, dword ptr fs:[00000030h]	2_2_032EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4180 mov eax, dword ptr fs:[00000030h]	2_2_032D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4180 mov eax, dword ptr fs:[00000030h]	2_2_032D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]	2_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]	2_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]	2_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033061E5 mov eax, dword ptr fs:[00000030h]	2_2_033061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032601F8 mov eax, dword ptr fs:[00000030h]	2_2_032601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F61C3 mov eax, dword ptr fs:[00000030h]	2_2_032F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F61C3 mov eax, dword ptr fs:[00000030h]	2_2_032F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A020 mov eax, dword ptr fs:[00000030h]	2_2_0322A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C020 mov eax, dword ptr fs:[00000030h]	2_2_0322C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6030 mov eax, dword ptr fs:[00000030h]	2_2_032C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B4000 mov ecx, dword ptr fs:[00000030h]	2_2_032B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325C073 mov eax, dword ptr fs:[00000030h]	2_2_0325C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232050 mov eax, dword ptr fs:[00000030h]	2_2_03232050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6050 mov eax, dword ptr fs:[00000030h]	2_2_032B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032280A0 mov eax, dword ptr fs:[00000030h]	2_2_032280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C80A8 mov eax, dword ptr fs:[00000030h]	2_2_032C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F60B8 mov eax, dword ptr fs:[00000030h]	2_2_032F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_032F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323208A mov eax, dword ptr fs:[00000030h]	2_2_0323208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0322A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032380E9 mov eax, dword ptr fs:[00000030h]	2_2_032380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B60E0 mov eax, dword ptr fs:[00000030h]	2_2_032B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0322C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032720F0 mov ecx, dword ptr fs:[00000030h]	2_2_032720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B20DE mov eax, dword ptr fs:[00000030h]	2_2_032B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C720 mov eax, dword ptr fs:[00000030h]	2_2_0326C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C720 mov eax, dword ptr fs:[00000030h]	2_2_0326C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326273C mov eax, dword ptr fs:[00000030h]	2_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326273C mov ecx, dword ptr fs:[00000030h]	2_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326273C mov eax, dword ptr fs:[00000030h]	2_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AC730 mov eax, dword ptr fs:[00000030h]	2_2_032AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C700 mov eax, dword ptr fs:[00000030h]	2_2_0326C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230710 mov eax, dword ptr fs:[00000030h]	2_2_03230710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03260710 mov eax, dword ptr fs:[00000030h]	2_2_03260710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238770 mov eax, dword ptr fs:[00000030h]	2_2_03238770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326674D mov esi, dword ptr fs:[00000030h]	2_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326674D mov eax, dword ptr fs:[00000030h]	2_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326674D mov eax, dword ptr fs:[00000030h]	2_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230750 mov eax, dword ptr fs:[00000030h]	2_2_03230750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE75D mov eax, dword ptr fs:[00000030h]	2_2_032BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272750 mov eax, dword ptr fs:[00000030h]	2_2_03272750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272750 mov eax, dword ptr fs:[00000030h]	2_2_03272750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B4755 mov eax, dword ptr fs:[00000030h]	2_2_032B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032307AF mov eax, dword ptr fs:[00000030h]	2_2_032307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E47A0 mov eax, dword ptr fs:[00000030h]	2_2_032E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D678E mov eax, dword ptr fs:[00000030h]	2_2_032D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]	2_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]	2_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]	2_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_032BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032347FB mov eax, dword ptr fs:[00000030h]	2_2_032347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032347FB mov eax, dword ptr fs:[00000030h]	2_2_032347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0323C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B07C3 mov eax, dword ptr fs:[00000030h]	2_2_032B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E627 mov eax, dword ptr fs:[00000030h]	2_2_0324E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03266620 mov eax, dword ptr fs:[00000030h]	2_2_03266620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268620 mov eax, dword ptr fs:[00000030h]	2_2_03268620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323262C mov eax, dword ptr fs:[00000030h]	2_2_0323262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE609 mov eax, dword ptr fs:[00000030h]	2_2_032AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272619 mov eax, dword ptr fs:[00000030h]	2_2_03272619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F866E mov eax, dword ptr fs:[00000030h]	2_2_032F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F866E mov eax, dword ptr fs:[00000030h]	2_2_032F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A660 mov eax, dword ptr fs:[00000030h]	2_2_0326A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A660 mov eax, dword ptr fs:[00000030h]	2_2_0326A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03262674 mov eax, dword ptr fs:[00000030h]	2_2_03262674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324C640 mov eax, dword ptr fs:[00000030h]	2_2_0324C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0326C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032666B0 mov eax, dword ptr fs:[00000030h]	2_2_032666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234690 mov eax, dword ptr fs:[00000030h]	2_2_03234690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234690 mov eax, dword ptr fs:[00000030h]	2_2_03234690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B06F1 mov eax, dword ptr fs:[00000030h]	2_2_032B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B06F1 mov eax, dword ptr fs:[00000030h]	2_2_032B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0326A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0326A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6500 mov eax, dword ptr fs:[00000030h]	2_2_032C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]	2_2_0326656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]	2_2_0326656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]	2_2_0326656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238550 mov eax, dword ptr fs:[00000030h]	2_2_03238550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238550 mov eax, dword ptr fs:[00000030h]	2_2_03238550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]	2_2_032B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]	2_2_032B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]	2_2_032B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032545B1 mov eax, dword ptr fs:[00000030h]	2_2_032545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032545B1 mov eax, dword ptr fs:[00000030h]	2_2_032545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232582 mov eax, dword ptr fs:[00000030h]	2_2_03232582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232582 mov ecx, dword ptr fs:[00000030h]	2_2_03232582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264588 mov eax, dword ptr fs:[00000030h]	2_2_03264588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E59C mov eax, dword ptr fs:[00000030h]	2_2_0326E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032325E0 mov eax, dword ptr fs:[00000030h]	2_2_032325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C5ED mov eax, dword ptr fs:[00000030h]	2_2_0326C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C5ED mov eax, dword ptr fs:[00000030h]	2_2_0326C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E5CF mov eax, dword ptr fs:[00000030h]	2_2_0326E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E5CF mov eax, dword ptr fs:[00000030h]	2_2_0326E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032365D0 mov eax, dword ptr fs:[00000030h]	2_2_032365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0326A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0326A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]	2_2_0322E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]	2_2_0322E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]	2_2_0322E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C427 mov eax, dword ptr fs:[00000030h]	2_2_0322C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A430 mov eax, dword ptr fs:[00000030h]	2_2_0326A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]	2_2_03268402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]	2_2_03268402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]	2_2_03268402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC460 mov ecx, dword ptr fs:[00000030h]	2_2_032BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]	2_2_0325A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]	2_2_0325A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]	2_2_0325A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA456 mov eax, dword ptr fs:[00000030h]	2_2_032EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322645D mov eax, dword ptr fs:[00000030h]	2_2_0322645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325245A mov eax, dword ptr fs:[00000030h]	2_2_0325245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032364AB mov eax, dword ptr fs:[00000030h]	2_2_032364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032644B0 mov ecx, dword ptr fs:[00000030h]	2_2_032644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_032BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA49A mov eax, dword ptr fs:[00000030h]	2_2_032EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032304E5 mov ecx, dword ptr fs:[00000030h]	2_2_032304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EB20 mov eax, dword ptr fs:[00000030h]	2_2_0325EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EB20 mov eax, dword ptr fs:[00000030h]	2_2_0325EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F8B28 mov eax, dword ptr fs:[00000030h]	2_2_032F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F8B28 mov eax, dword ptr fs:[00000030h]	2_2_032F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304B00 mov eax, dword ptr fs:[00000030h]	2_2_03304B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322CB7E mov eax, dword ptr fs:[00000030h]	2_2_0322CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4B4B mov eax, dword ptr fs:[00000030h]	2_2_032E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4B4B mov eax, dword ptr fs:[00000030h]	2_2_032E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03302B57 mov eax, dword ptr fs:[00000030h]	2_2_03302B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03302B57 mov eax, dword ptr fs:[00000030h]	2_2_03302B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03302B57 mov eax, dword ptr fs:[00000030h]	2_2_03302B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03302B57 mov eax, dword ptr fs:[00000030h]	2_2_03302B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6B40 mov eax, dword ptr fs:[00000030h]	2_2_032C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6B40 mov eax, dword ptr fs:[00000030h]	2_2_032C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FAB40 mov eax, dword ptr fs:[00000030h]	2_2_032FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D8B42 mov eax, dword ptr fs:[00000030h]	2_2_032D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228B50 mov eax, dword ptr fs:[00000030h]	2_2_03228B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DEB50 mov eax, dword ptr fs:[00000030h]	2_2_032DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240BBE mov eax, dword ptr fs:[00000030h]	2_2_03240BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240BBE mov eax, dword ptr fs:[00000030h]	2_2_03240BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_032E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_032E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]	2_2_03238BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]	2_2_03238BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]	2_2_03238BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EBFC mov eax, dword ptr fs:[00000030h]	2_2_0325EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_032BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]	2_2_03250BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]	2_2_03250BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]	2_2_03250BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]	2_2_03230BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]	2_2_03230BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]	2_2_03230BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_032DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA24 mov eax, dword ptr fs:[00000030h]	2_2_0326CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EA2E mov eax, dword ptr fs:[00000030h]	2_2_0325EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03254A35 mov eax, dword ptr fs:[00000030h]	2_2_03254A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03254A35 mov eax, dword ptr fs:[00000030h]	2_2_03254A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA38 mov eax, dword ptr fs:[00000030h]	2_2_0326CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BCA11 mov eax, dword ptr fs:[00000030h]	2_2_032BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]	2_2_0326CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]	2_2_0326CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]	2_2_0326CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DEA60 mov eax, dword ptr fs:[00000030h]	2_2_032DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032ACA72 mov eax, dword ptr fs:[00000030h]	2_2_032ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032ACA72 mov eax, dword ptr fs:[00000030h]	2_2_032ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240A5B mov eax, dword ptr fs:[00000030h]	2_2_03240A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240A5B mov eax, dword ptr fs:[00000030h]	2_2_03240A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238AA0 mov eax, dword ptr fs:[00000030h]	2_2_03238AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238AA0 mov eax, dword ptr fs:[00000030h]	2_2_03238AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286AA4 mov eax, dword ptr fs:[00000030h]	2_2_03286AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304A80 mov eax, dword ptr fs:[00000030h]	2_2_03304A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268A90 mov edx, dword ptr fs:[00000030h]	2_2_03268A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326AAEE mov eax, dword ptr fs:[00000030h]	2_2_0326AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326AAEE mov eax, dword ptr fs:[00000030h]	2_2_0326AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]	2_2_03286ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]	2_2_03286ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]	2_2_03286ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230AD0 mov eax, dword ptr fs:[00000030h]	2_2_03230AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264AD0 mov eax, dword ptr fs:[00000030h]	2_2_03264AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264AD0 mov eax, dword ptr fs:[00000030h]	2_2_03264AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B892A mov eax, dword ptr fs:[00000030h]	2_2_032B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C892B mov eax, dword ptr fs:[00000030h]	2_2_032C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE908 mov eax, dword ptr fs:[00000030h]	2_2_032AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE908 mov eax, dword ptr fs:[00000030h]	2_2_032AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC912 mov eax, dword ptr fs:[00000030h]	2_2_032BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228918 mov eax, dword ptr fs:[00000030h]	2_2_03228918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228918 mov eax, dword ptr fs:[00000030h]	2_2_03228918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327096E mov eax, dword ptr fs:[00000030h]	2_2_0327096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327096E mov edx, dword ptr fs:[00000030h]	2_2_0327096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327096E mov eax, dword ptr fs:[00000030h]	2_2_0327096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4978 mov eax, dword ptr fs:[00000030h]	2_2_032D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4978 mov eax, dword ptr fs:[00000030h]	2_2_032D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC97C mov eax, dword ptr fs:[00000030h]	2_2_032BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0946 mov eax, dword ptr fs:[00000030h]	2_2_032B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304940 mov eax, dword ptr fs:[00000030h]	2_2_03304940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032309AD mov eax, dword ptr fs:[00000030h]	2_2_032309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032309AD mov eax, dword ptr fs:[00000030h]	2_2_032309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B89B3 mov esi, dword ptr fs:[00000030h]	2_2_032B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B89B3 mov eax, dword ptr fs:[00000030h]	2_2_032B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B89B3 mov eax, dword ptr fs:[00000030h]	2_2_032B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_032BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032629F9 mov eax, dword ptr fs:[00000030h]	2_2_032629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032629F9 mov eax, dword ptr fs:[00000030h]	2_2_032629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C69C0 mov eax, dword ptr fs:[00000030h]	2_2_032C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032649D0 mov eax, dword ptr fs:[00000030h]	2_2_032649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_032FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov ecx, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A830 mov eax, dword ptr fs:[00000030h]	2_2_0326A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D483A mov eax, dword ptr fs:[00000030h]	2_2_032D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D483A mov eax, dword ptr fs:[00000030h]	2_2_032D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC810 mov eax, dword ptr fs:[00000030h]	2_2_032BC810

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_001A0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_001A0B62

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_00172622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00172622
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_0016083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0016083F
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001609D5 SetUnhandledExceptionFilter,	0_2_001609D5
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_00160C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00160C21

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 46C008

Jump to behavior

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

0_2_001A1201

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_00182BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00182BA5

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_001AB226 SendInput,keybd_event,

0_2_001AB226

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_001C22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_001C22DA

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\VsTfsPVrfA.exe"

Jump to behavior

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

0_2_001A0B62

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_001A1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_001A1663

Source: VsTfsPVrfA.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: VsTfsPVrfA.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_00160698 cpuid

0_2_00160698

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_001B8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_001B8195

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_0019D27A GetUserNameW,

0_2_0019D27A

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_0017B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0017B952

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe

Code function: 0_2_001442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001442DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1541751055.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1541510302.0000000000610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: VsTfsPVrfA.exe	Binary or memory string: WIN_81
Source: VsTfsPVrfA.exe	Binary or memory string: WIN_XP
Source: VsTfsPVrfA.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: VsTfsPVrfA.exe	Binary or memory string: WIN_XPe
Source: VsTfsPVrfA.exe	Binary or memory string: WIN_VISTA
Source: VsTfsPVrfA.exe	Binary or memory string: WIN_7
Source: VsTfsPVrfA.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1541751055.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1541510302.0000000000610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001C1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_001C1204
Source: C:\Users\user\Desktop\VsTfsPVrfA.exe	Code function: 0_2_001C1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_001C1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	21 Input Capture	2 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	LSASS Memory	24 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	21 Access Token Manipulation	12 Virtualization/Sandbox Evasion	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	212 Process Injection	21 Access Token Manipulation	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	212 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	115 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
VsTfsPVrfA.exe	32%	Virustotal		Browse
VsTfsPVrfA.exe	76%	ReversingLabs	Win32.Trojan.AutoitInject
VsTfsPVrfA.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587723
Start date and time:	2025-01-10 17:24:03 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	VsTfsPVrfA.exe renamed because original name is a hash value
Original Sample Name:	d1465fbe175c0599d01bd7187d5acc41bb386baf783167a7faaa98467fe9e270.exe
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@3/2@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 45 Number of non-executed functions: 299
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 20.242.39.171
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
11:25:17	API Interceptor	3x Sleep call for process: svchost.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	51406528193621400.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	32474162872806629906.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	23268167561217715617.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	2045514992161325262.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	1936930021252095876.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	283532861321088537.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	launcher.exe.bin.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	199.232.210.172
	10259286552329511027.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	30562134305434372.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	18559217651387524988.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172

Process:	C:\Users\user\Desktop\VsTfsPVrfA.exe
File Type:	data
Category:	dropped
Size (bytes):	288768
Entropy (8bit):	7.991823666604253
Encrypted:	true
SSDEEP:	6144:FzNM6LxNBUtN6j8Wxpn8syRqrfBgHSOEe3eNUeIAukKG:FzNM6etN0ppSHSy3eNUX4f
MD5:	5BBFBA2DBDF138A75DC898E18412FBB2
SHA1:	6D0326789928E84A003DC79660B8C3ADE7B5EBA8
SHA-256:	27745C2E5CBC0A2CB89FF6EC504B69B1B5FC7A52CA75FB183CD40826D621AE15
SHA-512:	26ADB1677A8313E8A74FE73375A5CAB5A3788C81E573DDC600AD19D9754E9A4AAAC539E34EB70C0B207A3FD27E419B12B8679E53A447A01FA92F1588D676BCE1
Malicious:	false
Reputation:	low
Preview:	...G2XQAHWGU..G1.QALWGUV.G1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1.QALYX.XA.8.p.M..t.).Bx!3#054;a$P6?.8w%0v32_x8/l...v,(U=.LA]cUVAG1XQ8M^.h6&..86.q7 .L...b1&.M...}'V.K..{51..X;9\|,0.UVAG1XQA..GU.@F1.-.-WGUVAG1X.ANVLT]AGg\QALWGUVAG.KQALGGUV1C1XQ.LWWUVAE1XWALWGUVAA1XQALWGU&EG1ZQALWGUTA..XQQLWWUVAG!XQQLWGUVAW1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAiE=)5LWG..EG1HQAL.CUVQG1XQALWGUVAG1XqAL7GUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALW

C:\Users\user\AppData\Local\Temp\leucoryx

Download File

Process:	C:\Users\user\Desktop\VsTfsPVrfA.exe
File Type:	data
Category:	dropped
Size (bytes):	288768
Entropy (8bit):	7.991823666604253
Encrypted:	true
SSDEEP:	6144:FzNM6LxNBUtN6j8Wxpn8syRqrfBgHSOEe3eNUeIAukKG:FzNM6etN0ppSHSy3eNUX4f
MD5:	5BBFBA2DBDF138A75DC898E18412FBB2
SHA1:	6D0326789928E84A003DC79660B8C3ADE7B5EBA8
SHA-256:	27745C2E5CBC0A2CB89FF6EC504B69B1B5FC7A52CA75FB183CD40826D621AE15
SHA-512:	26ADB1677A8313E8A74FE73375A5CAB5A3788C81E573DDC600AD19D9754E9A4AAAC539E34EB70C0B207A3FD27E419B12B8679E53A447A01FA92F1588D676BCE1
Malicious:	false
Reputation:	low
Preview:	...G2XQAHWGU..G1.QALWGUV.G1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1.QALYX.XA.8.p.M..t.).Bx!3#054;a$P6?.8w%0v32_x8/l...v,(U=.LA]cUVAG1XQ8M^.h6&..86.q7 .L...b1&.M...}'V.K..{51..X;9\|,0.UVAG1XQA..GU.@F1.-.-WGUVAG1X.ANVLT]AGg\QALWGUVAG.KQALGGUV1C1XQ.LWWUVAE1XWALWGUVAA1XQALWGU&EG1ZQALWGUTA..XQQLWWUVAG!XQQLWGUVAW1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAiE=)5LWG..EG1HQAL.CUVQG1XQALWGUVAG1XqAL7GUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALWGUVAG1XQALW

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.147543581755613
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	VsTfsPVrfA.exe
File size:	1'261'568 bytes
MD5:	e946aea01243abbc72c6341437172647
SHA1:	517db53281b8a901f9693caa98ee2e4980377fef
SHA256:	d1465fbe175c0599d01bd7187d5acc41bb386baf783167a7faaa98467fe9e270
SHA512:	5d8af2fe8092edf9a13869b675c7f004d45822f59a67bcec639f9a996e000940c6a5ba77c793090c8457d313f85b720cd1af14ffa8eedc2c6ce47aca4b2a12e2
SSDEEP:	24576:YqDEvCTbMWu7rQYlBQcBiT6rprG8aEKFUP0iV5iZ+UVBitiOEgr:YTvC/MTQYxsWR7aEKuPyZpnityg
TLSH:	7545CF0273C1D062FFAB92734B5AF6115BBC69260123E61F13A81D79BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67689BA1 [Sun Dec 22 23:07:13 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F2B506BDF33h
jmp 00007F2B506BD83Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F2B506BDA1Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F2B506BD9EAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F2B506C05DDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F2B506C0628h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F2B506C0611h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x5d460	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x132000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x5d460	0x5d600	ba537675f38477f92747e4ad25860bf2	False	0.9291724188420348	data	7.897905034982669	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x132000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x54725	data			1.0003353638263857
RT_GROUP_ICON	0x130ee0	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x130f58	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x130f6c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x130f80	0x14	data	English	Great Britain	1.25
RT_VERSION	0x130f94	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x131070	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 17:25:25.717740059 CET	1.1.1.1	192.168.2.9	0xcadd	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:25:25.717740059 CET	1.1.1.1	192.168.2.9	0xcadd	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	11:25:09
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\VsTfsPVrfA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\VsTfsPVrfA.exe"
Imagebase:	0x140000
File size:	1'261'568 bytes
MD5 hash:	E946AEA01243ABBC72C6341437172647
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:25:10
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\VsTfsPVrfA.exe"
Imagebase:	0xb70000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1541751055.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1541510302.0000000000610000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	1%
Signature Coverage:	5.2%
Total number of Nodes:	1863
Total number of Limit Nodes:	40

Executed Functions

Function 001442DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0014430D

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

GetCurrentProcess.KERNEL32(?,001DCB64,00000000,?,?), ref: 00144422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00144429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00144454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00144466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00144474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0014447B
GetSystemInfo.KERNEL32(?,?,?), ref: 001444A0

Strings

kernel32.dll, xrefs: 0014444F
GetNativeSystemInfo, xrefs: 00144460
|O, xrefs: 001836F8

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: b1ad9c8795d6014eb96b83267237341a534f071edab4a02c9d9efb826878949f
Instruction ID: 74a03edb0a0015d1920fcd8189615d1a0b2f188872c7bce5a95707bfeeba449e
Opcode Fuzzy Hash: b1ad9c8795d6014eb96b83267237341a534f071edab4a02c9d9efb826878949f
Instruction Fuzzy Hash: 0BA1D46190A2D4CFCB15D7687C4C3D97FA46B36700B1CC8DAE27193A79DB3146A4CB61

Function 001442A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,001450AA,?,?,00000000,00000000), ref: 001442B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001450AA,?,?,00000000,00000000), ref: 001442C9
LoadResource.KERNEL32(?,00000000,?,?,001450AA,?,?,00000000,00000000,?,?,?,?,?,?,00144F20), ref: 001835BE
SizeofResource.KERNEL32(?,00000000,?,?,001450AA,?,?,00000000,00000000,?,?,?,?,?,?,00144F20), ref: 001835D3
LockResource.KERNEL32(001450AA,?,?,001450AA,?,?,00000000,00000000,?,?,?,?,?,?,00144F20,?), ref: 001835E6

Strings

SCRIPT, xrefs: 001442BF

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: f0ec60015a511fb7322c291f0113e54b8e48c2face4de46b32436dacd25ed868
Instruction ID: b830b4bb7428af1d13fb697ab4139691a0ca3471ae15e9ebb2317921b9a543d8
Opcode Fuzzy Hash: f0ec60015a511fb7322c291f0113e54b8e48c2face4de46b32436dacd25ed868
Instruction Fuzzy Hash: A1118EB0202701BFDB218BA5EC48F677BB9EBC5B51F14456EF442D66A0DBB1DC41CA60

Function 00182BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00142B6B

Part of subcall function 00143A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00211418,?,00142E7F,?,?,?,00000000), ref: 00143A78

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00202224), ref: 00182C10
ShellExecuteW.SHELL32(00000000,?,?,00202224), ref: 00182C17

Strings

runas, xrefs: 00182C0B

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: c9089c3c50e6eb11715ac9bd6a862af367df573d40957dcd0bedcae210857dd8
Instruction ID: c5f9640444f3808b05de9fbc0ddf77db07d28595759662aa469e6f1400564307
Opcode Fuzzy Hash: c9089c3c50e6eb11715ac9bd6a862af367df573d40957dcd0bedcae210857dd8
Instruction Fuzzy Hash: 42110331209306AAC704FF60E8559AEB7A4AFB1700F84042DF196130B3CF318A99C752

Function 001ADBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00185222), ref: 001ADBCE
GetFileAttributesW.KERNELBASE(?), ref: 001ADBDD
FindFirstFileW.KERNELBASE(?,?), ref: 001ADBEE
FindClose.KERNEL32(00000000), ref: 001ADBFA

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: ae002422ecffec8c64097ae954572e9abd3a19118f75b27373efa784f302b656
Instruction ID: 7e36bb20015d51904a3908a75ac94ac23edfad18cfab676dfb3c8092ea877029
Opcode Fuzzy Hash: ae002422ecffec8c64097ae954572e9abd3a19118f75b27373efa784f302b656
Instruction Fuzzy Hash: 61F0A0308129215782206B78EC0D8AA376D9F03334B904B1BF876C28E0EBB45D94C6D5

Function 0014BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#!, xrefs: 001907CE

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#!
API String ID: 3964851224-1500567165
Opcode ID: 6a8e3493adf0e28c42b52917bd46f2d3fe6c1cdd477a58f51a17016d3c67fa2a
Instruction ID: be1d87cac44743f0337c6b08bfdca5122dfadd09cd94943726ff704d17feb550
Opcode Fuzzy Hash: 6a8e3493adf0e28c42b52917bd46f2d3fe6c1cdd477a58f51a17016d3c67fa2a
Instruction Fuzzy Hash: ABA25970608301DFDB65CF18C480B6ABBE1BF99304F15896DE99A8B362D771EC45CB92

Function 0014D730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0014D807
timeGetTime.WINMM ref: 0014DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0014DB28
TranslateMessage.USER32(?), ref: 0014DB7B
DispatchMessageW.USER32(?), ref: 0014DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0014DB9F
Sleep.KERNEL32(0000000A), ref: 0014DBB1

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 0880f67b5f92c1b264290b0f283c662ba498be8b198cc8e6ee0c469589f66dcf
Instruction ID: 35bd73503aba653dad6c34fdd03a75bdd7385fba166a76968859282d0e8c44d5
Opcode Fuzzy Hash: 0880f67b5f92c1b264290b0f283c662ba498be8b198cc8e6ee0c469589f66dcf
Instruction Fuzzy Hash: 3342D130604342EFEF28CF24D889BAAB7E1FF56314F55855DE466872A1D770E884CB92

Function 00142CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00142D07
RegisterClassExW.USER32(00000030), ref: 00142D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00142D42
InitCommonControlsEx.COMCTL32(?), ref: 00142D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00142D6F
LoadIconW.USER32(000000A9), ref: 00142D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00142D94

Strings

AutoIt v3 GUI, xrefs: 00142D23
0, xrefs: 00142CE9
+, xrefs: 00142CF0
TaskbarCreated, xrefs: 00142D37

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 071ca7cb5caddd635e1fefcd16f41e9d7bff53223f9d201984eaa0498af64087
Instruction ID: be970012decfd0d3f55c93d3912a25682f92e352ad7c97aeb0c961ddd479c093
Opcode Fuzzy Hash: 071ca7cb5caddd635e1fefcd16f41e9d7bff53223f9d201984eaa0498af64087
Instruction Fuzzy Hash: B121C7B5902319EFDB00DFA4ED49BDDBBB8FB08705F00851AF621A62A0DBB54554CF91

Function 0018065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0018039A: CreateFileW.KERNELBASE(00000000,00000000,?,00180704,?,?,00000000,?,00180704,00000000,0000000C), ref: 001803B7

GetLastError.KERNEL32 ref: 0018076F
__dosmaperr.LIBCMT ref: 00180776
GetFileType.KERNELBASE(00000000), ref: 00180782
GetLastError.KERNEL32 ref: 0018078C
__dosmaperr.LIBCMT ref: 00180795
CloseHandle.KERNEL32(00000000), ref: 001807B5
CloseHandle.KERNEL32(?), ref: 001808FF
GetLastError.KERNEL32 ref: 00180931
__dosmaperr.LIBCMT ref: 00180938

Strings

H, xrefs: 001808BD

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 06d4e71afce8f837d2a4df43e05c23aa22d688b847b9fcf38d785f3fd1f81467
Instruction ID: 6174ac79a36075fd76cff8b962cc09c35afabc9019e42a57b06dcf0f9f581ddb
Opcode Fuzzy Hash: 06d4e71afce8f837d2a4df43e05c23aa22d688b847b9fcf38d785f3fd1f81467
Instruction Fuzzy Hash: 12A12932A001089FDF1AAF68DC967AD7BA0AB1A320F24415DF8159B3D1DB319E57CF91

Function 0014344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00143A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00211418,?,00142E7F,?,?,?,00000000), ref: 00143A78

Part of subcall function 00143357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00143379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0014356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0018318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001831CE
RegCloseKey.ADVAPI32(?), ref: 00183210
_wcslen.LIBCMT ref: 00183277
_wcslen.LIBCMT ref: 00183286

Strings

\, xrefs: 0018328C
\Include\, xrefs: 00143527
Include, xrefs: 00183184, 001831C5
Software\AutoIt v3\AutoIt, xrefs: 00143560

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 385bb71609817d5c073220b3795d782b74511f75ffac8a652695a34b49ff6b41
Instruction ID: 95e938aeb7315032f519daae46a82d76581e84b55849a23ad47db056ba58c2be
Opcode Fuzzy Hash: 385bb71609817d5c073220b3795d782b74511f75ffac8a652695a34b49ff6b41
Instruction Fuzzy Hash: D0719D71405305DEC314EF29EC869ABBBE8FFA4740F40482EF565971B1EB309A58CB92

Function 00142B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00142B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00142B9D
LoadIconW.USER32(00000063), ref: 00142BB3
LoadIconW.USER32(000000A4), ref: 00142BC5
LoadIconW.USER32(000000A2), ref: 00142BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00142BEF
RegisterClassExW.USER32(?), ref: 00142C40

Part of subcall function 00142CD4: GetSysColorBrush.USER32(0000000F), ref: 00142D07
Part of subcall function 00142CD4: RegisterClassExW.USER32(00000030), ref: 00142D31
Part of subcall function 00142CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00142D42
Part of subcall function 00142CD4: InitCommonControlsEx.COMCTL32(?), ref: 00142D5F
Part of subcall function 00142CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00142D6F
Part of subcall function 00142CD4: LoadIconW.USER32(000000A9), ref: 00142D85
Part of subcall function 00142CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00142D94

Strings

AutoIt v3, xrefs: 00142C2F
#, xrefs: 00142C16
0, xrefs: 00142C0F

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 3e0c959d06d48fb1c3eb13acd035ed84af3a04a5421d3c9e0e98e97b26a9fea6
Instruction ID: 9757f2bc64a2c0886aab0693405d45996ca3f8e2b0c6523b546fb2b9e128e33a
Opcode Fuzzy Hash: 3e0c959d06d48fb1c3eb13acd035ed84af3a04a5421d3c9e0e98e97b26a9fea6
Instruction Fuzzy Hash: 4C214C70E02314ABDB109FA5FC59AD9BFB4FB18B50F10849AF620A66A4DBB10560CF90

Function 0014B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0014BB4E

Strings

p%!, xrefs: 0014BB32
p#!, xrefs: 0019024F
x#!, xrefs: 00190168
p#!, xrefs: 0014BA72
p#!, xrefs: 00190263
p%!, xrefs: 0014B8DC
x#!, xrefs: 00190207
p#!, xrefs: 0014BB6B

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#!$p#!$p#!$p#!$p%!$p%!$x#!$x#!
API String ID: 1385522511-4272460735
Opcode ID: 60907567cce92638725a489af31047cc21bf031b780edf99bca09e4c0aa8aecf
Instruction ID: 2165d5ba08758ea8bcba404a260d04c91d206bac00c391c2145a126ee32fe529
Opcode Fuzzy Hash: 60907567cce92638725a489af31047cc21bf031b780edf99bca09e4c0aa8aecf
Instruction Fuzzy Hash: 4132CD70A08209DFCF29CF54C894ABEB7B9FF58304F158069E915AB261C774EE91CB91

Function 00143170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0014316A,?,?), ref: 001431D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0014316A,?,?), ref: 00143204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00143227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0014316A,?,?), ref: 00143232
CreatePopupMenu.USER32 ref: 00143246
PostQuitMessage.USER32(00000000), ref: 00143267

Strings

TaskbarCreated, xrefs: 0014322D

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 7b420c408f00370a18c0f5c9c60411b6b1675acd57dad664572e046427afea9f
Instruction ID: 6ed78ae63e93be2787c63c8c024563292799a1b45960dbc48d9585dc9dae7703
Opcode Fuzzy Hash: 7b420c408f00370a18c0f5c9c60411b6b1675acd57dad664572e046427afea9f
Instruction Fuzzy Hash: E8414835210205ABDF192F78AC4DFF93B59E725700F044226FA32862B5DBB19F91DBA1

Function 0014DFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%!, xrefs: 0014E4B1
D%!, xrefs: 0019302D
Variable must be of type 'Object'., xrefs: 001932B7
D%!, xrefs: 00192FDA
D%!, xrefs: 0014E1E0
D%!D%!, xrefs: 0014E27E

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID:
String ID: D%!$D%!$D%!$D%!$D%!D%!$Variable must be of type 'Object'.
API String ID: 0-2751283870
Opcode ID: 18907055072b0b47ccc69ab93e857b63a480aacd70a6da0dcf0e4bab97ab0bae
Instruction ID: ae38eb82494ab75f07a7b4be4d0ca191e3fa452f8a36b9d78ca89c7c7cb3a877
Opcode Fuzzy Hash: 18907055072b0b47ccc69ab93e857b63a480aacd70a6da0dcf0e4bab97ab0bae
Instruction Fuzzy Hash: A2C2AB75A00205CFCB24CFA8C885AADB7F1FF18310F258569E966AB3A1D371ED51CB91

Function 011D5498 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 011D5569
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 011D578F

Memory Dump Source

Source File: 00000000.00000002.1465653293.00000000011D2000.00000040.00000020.00020000.00000000.sdmp, Offset: 011D2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d2000_VsTfsPVrfA.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
Instruction ID: a9b0f63d869f49bb77a7be27914a69eef6e832a9fcecccb709c6dbbe0dc8c817
Opcode Fuzzy Hash: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
Instruction Fuzzy Hash: 5BA12A74E00209EBDB58CFA4C994BEEBBB6FF48304F208159E111BB281D7759A81CF65

Function 00142C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00142C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00142CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00141CAD,?), ref: 00142CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00141CAD,?), ref: 00142CCF

Strings

AutoIt v3, xrefs: 00142C89, 00142C8E, 00142C8F
edit, xrefs: 00142CAC

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 98eb3e34cd1e58c0e890594f72b606a219bd82088c682b6b97e6d1aec551d998
Instruction ID: c702d8f6037fe6b1c26705cf1f54a44c921ae58f2df8a44c0fbae6b58c9d5625
Opcode Fuzzy Hash: 98eb3e34cd1e58c0e890594f72b606a219bd82088c682b6b97e6d1aec551d998
Instruction Fuzzy Hash: F3F0DA755412907AEB311717BC4CEB77EBDD7D6F50B0081AAFA10A26A4CA711860DAB0

Function 011D5288 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 011D5178: Sleep.KERNELBASE(000001F4), ref: 011D5189

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 011D538C

Strings

UVAG1XQALWG, xrefs: 011D53EF, 011D53F2

Memory Dump Source

Source File: 00000000.00000002.1465653293.00000000011D2000.00000040.00000020.00020000.00000000.sdmp, Offset: 011D2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d2000_VsTfsPVrfA.jbxd

Similarity

API ID: CreateFileSleep
String ID: UVAG1XQALWG
API String ID: 2694422964-2416278638
Opcode ID: 0d52d39b9ec1b18eddac7b56328ed324227e5d6cc1d16f42d44f26adfe0709f0
Instruction ID: 7ef0e7ee631c3bd2632ec09b6e831ab255e7488667f2361cf32fa6a0680e82ae
Opcode Fuzzy Hash: 0d52d39b9ec1b18eddac7b56328ed324227e5d6cc1d16f42d44f26adfe0709f0
Instruction Fuzzy Hash: 2C519431E04249EBEF14DBA4C844BEFBB75AF58300F004199E608BB2C0E7B51B44CB66

Function 001B2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001B2C05
DeleteFileW.KERNEL32(?), ref: 001B2C87
CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001B2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001B2CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001B2CC0

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 1a8aded28372833442cb7098fe70be72af308f3cee83ae583d838a4a43bde7d3
Instruction ID: 916c5975aa783047aba904ff3f1ee10ae325f57b6b9c7ea7b80a36d4d4c7640b
Opcode Fuzzy Hash: 1a8aded28372833442cb7098fe70be72af308f3cee83ae583d838a4a43bde7d3
Instruction Fuzzy Hash: 72B16E72D00119ABDF25DBA4CC85EDEBBBDEF59340F1040A6F509E7151EB309A488FA1

Function 00143B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00143B0F,SwapMouseButtons,00000004,?), ref: 00143B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00143B0F,SwapMouseButtons,00000004,?), ref: 00143B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00143B0F,SwapMouseButtons,00000004,?), ref: 00143B83

Strings

Control Panel\Mouse, xrefs: 00143B3E

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 022867eb696bea49f260880f4ca58205ecf9351c107aacc981200d662693c84f
Instruction ID: 05c8c34c3dd679a1e2d532110c64d2e34b23004a63b7025dffab3d925e26d23c
Opcode Fuzzy Hash: 022867eb696bea49f260880f4ca58205ecf9351c107aacc981200d662693c84f
Instruction Fuzzy Hash: 5A1127B5611208FFDB218FA5DC84AAEBBB8EF44744B10896AB815D7120E3319E449BA0

Function 011D4178 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 011D4933
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 011D49C9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 011D49EB

Memory Dump Source

Source File: 00000000.00000002.1465653293.00000000011D2000.00000040.00000020.00020000.00000000.sdmp, Offset: 011D2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d2000_VsTfsPVrfA.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
Instruction ID: 2f6336c0842c687f3b600ab8b926f7e80d49a14750f718abda426b24845a9cea
Opcode Fuzzy Hash: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
Instruction Fuzzy Hash: 74620B30A146589BEB28CFA4C840BDEB776FF58300F1091A9D20DEB794E7759E81CB59

Function 00143923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001833A2

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00143A04

Strings

Line: , xrefs: 001833EB

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: f55588e338d14f0c8f41ea946772f8ae4c9e860efb6a22b3ab653b9bcb20f302
Instruction ID: 81110704e350a6b4b1baeef3ac90c5834fc29471585895165c33ad2552354d52
Opcode Fuzzy Hash: f55588e338d14f0c8f41ea946772f8ae4c9e860efb6a22b3ab653b9bcb20f302
Instruction Fuzzy Hash: 0631D471408301AAD725EB20DC49BEBB7D8AF65714F10492AF5A9831E1DF709758C7C3

Function 00142DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00182C8C

Part of subcall function 00143AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00143A97,?,?,00142E7F,?,?,?,00000000), ref: 00143AC2

Part of subcall function 00142DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00142DC4

Strings

X, xrefs: 00182C5A
`e , xrefs: 00182C85

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e
API String ID: 779396738-2317500276
Opcode ID: 336dfa3ceb6bac2fd25ff9c912dda595ccffe57d0520d7dcbd20beab474e227b
Instruction ID: 9da59205d3814f4b84aa35fe828db8ea1ee6616943ff8b0c8a7dfe2fb11d8cc6
Opcode Fuzzy Hash: 336dfa3ceb6bac2fd25ff9c912dda595ccffe57d0520d7dcbd20beab474e227b
Instruction Fuzzy Hash: 7121A571A102589FCB01EF94C849BEE7BFCAF59314F008059F505B7291DBB45A99CFA1

Function 0015FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00160668

Part of subcall function 001632A4: RaiseException.KERNEL32(?,?,?,0016068A,?,00211444,?,?,?,?,?,?,0016068A,00141129,00208738,00141129), ref: 00163304

__CxxThrowException@8.LIBVCRUNTIME ref: 00160685

Strings

Unknown exception, xrefs: 00160692

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 3744b88de5deb821c00e3318495352f089615b8a4dad965ff872666fae1560e6
Instruction ID: 2585f8eee538a08e19a4bd40b75c0c5592a7a4af6d6b1bc37809aded8bf6d051
Opcode Fuzzy Hash: 3744b88de5deb821c00e3318495352f089615b8a4dad965ff872666fae1560e6
Instruction Fuzzy Hash: FFF0C23490030DB7CB05BAA4DC46C9F7B7C5E14310B604539BD249A5D2EF71DA7AC581

Function 001B3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 001B302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 001B3044

Strings

aut, xrefs: 001B3038

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d8b45ffe04d28ffa3b87e8a504a23131f6e6b4ab44c5777c589b08136eef225f
Instruction ID: 099ac8ea2b148826340cfc260353ff582d930e8149904b942d67048d3a9c6c08
Opcode Fuzzy Hash: d8b45ffe04d28ffa3b87e8a504a23131f6e6b4ab44c5777c589b08136eef225f
Instruction Fuzzy Hash: CBD05B7150131467DB20A7949C0DFC77B7CD705750F000652B655D24D1DAB09584CAD0

Function 001C7F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 001C82F5
TerminateProcess.KERNEL32(00000000), ref: 001C82FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 001C84DD

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 90d5cd2158b41b5fa0728f28b407cf0960a534d6ab8d9fee4e4a6ff6a9b0b004
Instruction ID: 2ae0f9d9357655028efddbd40659a56274d71d8126a0dd08beed543e1a0e1509
Opcode Fuzzy Hash: 90d5cd2158b41b5fa0728f28b407cf0960a534d6ab8d9fee4e4a6ff6a9b0b004
Instruction Fuzzy Hash: 12126A719083419FC714DF28C484B6ABBE5BF99318F04895DE8998B392DB31ED45CF92

Function 00175AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44032ca1bea590eaf62eafc59c151f382190c08905f054bc8d8cb09828da7671
Instruction ID: aa5ca69095650c344ff568096cbaead2e6746ad799143d2565b5f0e9485d596d
Opcode Fuzzy Hash: 44032ca1bea590eaf62eafc59c151f382190c08905f054bc8d8cb09828da7671
Instruction Fuzzy Hash: 1E51E071D006099FCB159FA4DC45FFE7BBAEF15310F158059F409A7291DBB19A02CB61

Function 001410F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00141BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00141BF4
Part of subcall function 00141BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00141BFC
Part of subcall function 00141BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00141C07
Part of subcall function 00141BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00141C12
Part of subcall function 00141BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00141C1A
Part of subcall function 00141BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00141C22

Part of subcall function 00141B4A: RegisterWindowMessageW.USER32(00000004,?,001412C4), ref: 00141BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0014136A
OleInitialize.OLE32 ref: 00141388
CloseHandle.KERNEL32(00000000,00000000), ref: 001824AB

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: c0ca979e099a39ac393e86f6dc4f48c061205afefcfc6f5f0f7653b4df5241c3
Instruction ID: 7918de0e5dee6fd50aa8001c640f892856d01649ae258b52ffa407ad9ccc3375
Opcode Fuzzy Hash: c0ca979e099a39ac393e86f6dc4f48c061205afefcfc6f5f0f7653b4df5241c3
Instruction Fuzzy Hash: 1271CCB4912201AED788DF79B9496D57BE6FBB8344395C22AD20AC7371EF304461CF84

Function 001786AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,001785CC,?,00208CC8,0000000C), ref: 00178704
GetLastError.KERNEL32(?,001785CC,?,00208CC8,0000000C), ref: 0017870E
__dosmaperr.LIBCMT ref: 00178739

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 4ec592fc25d98bbefa69ffd4faf057bd59d02dc65a4e8f4f3b891256e0737c7f
Instruction ID: 4bbf35634205e431151b91b1eb9d6a99bedba808aeaf31efbf71d60c225a6e22
Opcode Fuzzy Hash: 4ec592fc25d98bbefa69ffd4faf057bd59d02dc65a4e8f4f3b891256e0737c7f
Instruction Fuzzy Hash: C3010432E4562036D6286234A84EB6E677B5BA2774F39C119F81C8B1E2DFF09CC18190

Function 001B2FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,001B2CD4,?,?,?,00000004,00000001), ref: 001B2FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,001B2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001B3006
CloseHandle.KERNEL32(00000000,?,001B2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001B300D

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 2ae34317c01c3b331568c77a03fff5522ba61a49582ca818ca62209ab846dcda
Instruction ID: a6fd19ce422e1e18617013ac7a5900b09d88acd5238d5bad508693b50cbdc457
Opcode Fuzzy Hash: 2ae34317c01c3b331568c77a03fff5522ba61a49582ca818ca62209ab846dcda
Instruction Fuzzy Hash: EDE0863228222177D6302759BC0DFCB3B1CDB86B71F104611F729750D087A01541C2E8

Function 00151310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001517F6

Strings

CALL, xrefs: 001517C6

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 5da6965ba47e9143575a39f3231a27d041a352762113f7a956b4fac69fdfbe15
Instruction ID: d48d9ec6863c544d75128a64984a79e5ee85a17114b60794709e7c9a6a64b0b9
Opcode Fuzzy Hash: 5da6965ba47e9143575a39f3231a27d041a352762113f7a956b4fac69fdfbe15
Instruction Fuzzy Hash: D0229B70608201EFCB15DF14C480B2ABBF1BF99315F15891DF8AA8B3A1D771E949CB92

Function 001B6EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001B6F6B

Part of subcall function 00144ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 001B6F5A, 001B6F63

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: ccb5c7d2e5678e4209cb267ffd2c0007e673b178e7ea7245564a0c593c9b1f5b
Instruction ID: 0d1fcd0a2edf9a8f3fc545a56fc1bc52dfaf943088c8b15a9728874798980303
Opcode Fuzzy Hash: ccb5c7d2e5678e4209cb267ffd2c0007e673b178e7ea7245564a0c593c9b1f5b
Instruction Fuzzy Hash: 0DB182315082018FCB14EF24D4919AEB7E5FFA5314F44895DF49A9B2B2EB30ED49CB92

Function 00143837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00143908

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: aab16b3b30b57e62e47cb3bb349f9861b6bcf864598d8bf45c06c8c784d49e88
Instruction ID: 9411a5b253101be341d46321de6befe05518de3dd0355abdef6061c2b6f043d7
Opcode Fuzzy Hash: aab16b3b30b57e62e47cb3bb349f9861b6bcf864598d8bf45c06c8c784d49e88
Instruction Fuzzy Hash: 2031A2B05057019FD720DF24D8857D7FBE8FB59708F00096EFAA983250EB71AA54CB92

Function 011D4175 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 011D4933
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 011D49C9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 011D49EB

Memory Dump Source

Source File: 00000000.00000002.1465653293.00000000011D2000.00000040.00000020.00020000.00000000.sdmp, Offset: 011D2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d2000_VsTfsPVrfA.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction ID: dd57213d913b3f0a0d27a0ea688c5acf0bdbab89d9568e73252f0157880fb21d
Opcode Fuzzy Hash: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction Fuzzy Hash: 7812CD24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 0015FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0015FD1F

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: a8f6e7be758d27c7d486a8d94182f75aac87acbb571e27998b88723ad2c5d872
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: D7310074A00109DBC718CF99D480969FBB2FB49302B6486B9E819CF656D731EDCADBC0

Function 00144ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00144E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00144EDD,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144E9C
Part of subcall function 00144E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00144EAE
Part of subcall function 00144E90: FreeLibrary.KERNEL32(00000000,?,?,00144EDD,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144EFD

Part of subcall function 00144E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00183CDE,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144E62
Part of subcall function 00144E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00144E74
Part of subcall function 00144E59: FreeLibrary.KERNEL32(00000000,?,?,00183CDE,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144E87

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: b5285c84fa827cbede6fa58e8496f36df2f1e342002e6482f25cd5c2c5b33625
Instruction ID: a4aa1862ad92137c0a85e13f3992fee2b44a760dede1f04af7f7d0f325fea66c
Opcode Fuzzy Hash: b5285c84fa827cbede6fa58e8496f36df2f1e342002e6482f25cd5c2c5b33625
Instruction Fuzzy Hash: 4E11E332600205ABDF14BB64DC02FAD77A5AF60B10F10882EF542B61E1EF759A499B90

Function 00178402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00178440

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: d612ad91ba4fe8eec4871fd71cf52115811780082cd4112405490dbcacefd360
Instruction ID: 594a49c1b32aa92fca752eeb5f2722b3f5da8ed7bba543b7b1da96cbc26c1c9f
Opcode Fuzzy Hash: d612ad91ba4fe8eec4871fd71cf52115811780082cd4112405490dbcacefd360
Instruction Fuzzy Hash: 7111487190810AAFCB05DF58E944A9A7BF4EF48314F108059F809AB312DB70EA11CBA4

Function 00175000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00174C7D: RtlAllocateHeap.NTDLL(00000008,00141129,00000000,?,00172E29,00000001,00000364,?,?,?,0016F2DE,00173863,00211444,?,0015FDF5,?), ref: 00174CBE

_free.LIBCMT ref: 0017506C

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: c6b0e97005bb097bc09479a45bcf41d0f0afd96596ed0a0f532df9eda933734a
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 550126722047086BE3218E659881A5AFBF9FB89370F25451DF19883280EB70A805C6B4

Function 0016E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: c1ea313cb3774b737b3be2df8261359b3ea34258dfcead8edd5c43737755358c
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: A1F02836910A24ABC7313A79DC05B9A33E89F72334F104719F428931D2DB70D8128AA6

Function 00174C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00141129,00000000,?,00172E29,00000001,00000364,?,?,?,0016F2DE,00173863,00211444,?,0015FDF5,?), ref: 00174CBE

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bb59b219a21df14828178fc8661ffb297078275a5d542256e29b77733a85e138
Instruction ID: 547e0c8cf05e84190e67337b3ea12b595278b0d1d6acd138f603f7a2d6323be2
Opcode Fuzzy Hash: bb59b219a21df14828178fc8661ffb297078275a5d542256e29b77733a85e138
Instruction Fuzzy Hash: 17F0E931603224A7DB235F629C09B5A37A8BF517A0B19C515FD1DA61C4CB30DC1196E0

Function 00173820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00211444,?,0015FDF5,?,?,0014A976,00000010,00211440,001413FC,?,001413C6,?,00141129), ref: 00173852

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 812f083da1367f407daeba73e9299c55a921428dbb80a105c6d2592700a5a109
Instruction ID: 3b23d3ba147a3b449f34fdcd8a37c9c489372a684e45fedcd1fb4df464786819
Opcode Fuzzy Hash: 812f083da1367f407daeba73e9299c55a921428dbb80a105c6d2592700a5a109
Instruction Fuzzy Hash: B7E0E53110122597D7212A669C04F9A3768AB527B0F158326BC3C929D5CB31DD11A1E2

Function 00144F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144F6D

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: c716b89d62fd7729a1a4f7f477ebda5bc9ef5966c2d901855488d237ce227313
Instruction ID: dcb2052d327225042689df4894b5ba4f835fdb0f91579ace7abd540d2136860c
Opcode Fuzzy Hash: c716b89d62fd7729a1a4f7f477ebda5bc9ef5966c2d901855488d237ce227313
Instruction Fuzzy Hash: 13F03071105752CFDB389F68D490922B7E4AF143193108A7EE1EA82531C7319848DF50

Function 00142DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00142DC4

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 6b7b017d2cc831c445b4a56803db14909f96509123d6842af102fd86e2de3527
Instruction ID: 7b58332a982d034d5c1443cad7ff2861919dde146e009e9ac800466e52156d1b
Opcode Fuzzy Hash: 6b7b017d2cc831c445b4a56803db14909f96509123d6842af102fd86e2de3527
Instruction Fuzzy Hash: 9DE0CD726011245BCB10A2589C05FDA77DDDFC8794F040071FD09D7258DA60AD84C691

Function 00142B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00143837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00143908

Part of subcall function 0014D730: GetInputState.USER32 ref: 0014D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00142B6B

Part of subcall function 001430F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0014314E

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 2ed11ef1e7624d69cf48d36ef885d6dbe47a08aef9c3d6746619743bd780b835
Instruction ID: 5ca5d3463da08ae5ce1070a56c7c57a96e687ce5d32eebc98785916cf379bcf1
Opcode Fuzzy Hash: 2ed11ef1e7624d69cf48d36ef885d6dbe47a08aef9c3d6746619743bd780b835
Instruction Fuzzy Hash: A1E0262230020503CA04BB74B8124AEB3499BF1315F40063EF15243173CF7045958251

Function 0018039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00180704,?,?,00000000,?,00180704,00000000,0000000C), ref: 001803B7

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2496a1cfd18e288c6b21449ed6dcabde4280d34920d435af07548f90903a2aad
Instruction ID: cc8f5daa0c94d63df840f0f805e9a8a177b8b43bf6a5b6a9109cb31f1539746f
Opcode Fuzzy Hash: 2496a1cfd18e288c6b21449ed6dcabde4280d34920d435af07548f90903a2aad
Instruction Fuzzy Hash: 31D06C3204010DFBDF029F84DD06EDA3BAAFB48714F014000BE1856020C732E861EB90

Function 00141CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00141CBC

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 920f538ebc21d1f25ad5ff26f5633bf5c13deca1ce2fd04f77f25179a98b3485
Instruction ID: fcc3d4383b3596f7fe73fa7007c1ec634076f994e0c9fa848cb374729e250db2
Opcode Fuzzy Hash: 920f538ebc21d1f25ad5ff26f5633bf5c13deca1ce2fd04f77f25179a98b3485
Instruction Fuzzy Hash: BBC09B36381305EFF6144B80BC4EF507755E358B00F44C501F709655E3C7B11470D650

Function 011D5178 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 011D5189

Memory Dump Source

Source File: 00000000.00000002.1465653293.00000000011D2000.00000040.00000020.00020000.00000000.sdmp, Offset: 011D2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d2000_VsTfsPVrfA.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 5543662694afe702856b1000b79c7d56548e963298b47348dcf9eb461591a4da
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: DBE0E67498010DDFDB00DFB4D54969E7BF4EF04301F100161FD01D2280D7709D508A62

Non-executed Functions

Function 001D9576 Relevance: 75.9, APIs: 39, Strings: 4, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00159BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00159BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 001D961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001D965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 001D969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001D96C9
SendMessageW.USER32 ref: 001D96F2
GetKeyState.USER32(00000011), ref: 001D978B
GetKeyState.USER32(00000009), ref: 001D9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001D97AE
GetKeyState.USER32(00000010), ref: 001D97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001D97E9
SendMessageW.USER32 ref: 001D9810
SendMessageW.USER32(?,00001030,?,001D7E95), ref: 001D9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 001D992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 001D9941
SetCapture.USER32(?), ref: 001D994A
ClientToScreen.USER32(?,?), ref: 001D99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 001D99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001D99D6
ReleaseCapture.USER32 ref: 001D99E1
GetCursorPos.USER32(?), ref: 001D9A19
ScreenToClient.USER32(?,?), ref: 001D9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 001D9A80
SendMessageW.USER32 ref: 001D9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 001D9AEB
SendMessageW.USER32 ref: 001D9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 001D9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 001D9B4A
GetCursorPos.USER32(?), ref: 001D9B68
ScreenToClient.USER32(?,?), ref: 001D9B75
GetParent.USER32(?), ref: 001D9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 001D9BFA
SendMessageW.USER32 ref: 001D9C2B
ClientToScreen.USER32(?,?), ref: 001D9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 001D9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 001D9CDE
SendMessageW.USER32 ref: 001D9D01
ClientToScreen.USER32(?,?), ref: 001D9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 001D9D82

Part of subcall function 00159944: GetWindowLongW.USER32(?,000000EB), ref: 00159952

GetWindowLongW.USER32(?,000000F0), ref: 001D9E05

Strings

@GUI_DRAGID, xrefs: 001D997D
F, xrefs: 001D9D07
@U=u, xrefs: 001D965B, 001D96C9, 001D96F2, 001D97AE, 001D97E9, 001D9810, 001D9918, 001D9A80, 001D9AAE, 001D9AEB, 001D9B1A, 001D9BFA, 001D9C2B, 001D9CDE, 001D9D01
p#!, xrefs: 001D9990

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$@U=u$F$p#!
API String ID: 3429851547-1027384624
Opcode ID: 80b02b0ed285cc368df9b30442a3354654e4ea4cb91b067e6d5725ae0c9e3e6a
Instruction ID: 22712d5d21ecc5f1d449b435e0e2588e40adcfa11e9820f69a3e897d642878ef
Opcode Fuzzy Hash: 80b02b0ed285cc368df9b30442a3354654e4ea4cb91b067e6d5725ae0c9e3e6a
Instruction Fuzzy Hash: 2F428D74205241AFDB24CF24CC48EAABBE5FF49310F154A1AF699973A1DB31E864CF91

Function 001D4873 Relevance: 61.8, APIs: 33, Strings: 2, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 001D48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 001D4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 001D4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 001D494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 001D495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 001D497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 001D49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 001D49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 001D4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001D4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001D4A7E
IsMenu.USER32(?), ref: 001D4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001D4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001D4B20
GetWindowLongW.USER32(?,000000F0), ref: 001D4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 001D4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 001D4C82
wsprintfW.USER32 ref: 001D4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001D4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 001D4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001D4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001D4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 001D4D5A

Strings

%d/%02d/%02d, xrefs: 001D4CA8
@U=u, xrefs: 001D48F3, 001D4908, 001D495C, 001D4A0F, 001D4A56, 001D4A7E, 001D4BE3, 001D4C82, 001D4CC9, 001D4D13, 001D4D33, 001D4E15, 001D4E4E, 001D4EA5, 001D4F10

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d$@U=u
API String ID: 4054740463-2764005415
Opcode ID: 3b2379ab20797aa9041dd9bd82014801973cc728c91a9853918c3eea49841c5a
Instruction ID: 7fbb24637270aa10c47803bcb07031852d7f34274d0ea444a66e059ca0b2ffe4
Opcode Fuzzy Hash: 3b2379ab20797aa9041dd9bd82014801973cc728c91a9853918c3eea49841c5a
Instruction Fuzzy Hash: E112DD71601215ABEB248F68CC49FAE7BF8EF45710F10462AF916EB3E1DB749941CB90

Function 0015F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0015F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0019F474
IsIconic.USER32(00000000), ref: 0019F47D
ShowWindow.USER32(00000000,00000009), ref: 0019F48A
SetForegroundWindow.USER32(00000000), ref: 0019F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0019F4AA
GetCurrentThreadId.KERNEL32 ref: 0019F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0019F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0019F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0019F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0019F4DE
SetForegroundWindow.USER32(00000000), ref: 0019F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0019F4F6
keybd_event.USER32(00000012,00000000), ref: 0019F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0019F50B
keybd_event.USER32(00000012,00000000), ref: 0019F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0019F519
keybd_event.USER32(00000012,00000000), ref: 0019F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0019F528
keybd_event.USER32(00000012,00000000), ref: 0019F52D
SetForegroundWindow.USER32(00000000), ref: 0019F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0019F557

Strings

Shell_TrayWnd, xrefs: 0019F46F

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 34cef7181c4f1180d105340934ffff2537283f5302040cf1182b9201a29a70c4
Instruction ID: bd06cc3e7933db354b363e710678f90685a46ac18a06e140c2a8409241de2487
Opcode Fuzzy Hash: 34cef7181c4f1180d105340934ffff2537283f5302040cf1182b9201a29a70c4
Instruction Fuzzy Hash: 58315E71B41219BAEF206BB55C4AFBF7F6CEB44B50F11046AFA00E61D1C7B09941EAA0

Function 001A1201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 001A16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001A170D
Part of subcall function 001A16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001A173A
Part of subcall function 001A16C3: GetLastError.KERNEL32 ref: 001A174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 001A1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 001A12A8
CloseHandle.KERNEL32(?), ref: 001A12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001A12D1
GetProcessWindowStation.USER32 ref: 001A12EA
SetProcessWindowStation.USER32(00000000), ref: 001A12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 001A1310

Part of subcall function 001A10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001A11FC), ref: 001A10D4
Part of subcall function 001A10BF: CloseHandle.KERNEL32(?,?,001A11FC), ref: 001A10E9

Strings

, xrefs: 001A125A
winsta0, xrefs: 001A12CC
default, xrefs: 001A130B
Z , xrefs: 001A1392

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z
API String ID: 22674027-3366205268
Opcode ID: 1cc1114cc26464efb4854366b9b91e98c76e08d2a8aa0430de197aafa68cdaa5
Instruction ID: c4fa168453d38354dfdf4c9fa5984e1e3d64aef37214109ed5a827202125bff7
Opcode Fuzzy Hash: 1cc1114cc26464efb4854366b9b91e98c76e08d2a8aa0430de197aafa68cdaa5
Instruction Fuzzy Hash: 0D819B7594120ABFDF219FA8DC49FEE7BB9EF09704F14452AF910A62A1C7308994CB60

Function 001A0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001A10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001A1114
Part of subcall function 001A10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,001A0B9B,?,?,?), ref: 001A1120
Part of subcall function 001A10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001A0B9B,?,?,?), ref: 001A112F
Part of subcall function 001A10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001A0B9B,?,?,?), ref: 001A1136
Part of subcall function 001A10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001A114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001A0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001A0C00
GetLengthSid.ADVAPI32(?), ref: 001A0C17
GetAce.ADVAPI32(?,00000000,?), ref: 001A0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001A0C6D
GetLengthSid.ADVAPI32(?), ref: 001A0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 001A0C8C
HeapAlloc.KERNEL32(00000000), ref: 001A0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 001A0CB4
CopySid.ADVAPI32(00000000), ref: 001A0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001A0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001A0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 001A0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001A0D45
HeapFree.KERNEL32(00000000), ref: 001A0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001A0D55
HeapFree.KERNEL32(00000000), ref: 001A0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001A0D65
HeapFree.KERNEL32(00000000), ref: 001A0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 001A0D78
HeapFree.KERNEL32(00000000), ref: 001A0D7F

Part of subcall function 001A1193: GetProcessHeap.KERNEL32(00000008,001A0BB1,?,00000000,?,001A0BB1,?), ref: 001A11A1
Part of subcall function 001A1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,001A0BB1,?), ref: 001A11A8
Part of subcall function 001A1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,001A0BB1,?), ref: 001A11B7

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 982d1e5d97bd5f79d60d7f0e8fdbfec642382bc16a3a8d331b98f252f88a6c61
Instruction ID: 575d18aab3b8a2c59edfeee611f77bc42fbc8e2e83b34864a54624a206542a3c
Opcode Fuzzy Hash: 982d1e5d97bd5f79d60d7f0e8fdbfec642382bc16a3a8d331b98f252f88a6c61
Instruction Fuzzy Hash: 1B717B7A90121AEBDF11DFE4DC44FAEBBB8BF09310F044615F914A7291D771AA45CBA0

Function 001BEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(001DCC08), ref: 001BEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 001BEB37
GetClipboardData.USER32(0000000D), ref: 001BEB43
CloseClipboard.USER32 ref: 001BEB4F
GlobalLock.KERNEL32(00000000), ref: 001BEB87
CloseClipboard.USER32 ref: 001BEB91
GlobalUnlock.KERNEL32(00000000), ref: 001BEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 001BEBC9
GetClipboardData.USER32(00000001), ref: 001BEBD1
GlobalLock.KERNEL32(00000000), ref: 001BEBE2
GlobalUnlock.KERNEL32(00000000), ref: 001BEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 001BEC38
GetClipboardData.USER32(0000000F), ref: 001BEC44
GlobalLock.KERNEL32(00000000), ref: 001BEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 001BEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001BEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001BECD2
GlobalUnlock.KERNEL32(00000000), ref: 001BECF3
CountClipboardFormats.USER32 ref: 001BED14
CloseClipboard.USER32 ref: 001BED59

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 9051d8630654b163ef58e1259a39ae3eeccd35ae787a30ae76094b4730c18988
Instruction ID: 8fc718e0e73b273499e13ee450636fa88d3d793f49655b059b842ae38e2b3dc4
Opcode Fuzzy Hash: 9051d8630654b163ef58e1259a39ae3eeccd35ae787a30ae76094b4730c18988
Instruction Fuzzy Hash: 6561D2352053029FD300EF64D888FAA77E8EF94714F14491EF456972A2CB71DD85CBA2

Function 001B698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001B69BE
FindClose.KERNEL32(00000000), ref: 001B6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001B6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001B6A75

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 001B6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 001B6ADF

Strings

%4d, xrefs: 001B6BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 001B6B32
%4d%02d%02d%02d%02d%02d, xrefs: 001B6B6A
%02d, xrefs: 001B6C00, 001B6C0A, 001B6C5A, 001B6CAA, 001B6CFA, 001B6D4A
%03d, xrefs: 001B6DA2

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 9f8bf00ab914542d7427e53e30467cb8c3a9ec91ec0a88e7dbd94d2a98c4e12a
Instruction ID: b363b33c2f2a2b20c561079e730a94289c976e43239faa5dc57d539463a1f36a
Opcode Fuzzy Hash: 9f8bf00ab914542d7427e53e30467cb8c3a9ec91ec0a88e7dbd94d2a98c4e12a
Instruction Fuzzy Hash: 17D17271508300AFC714EBA4D891EAFB7ECAFA9704F44491DF585D71A1EB34DA48CBA2

Function 001B9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 001B9663
GetFileAttributesW.KERNEL32(?), ref: 001B96A1
SetFileAttributesW.KERNEL32(?,?), ref: 001B96BB
FindNextFileW.KERNEL32(00000000,?), ref: 001B96D3
FindClose.KERNEL32(00000000), ref: 001B96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 001B96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 001B974A
SetCurrentDirectoryW.KERNEL32(00206B7C), ref: 001B9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 001B9772
FindClose.KERNEL32(00000000), ref: 001B977F
FindClose.KERNEL32(00000000), ref: 001B978F

Strings

*.*, xrefs: 001B96F5

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: db18c2fa0c99ba2b717eb38ef472f5bfa9f3e0e29bacdefc11be97f87bef9ef0
Instruction ID: 3ec6a01ba28fd3cbdde3f344a5ba05b88bd3e501bfccb4f00e216375309551cf
Opcode Fuzzy Hash: db18c2fa0c99ba2b717eb38ef472f5bfa9f3e0e29bacdefc11be97f87bef9ef0
Instruction Fuzzy Hash: 0F31E47254221A6EDF14EFB4DC48ADE77ECAF09320F104556FA05E21A1EB30DD91CE90

Function 001B979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 001B97BE
FindNextFileW.KERNEL32(00000000,?), ref: 001B9819
FindClose.KERNEL32(00000000), ref: 001B9824
FindFirstFileW.KERNEL32(*.*,?), ref: 001B9840
SetCurrentDirectoryW.KERNEL32(?), ref: 001B9890
SetCurrentDirectoryW.KERNEL32(00206B7C), ref: 001B98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 001B98B8
FindClose.KERNEL32(00000000), ref: 001B98C5
FindClose.KERNEL32(00000000), ref: 001B98D5

Part of subcall function 001ADAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 001ADB00

Strings

*.*, xrefs: 001B983B

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: a2660e9c33dd03fdf8231f50ddcd9de09f27a2006043955d1e2fadd560335eca
Instruction ID: 5ebfb528ac21e9be1df646d224f41bb4f302c31639098593abb823f61c3b8380
Opcode Fuzzy Hash: a2660e9c33dd03fdf8231f50ddcd9de09f27a2006043955d1e2fadd560335eca
Instruction Fuzzy Hash: 0031127250121E6ADF10EFB4EC48ADE77BCAF06320F104556EA00E20E1DB30DA96CAA0

Function 001B8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 001B8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 001B8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001B8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001B8310
SetCurrentDirectoryW.KERNEL32(?), ref: 001B8324
SetCurrentDirectoryW.KERNEL32(?), ref: 001B8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001B838C
SetCurrentDirectoryW.KERNEL32(?), ref: 001B8395

Strings

*.*, xrefs: 001B839B

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: fdd964d0929e29ca5514a5a0300a148153c204be66a397aeb15e12dc89bbc532
Instruction ID: 9b49178c694891e401f93924861950f2c7bacafe958dfe418cd09dc738b7247b
Opcode Fuzzy Hash: fdd964d0929e29ca5514a5a0300a148153c204be66a397aeb15e12dc89bbc532
Instruction Fuzzy Hash: F26159725083459FCB10EF64D8809AEB3ECFF99714F04491AF999C7261DB31E945CB92

Function 001AD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00143AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00143A97,?,?,00142E7F,?,?,?,00000000), ref: 00143AC2

Part of subcall function 001AE199: GetFileAttributesW.KERNEL32(?,001ACF95), ref: 001AE19A

FindFirstFileW.KERNEL32(?,?), ref: 001AD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 001AD1DD
MoveFileW.KERNEL32(?,?), ref: 001AD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 001AD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 001AD237

Part of subcall function 001AD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,001AD21C,?,?), ref: 001AD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 001AD253
FindClose.KERNEL32(00000000), ref: 001AD264

Strings

\*.*, xrefs: 001AD0CD, 001AD0D6, 001AD0EB

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: c2f998ab14309c5e970a323354c96b0f09db0eb663573fd08296e55ac3541a29
Instruction ID: e94fe19ac2b6f85d99f35bbadbaaacdeb927d10a88c753362bd079bab7d20636
Opcode Fuzzy Hash: c2f998ab14309c5e970a323354c96b0f09db0eb663573fd08296e55ac3541a29
Instruction Fuzzy Hash: 8961603580110D9FCF05EBE0E992AEDB7B5AF66304F604166E406771A2EB305F09DB60

Function 001BED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 001BED91
EmptyClipboard.USER32 ref: 001BED97
GlobalAlloc.KERNEL32(00000002,?), ref: 001BEDAC
CloseClipboard.USER32 ref: 001BEEA3

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 2e7e903bdebf3f315500f55df17264010b5b044bd6b4ed649e38427e4a658f8e
Instruction ID: 2e681123ae6cfbf8ee5eb1d80282386f79ca5ccaa28f2aec17fe753a22acc445
Opcode Fuzzy Hash: 2e7e903bdebf3f315500f55df17264010b5b044bd6b4ed649e38427e4a658f8e
Instruction Fuzzy Hash: 7541BE35606612AFE720DF19E888B99BBE5EF44318F14C49AE4158FB62C775EC81CBD0

Function 001AE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 001A16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001A170D
Part of subcall function 001A16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001A173A
Part of subcall function 001A16C3: GetLastError.KERNEL32 ref: 001A174A

ExitWindowsEx.USER32(?,00000000), ref: 001AE932

Strings

@, xrefs: 001AE925
SeShutdownPrivilege, xrefs: 001AE902
, xrefs: 001AE95C
, xrefs: 001AE920

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: e6ad180fda822dfe47621d64569b90339bb9f75bcf578710b6e575ad2caca6b9
Instruction ID: 7d5f24cc18d3cf24a4cac72ab988cabe195133fd25b153d88768e39c808b3433
Opcode Fuzzy Hash: e6ad180fda822dfe47621d64569b90339bb9f75bcf578710b6e575ad2caca6b9
Instruction Fuzzy Hash: 6001D67A611311ABEB5426B89C8ABBB729CAB16758F154922F802E21D2D7A05C84C5E4

Function 001C1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 001C1276
WSAGetLastError.WSOCK32 ref: 001C1283
bind.WSOCK32(00000000,?,00000010), ref: 001C12BA
WSAGetLastError.WSOCK32 ref: 001C12C5
closesocket.WSOCK32(00000000), ref: 001C12F4
listen.WSOCK32(00000000,00000005), ref: 001C1303
WSAGetLastError.WSOCK32 ref: 001C130D
closesocket.WSOCK32(00000000), ref: 001C133C

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 3f6a58d3e1d20f38102ad23a6be20ebe58aaeadfec7798f16f17b8e80e710bfa
Instruction ID: d92cc8cfa6f6d6e16bd2b72ba7efc64be6f0677521fa1c04255536caf4069e4a
Opcode Fuzzy Hash: 3f6a58d3e1d20f38102ad23a6be20ebe58aaeadfec7798f16f17b8e80e710bfa
Instruction Fuzzy Hash: 1A416E35601141AFD710DF24C488F29BBE6AF56318F28858DE8568F2A3C771EC81CBE1

Function 0017B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0017B9D4
_free.LIBCMT ref: 0017B9F8
_free.LIBCMT ref: 0017BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,001E3700), ref: 0017BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0021121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0017BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00211270,000000FF,?,0000003F,00000000,?), ref: 0017BC36
_free.LIBCMT ref: 0017BD4B

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 4343a6f2d91b320eb58ac05cbd318b768275657fb18bd014ca00e97e6b5a46a9
Instruction ID: d8e50a08684c964bd3aa1b0f7c7bfe28d868566dbcc9fba96314416af102be4c
Opcode Fuzzy Hash: 4343a6f2d91b320eb58ac05cbd318b768275657fb18bd014ca00e97e6b5a46a9
Instruction Fuzzy Hash: 59C12971908219AFCB25AF78DC85BAA7BB8EF51310F14C19AE99CD7251EB308E41C750

Function 001AD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00143AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00143A97,?,?,00142E7F,?,?,?,00000000), ref: 00143AC2

Part of subcall function 001AE199: GetFileAttributesW.KERNEL32(?,001ACF95), ref: 001AE19A

FindFirstFileW.KERNEL32(?,?), ref: 001AD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 001AD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 001AD481
FindClose.KERNEL32(00000000), ref: 001AD498
FindClose.KERNEL32(00000000), ref: 001AD4A1

Strings

\*.*, xrefs: 001AD3F2

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 0c4621bc845d0176bd9c57aa882f61f601f7db38507967a7d189c3d3603f61a1
Instruction ID: f6ab44dc650406ffa4e0fb9360131d7211e4e47f0b97b92457efac5a86242c15
Opcode Fuzzy Hash: 0c4621bc845d0176bd9c57aa882f61f601f7db38507967a7d189c3d3603f61a1
Instruction Fuzzy Hash: 343170710093459FC304EF64D8558AF77A8BFA6314F444E1EF4D6935A1EB30AA09C763

Function 0017E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0017E645

Strings

1#IND, xrefs: 0017F83D
1#INF, xrefs: 0017F852
1#SNAN, xrefs: 0017F844
1#QNAN, xrefs: 0017F84B

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 44b2aba24df5de21a78a234cf013e4b0a3a59c267238b4e76a173c11773f76c9
Instruction ID: 587800f399d3e97c7064dddcab1d8cf1a1dbd40b6f0cd93bf47d5a76b552fe8d
Opcode Fuzzy Hash: 44b2aba24df5de21a78a234cf013e4b0a3a59c267238b4e76a173c11773f76c9
Instruction Fuzzy Hash: BCC21A71E086298FDB29CE28DD407EAB7F5EB49305F1581EAD44DE7241E774AE828F40

Function 001B648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001B64DC
CoInitialize.OLE32(00000000), ref: 001B6639
CoCreateInstance.OLE32(001DFCF8,00000000,00000001,001DFB68,?), ref: 001B6650
CoUninitialize.OLE32 ref: 001B68D4

Strings

.lnk, xrefs: 001B64BA, 001B6524, 001B65E0

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: bb53d128ff063f15dae857c3af4bf3d5e17fc517a161f32f7c283e4ca162d67f
Instruction ID: eba0de6e904314fba357371ac1f3a6ca80b1b6e37aa15dd3f962e3003c1fec1d
Opcode Fuzzy Hash: bb53d128ff063f15dae857c3af4bf3d5e17fc517a161f32f7c283e4ca162d67f
Instruction Fuzzy Hash: 90D139715083019FC314EF24C881DABB7E9FFA9744F10496DF5958B2A1DB71E909CB92

Function 001C22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 001C22E8

Part of subcall function 001BE4EC: GetWindowRect.USER32(?,?), ref: 001BE504

GetDesktopWindow.USER32 ref: 001C2312
GetWindowRect.USER32(00000000), ref: 001C2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 001C2355
GetCursorPos.USER32(?), ref: 001C2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001C23DF

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: fc0e4faa44738ffa557d34a0f54938c7c2d910b8745b07d304008d578674684c
Instruction ID: a33c9695d29398b64e4dcbe09c29d51b316a266c3045bbdf9f70cd73f7023948
Opcode Fuzzy Hash: fc0e4faa44738ffa557d34a0f54938c7c2d910b8745b07d304008d578674684c
Instruction Fuzzy Hash: 3731DC72106346ABC720DF54D808F9BBBA9FB98714F000A1EF88497181DB34EA48CBD2

Function 001B9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 001B9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 001B9C8B

Part of subcall function 001B3874: GetInputState.USER32 ref: 001B38CB
Part of subcall function 001B3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001B3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 001B9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 001B9C75

Strings

*.*, xrefs: 001B9B5D

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: e99f56d6f64485c4e6ebbb372425d899faf294feba4221a76163c5c00a5e8196
Instruction ID: d78c28f151339c6dc2429afcab1b6d973d78961cca4642fa97fcd07648fae118
Opcode Fuzzy Hash: e99f56d6f64485c4e6ebbb372425d899faf294feba4221a76163c5c00a5e8196
Instruction Fuzzy Hash: 9041807194120AAFCF14DFA4C989AEEBBB4EF15310F204156F505A71A1EB309E95CFA0

Function 00148060 Relevance: 8.7, Strings: 6, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00185DF0
VUUU, xrefs: 001483E8
_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{, xrefs: 00185D55
VUUU, xrefs: 0014843C
VUUU, xrefs: 001483FA
ERCP, xrefs: 0014813C

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU$_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{
API String ID: 0-2009957334
Opcode ID: ec53f2ae3c28bea9cd28bad2d19a40c54220da0ae65aeffdb00d686f5cf7bcab
Instruction ID: 92b0f601a77e8414bd6f43fdfb0462bdfe0b7f87a03c407f76e8ad3d3096846a
Opcode Fuzzy Hash: ec53f2ae3c28bea9cd28bad2d19a40c54220da0ae65aeffdb00d686f5cf7bcab
Instruction Fuzzy Hash: 36A27071E0061ACBDF24DF58C8507AEB7B2FF54314F2581AAE815AB295DB709E81CF90

Function 0015997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00159BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00159BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00159A4E
GetSysColor.USER32(0000000F), ref: 00159B23
SetBkColor.GDI32(?,00000000), ref: 00159B36

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 13c695ce5b28d92faade3b908edac03832463c2b4c9c0757ca769d781ddfe7d2
Instruction ID: c5fa91400d9d11c65f5f0aa0fea77c718e83bcb629c90a60bfa2ede97f53faa2
Opcode Fuzzy Hash: 13c695ce5b28d92faade3b908edac03832463c2b4c9c0757ca769d781ddfe7d2
Instruction Fuzzy Hash: C9A108B0218544EEEB2DAA3C9C4CDBB365DDF52342B16420AF922CF6D5CB259D05C273

Function 001C1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001C304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001C307A
Part of subcall function 001C304E: _wcslen.LIBCMT ref: 001C309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 001C185D
WSAGetLastError.WSOCK32 ref: 001C1884
bind.WSOCK32(00000000,?,00000010), ref: 001C18DB
WSAGetLastError.WSOCK32 ref: 001C18E6
closesocket.WSOCK32(00000000), ref: 001C1915

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 7872cff18f1321441e9869aeb681bde09acd3048cb7e3e298cc4a687929dcfe9
Instruction ID: 11b77ddfcf9cb760a82d5a948cff3556da003358e995e3a9a504b4f459c63e8f
Opcode Fuzzy Hash: 7872cff18f1321441e9869aeb681bde09acd3048cb7e3e298cc4a687929dcfe9
Instruction Fuzzy Hash: 5D519F71A40210AFDB10AF64C886F2AB7A5AB59718F18849CF9169F3D3C771ED41CBE1

Function 001A8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 001A82AA

Strings

(, xrefs: 001A82F0
tb , xrefs: 001A84F4
|, xrefs: 001A82DA

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: lstrlen
String ID: ($tb $|
API String ID: 1659193697-4033350771
Opcode ID: a308c0e45cb2b7408476f702342fcbef6a93f1ca568be0546fe30ed432d3169a
Instruction ID: d66500697d6623988cc6ac2edcbfc6b6f99b2d976c5ab7bff38acc80e188a862
Opcode Fuzzy Hash: a308c0e45cb2b7408476f702342fcbef6a93f1ca568be0546fe30ed432d3169a
Instruction Fuzzy Hash: EB322579A007059FCB28CF59C481A6AB7F0FF48710B15C56EE99ADB3A1EB70E941CB40

Function 001CA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001CA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 001CA6BA

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

Process32NextW.KERNEL32(00000000,?), ref: 001CA79C
CloseHandle.KERNEL32(00000000), ref: 001CA7AB

Part of subcall function 0015CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00183303,?), ref: 0015CE8A

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: cd89ebc77494d9b38077b1e149da42a35cd690aa6d00cf6eb588b3f6f8b94383
Instruction ID: 25e0c252b1dcafe970dd62e6c323252e5e04b3bf969d02e2cf2665536df96747
Opcode Fuzzy Hash: cd89ebc77494d9b38077b1e149da42a35cd690aa6d00cf6eb588b3f6f8b94383
Instruction Fuzzy Hash: 7C516C71508311AFD310EF24D886E6BBBE8FFA9754F40491DF99997262EB30D904CB92

Function 001AAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 001AAAAC
SetKeyboardState.USER32(00000080), ref: 001AAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 001AAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 001AAB88

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c884f0988db7a0d46db7c8cda0e38fb0eb7297fae232f2cf16fee31800fc3675
Instruction ID: 945d7f761514dd0eccd1ec8801f8f46e7fa3e95960c1d1325b974ab6d668b50e
Opcode Fuzzy Hash: c884f0988db7a0d46db7c8cda0e38fb0eb7297fae232f2cf16fee31800fc3675
Instruction Fuzzy Hash: 16313934A80348AEFF35CB64CC05BFA7BA6AF56320F84421BF581965D1D3759981C7B2

Function 001BCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 001BCE89
GetLastError.KERNEL32(?,00000000), ref: 001BCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 001BCEFE

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: eea850e30bc5a6fd5b2a360c9f9eed60f62147a8124913271187af00f9e59a9c
Instruction ID: 613448248fd67da98a0fa9c2b8ddae2ff9a7363e3a92511bc51978b7ac994e05
Opcode Fuzzy Hash: eea850e30bc5a6fd5b2a360c9f9eed60f62147a8124913271187af00f9e59a9c
Instruction Fuzzy Hash: B9219D71601306EBDB20DFA5C948BA77BF8EB50354F10481EE546D2151E770EE44CBE0

Function 00172622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0017271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00172724
UnhandledExceptionFilter.KERNEL32(?), ref: 00172731

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: c28f90e5547ad01b9c5c45a6c6d2290355540a9941381c3e590f898ed917b119
Instruction ID: 65f14d8c88032bfa191fe82adb4c55660c5b10cfa77ef393bddbb5befb921bfc
Opcode Fuzzy Hash: c28f90e5547ad01b9c5c45a6c6d2290355540a9941381c3e590f898ed917b119
Instruction Fuzzy Hash: 5431B774911218ABCB21DF64DD8979DB7B8BF18310F5082DAE81CA7261E7309F818F45

Function 001B51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001B51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 001B5238
SetErrorMode.KERNEL32(00000000), ref: 001B52A1

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: fe6bcac8bb77a6fd12a7168ea9fda1c052f73df93a7b47eaf5bc82d445c73430
Instruction ID: 8b9761ed8d2a404a2e9df131e8770008c49f2c292c0d3081ca397eb39efe9393
Opcode Fuzzy Hash: fe6bcac8bb77a6fd12a7168ea9fda1c052f73df93a7b47eaf5bc82d445c73430
Instruction Fuzzy Hash: DB314C75A01519DFDB00DF54D884FAEBBB5FF49314F048499E805AB3A2DB31E856CB90

Function 001A16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0015FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00160668
Part of subcall function 0015FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00160685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001A170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001A173A
GetLastError.KERNEL32 ref: 001A174A

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: ebdc164fd2ae19b97101242c38dfbcee8641fc5af46684840ba1dde1b7b73add
Instruction ID: 0c7efa09d2386b4e6044002b97e336ee09943d6589d4f849a804450a971dd34c
Opcode Fuzzy Hash: ebdc164fd2ae19b97101242c38dfbcee8641fc5af46684840ba1dde1b7b73add
Instruction Fuzzy Hash: DA11C1B2400305BFD7189F94DC86D6BB7B9EB04714B20852EF45697641EB70BC41CA60

Function 001AD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001AD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 001AD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001AD650

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: aeb102ba6de4ef79fe641ec145d98cfacfa37c4674b577186dd8730ce9323df9
Instruction ID: ffefc15db580afc6e3d5c1be1b9d8d7ad316ed9ac9462a3dc20681e822a381aa
Opcode Fuzzy Hash: aeb102ba6de4ef79fe641ec145d98cfacfa37c4674b577186dd8730ce9323df9
Instruction Fuzzy Hash: EA113C75E06228BBDB148F99AC45FAFBBBCEB45B50F108516F908E7290D6704A058BA1

Function 001A1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 001A168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001A16A1
FreeSid.ADVAPI32(?), ref: 001A16B1

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 65d880585bdf11a094556d211ec86fb8d43b94949b6c43823b8a6bae734b9254
Instruction ID: 74ecceacf4b9803e4b65106b4e7acee4883419c181fc15b77b789cdcd05e3f69
Opcode Fuzzy Hash: 65d880585bdf11a094556d211ec86fb8d43b94949b6c43823b8a6bae734b9254
Instruction Fuzzy Hash: 47F0F475952309FBDF00DFE49C89AAEBBBCFB08604F504965E501E2181E774AA44CA90

Function 00164CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(001728E9,?,00164CBE,001728E9,002088B8,0000000C,00164E15,001728E9,00000002,00000000,?,001728E9), ref: 00164D09
TerminateProcess.KERNEL32(00000000,?,00164CBE,001728E9,002088B8,0000000C,00164E15,001728E9,00000002,00000000,?,001728E9), ref: 00164D10
ExitProcess.KERNEL32 ref: 00164D22

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: c659413c85bebc965496659b0888e639e42f12162296d28bfb0d9f5f03e9bf31
Instruction ID: 8eb4d42b98b506fd8f863f45cb945d3d62c296a58e97778ee5cb531dfa3a4aae
Opcode Fuzzy Hash: c659413c85bebc965496659b0888e639e42f12162296d28bfb0d9f5f03e9bf31
Instruction Fuzzy Hash: D0E0B631402149BBCF11AF94DD09A583B69FB61782F108415FC198B522CB35DE92DA80

Function 0017C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0017C36C

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: fb8fb6cc299fb2f25afe35fb47c143a57b13983a342a5ec9a030bfc2de553a91
Instruction ID: ed3a48c8eeedf0dcaffc16e425551259084871958a9f441dbdd5b8ee32d0a667
Opcode Fuzzy Hash: fb8fb6cc299fb2f25afe35fb47c143a57b13983a342a5ec9a030bfc2de553a91
Instruction Fuzzy Hash: 3B412876500619ABCB249FB9DC49EAB77B8FB84314F10866DF909D7181E7709D81CB90

Function 0019D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0019D28C

Strings

X64, xrefs: 0019D2A8

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 4679aca7d1abc07294e902dfdbdb84ec943f95fad2a82139104b8a946f8bdaf1
Instruction ID: bc0570dbce24718aea1d5b7ed4dda982ccd64425deb66a5418ab0114c171608b
Opcode Fuzzy Hash: 4679aca7d1abc07294e902dfdbdb84ec943f95fad2a82139104b8a946f8bdaf1
Instruction Fuzzy Hash: 72D0C9B480211DEACF94CB90EC88DDAB37CBB04305F100552F506A2080DB3095488F10

Function 0016CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: d74d4d19bb408f285b5ee52a8c8f45d19c558f8887941f339f9b4dca24924b09
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 53022C72E002199BDF14CFA9C8906ADFBF1EF88314F25816AD859E7380D731AA51CBD4

Function 0014CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#!, xrefs: 0014CF7F
Variable is not of type 'Object'., xrefs: 00190C40

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#!
API String ID: 0-498771827
Opcode ID: 3d567cb0fecabe0f0c45aeed37b17b70db6f06725e889276fdb4c87f3c41834a
Instruction ID: e8dfe3b64cb414df2e8e8dae16c5a54b5d9f002467c8934f60e3e23f2fc4d33b
Opcode Fuzzy Hash: 3d567cb0fecabe0f0c45aeed37b17b70db6f06725e889276fdb4c87f3c41834a
Instruction Fuzzy Hash: D632B174901218DFCF54DF94C885BEDB7B5FF19304F148069E806AB2A2DB35AE49CBA0

Function 001B68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001B6918
FindClose.KERNEL32(00000000), ref: 001B6961

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 1d16ffce118e1468067dba131ccd6f7a345086399086b375b3089eeac4ec4858
Instruction ID: d1f0710eee54dd9bc7ccf6dc3a11a898b4b9315c57577081668337eb1a06d037
Opcode Fuzzy Hash: 1d16ffce118e1468067dba131ccd6f7a345086399086b375b3089eeac4ec4858
Instruction Fuzzy Hash: 2D11D0316042119FC710CF29D484A16BBE1FF94328F04C699F8698F6A2C734EC45CBD0

Function 001B37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,001C4891,?,?,00000035,?), ref: 001B37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,001C4891,?,?,00000035,?), ref: 001B37F4

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 8d1656e7ae3264112a5bd703c9c8d95f035cfc3b508291e2938204a14851475d
Instruction ID: 181431fb81d216e60e80ac6ff1e5fc00aaae73c626c95027e9948a3d0aa10a67
Opcode Fuzzy Hash: 8d1656e7ae3264112a5bd703c9c8d95f035cfc3b508291e2938204a14851475d
Instruction Fuzzy Hash: 31F0E5B16062297AE72027669C4DFEB3BAEEFC4761F000265F509D2291DB609944C7F0

Function 001AB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 001AB25D
keybd_event.USER32(?,753DC0D0,?,00000000), ref: 001AB270

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 3b7ce98068a06247dd9f966b8d21bc0a6e6b92df52350b43a21520c3ca3325cb
Instruction ID: 4b022e199f0c81c92a41e5a4c8c94218f43922c9c7b0bb9c2e2b28fbd7e14877
Opcode Fuzzy Hash: 3b7ce98068a06247dd9f966b8d21bc0a6e6b92df52350b43a21520c3ca3325cb
Instruction Fuzzy Hash: F9F0177590428EABDB059FA0C806BAE7BB4FF09309F00844AF965A61A2C3799651DF94

Function 001A10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001A11FC), ref: 001A10D4
CloseHandle.KERNEL32(?,?,001A11FC), ref: 001A10E9

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: db204f65e524e2dc636d9d624359399192af53d5cbc3716768ace5015d51bcf1
Instruction ID: abb4fa19f4c0f144d4f4190745f4a868e90c245555971a36b96474166b5bef9c
Opcode Fuzzy Hash: db204f65e524e2dc636d9d624359399192af53d5cbc3716768ace5015d51bcf1
Instruction Fuzzy Hash: 17E04F72005601FEE7252B51FC06F7377A9EB04311F10882EF8A5844B1DB626CD0DB50

Function 0017676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00176766,?,?,00000008,?,?,0017FEFE,00000000), ref: 00176998

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 4c7ec43f57d194eb5991212e79e9231efe18bf36c56838513a315c1f787ebb02
Instruction ID: 6f000df0bcc62ea39bd610a19982691989ef2d069ab1d9db378187b5dbbd8306
Opcode Fuzzy Hash: 4c7ec43f57d194eb5991212e79e9231efe18bf36c56838513a315c1f787ebb02
Instruction Fuzzy Hash: 52B12931610A099FD719CF28C48AB657BB0FF45368F25C698E99DCF2A2C335E995CB40

Function 0015B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0019851F

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c2c50ac9a83e1c4662e9f979807399735548f3383686bcb77786b98e00a1fb5c
Instruction ID: e91e4945e1bf1a2c3ba3518efafd517b3755ba2ce7726efc5cacc1ad85d88a15
Opcode Fuzzy Hash: c2c50ac9a83e1c4662e9f979807399735548f3383686bcb77786b98e00a1fb5c
Instruction Fuzzy Hash: 17126D71904229DFCF24CF58C880AEEB7F5FF48710F15819AE859EB255EB309A85CB90

Function 001BEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 001BEABD

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 743806e2cdeea054bb6eb6514c2eed248bdf92f90e5426142f7b363d25ddf5d9
Instruction ID: 0f2744a009a2816a044936346b9b7f75e2a311ab3303a78a654966337c58ec35
Opcode Fuzzy Hash: 743806e2cdeea054bb6eb6514c2eed248bdf92f90e5426142f7b363d25ddf5d9
Instruction Fuzzy Hash: 91E04F312012049FC710EF69D844EDAF7EDAFA8760F008816FC49CB3A1DB70E8408B90

Function 001609D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,001603EE), ref: 001609DA

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8496916e2031d0d86dee912fa1534a16462d435cdd112a5848de3db6c116e6a2
Instruction ID: 53ee51feeaf869dc32dce88c387522920ce8648cae3afb2c0f42e35868e70501
Opcode Fuzzy Hash: 8496916e2031d0d86dee912fa1534a16462d435cdd112a5848de3db6c116e6a2
Instruction Fuzzy Hash:

Function 0016781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0016798B

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 418aae584077b7f435f1242f9378701294227c45e8482d7e16ebf2a245c28f45
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 4D51777160C7059BDB3889788C5EBBE63DD9B2235CF180A09E882D72C2CB15EE71D356

Function 001B2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&!, xrefs: 001B2053

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID:
String ID: 0&!
API String ID: 0-1419620344
Opcode ID: 43469d8c244f55b32967cbe7189211f24f8883fcc5b04a1932687fa1acc781e6
Instruction ID: f83aad06b7056ae799c8af964916890489c292ccbf61485bfdff114e1f6493c7
Opcode Fuzzy Hash: 43469d8c244f55b32967cbe7189211f24f8883fcc5b04a1932687fa1acc781e6
Instruction Fuzzy Hash: 7321A8326205158BD728CE79C8166BA73E5A764310F15862EF4A7C37D0DF35A908C740

Function 00176DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a18eb8aefda32e9f2cd9994f7d70d92970e4a52fbce395a90b4c2ae266b0437b
Instruction ID: 6300bcb1ee5865f4feafc62022c314af71245c680f04150fb822a920c4795eeb
Opcode Fuzzy Hash: a18eb8aefda32e9f2cd9994f7d70d92970e4a52fbce395a90b4c2ae266b0437b
Instruction Fuzzy Hash: 8932F022D29F414DD7239634CC72339A69DAFB73C5F15D727E81AB9DAAEB2984C34100

Function 0015CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c35bbaf75acc9f5407b43b23d9eac2dbb820a9f8bb7e1af56421969bd5092b1
Instruction ID: 2c93529c94911d5230de55de92e1e3da821f6e75faa36e66dfa8b187cc9ed387
Opcode Fuzzy Hash: 9c35bbaf75acc9f5407b43b23d9eac2dbb820a9f8bb7e1af56421969bd5092b1
Instruction Fuzzy Hash: 55324831A00255CFDF28CF68C4946BD7BA1EB45355F29816AD8EACB292E330DD85DBC1

Function 00147920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94cd8aa7561e03236420860383581ecc9d5f567e5b30bc204d3bb354d936fc11
Instruction ID: d8aece26733260cc8be88075c7a8c31e179b13d78f54f192c37b848b133ee278
Opcode Fuzzy Hash: 94cd8aa7561e03236420860383581ecc9d5f567e5b30bc204d3bb354d936fc11
Instruction Fuzzy Hash: E522A270A04609DFDF14DF64D881AAEB7F6FF54300F244529E816E72A1EB369E15CB50

Function 001491C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 708acfea16953aaff483c47b3697636efa58d6042dde55ff8ef4db047a5b087a
Instruction ID: 7a8b27500df56ac18505e8cb6a5a82c5d8080611502b77bee8000e3541fa717a
Opcode Fuzzy Hash: 708acfea16953aaff483c47b3697636efa58d6042dde55ff8ef4db047a5b087a
Instruction Fuzzy Hash: 4C0295B1E00205EFDB04EF64D881AAEB7F5FF54300F118169E816DB291EB71AA65CF91

Function 001619B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 6bbbf60e94c3df67cdbc3714a9ff1c3ce6f27c1f8b007afa81bf017022a85110
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: EE913F722090E35ADB6D467A897403EFEF15A923A631E479ED4F2CB1C1FF248574E620

Function 00167A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b3f9e476ef45f889762b840d682d2d264a9b8c80951358764e0511bd22aac0a
Instruction ID: 579f48a34205f4943f764b5e11bcb6a5cf0a7ac56d41965876cecde91d000803
Opcode Fuzzy Hash: 8b3f9e476ef45f889762b840d682d2d264a9b8c80951358764e0511bd22aac0a
Instruction Fuzzy Hash: 90616B7120870996DE38AA6C8DA5BBE6394DF5170CF280A1AEC43DB2C1DB51DE72C355

Function 00161706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: fb07e7584644e0f371780fb448f8157c4635b63a77c4e1de14408719270aac4b
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 7D8161736090E35ADB6D863A893447EFFE15A923A531E079ED4F2CB1C1EF248574E620

Function 001C2ADE Relevance: 79.2, APIs: 40, Strings: 5, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001C2B30
DeleteObject.GDI32(00000000), ref: 001C2B43
DestroyWindow.USER32 ref: 001C2B52
GetDesktopWindow.USER32 ref: 001C2B6D
GetWindowRect.USER32(00000000), ref: 001C2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 001C2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 001C2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C2CF8
GetClientRect.USER32(00000000,?), ref: 001C2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 001C2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C2D80
GlobalLock.KERNEL32(00000000), ref: 001C2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C2D98
GlobalUnlock.KERNEL32(00000000), ref: 001C2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C2DA8
GlobalFree.KERNEL32(00000000), ref: 001C2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,001DFC38,00000000), ref: 001C2DDB
GlobalFree.KERNEL32(00000000), ref: 001C2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 001C2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 001C2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C303F

Strings

, xrefs: 001C2FC5
DISPLAY, xrefs: 001C2EA2
AutoIt v3, xrefs: 001C2CF2
static, xrefs: 001C2D3A, 001C2E91
@U=u, xrefs: 001C2E30, 001C2FBF

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $@U=u$AutoIt v3$DISPLAY$static
API String ID: 2211948467-3613752883
Opcode ID: 8146bf7c11a5c19e0220cf7c8a80cb2381445aac4a34373ab09afd608f0a5e0d
Instruction ID: 6b11f97b9be6f70c9187a0a5c41605fae505077e6a5bd8de4dea5317da30caa0
Opcode Fuzzy Hash: 8146bf7c11a5c19e0220cf7c8a80cb2381445aac4a34373ab09afd608f0a5e0d
Instruction Fuzzy Hash: 87027C71901219EFDB14DF64DC89FAEBBB9EB58310F008559F915AB2A1CB70ED41CBA0

Function 001D70D5 Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 001D712F
GetSysColorBrush.USER32(0000000F), ref: 001D7160
GetSysColor.USER32(0000000F), ref: 001D716C
SetBkColor.GDI32(?,000000FF), ref: 001D7186
SelectObject.GDI32(?,?), ref: 001D7195
InflateRect.USER32(?,000000FF,000000FF), ref: 001D71C0
GetSysColor.USER32(00000010), ref: 001D71C8
CreateSolidBrush.GDI32(00000000), ref: 001D71CF
FrameRect.USER32(?,?,00000000), ref: 001D71DE
DeleteObject.GDI32(00000000), ref: 001D71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 001D7230
FillRect.USER32(?,?,?), ref: 001D7262
GetWindowLongW.USER32(?,000000F0), ref: 001D7284

Part of subcall function 001D73E8: GetSysColor.USER32(00000012), ref: 001D7421
Part of subcall function 001D73E8: SetTextColor.GDI32(?,?), ref: 001D7425
Part of subcall function 001D73E8: GetSysColorBrush.USER32(0000000F), ref: 001D743B
Part of subcall function 001D73E8: GetSysColor.USER32(0000000F), ref: 001D7446
Part of subcall function 001D73E8: GetSysColor.USER32(00000011), ref: 001D7463
Part of subcall function 001D73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 001D7471
Part of subcall function 001D73E8: SelectObject.GDI32(?,00000000), ref: 001D7482
Part of subcall function 001D73E8: SetBkColor.GDI32(?,00000000), ref: 001D748B
Part of subcall function 001D73E8: SelectObject.GDI32(?,?), ref: 001D7498
Part of subcall function 001D73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 001D74B7
Part of subcall function 001D73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001D74CE
Part of subcall function 001D73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 001D74DB

Strings

@U=u, xrefs: 001D72CC

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID: @U=u
API String ID: 4124339563-2594219639
Opcode ID: d88b1d56664f90aacbb2eddace4631470b7aa15059a751f635792e8a66e66348
Instruction ID: 6ef2aa0c0fe5f2ee0fdb3bdc05e4841a27ddfd5486aaa62378ea042723fbc2c2
Opcode Fuzzy Hash: d88b1d56664f90aacbb2eddace4631470b7aa15059a751f635792e8a66e66348
Instruction Fuzzy Hash: 2BA1947210A312FFDB009F60DC48A5BB7A9FB49321F100F1AF962961E1D771E944CB91

Function 00158D85 Relevance: 49.5, APIs: 26, Strings: 2, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00158E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00196AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00196AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00196F43

Part of subcall function 00158F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00158BE8,?,00000000,?,?,?,?,00158BBA,00000000,?), ref: 00158FC5

SendMessageW.USER32(?,00001053), ref: 00196F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00196F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00196FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00196FB7

Strings

0, xrefs: 00196DCF
@U=u, xrefs: 00196AC5, 00196BD6, 00196EBF

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0$@U=u
API String ID: 2760611726-975001249
Opcode ID: eccfaca5ccd03fb50cce06ae38c4a12a804c6ad563e5e837155452e5ffc68a04
Instruction ID: b79f2a0aef5ed522a1130d013fcc53c33f4ea8661f13797afc3f73e3e88253e7
Opcode Fuzzy Hash: eccfaca5ccd03fb50cce06ae38c4a12a804c6ad563e5e837155452e5ffc68a04
Instruction Fuzzy Hash: 0A12BD34201201DFDB25CF24D899BAAB7F1FF54301F148469F9A59B661CB31ECA6CBA1

Function 001C2711 Relevance: 47.6, APIs: 22, Strings: 5, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 001C273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 001C286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 001C28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 001C28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 001C2900
GetClientRect.USER32(00000000,?), ref: 001C290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 001C2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 001C2964
GetStockObject.GDI32(00000011), ref: 001C2974
SelectObject.GDI32(00000000,00000000), ref: 001C2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 001C2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001C2991
DeleteDC.GDI32(00000000), ref: 001C299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001C29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 001C29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 001C2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 001C2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 001C2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 001C2A77
GetStockObject.GDI32(00000011), ref: 001C2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 001C2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 001C2A97

Strings

DISPLAY, xrefs: 001C295A
AutoIt v3, xrefs: 001C28F8
static, xrefs: 001C294F, 001C2A71
@U=u, xrefs: 001C29CC
msctls_progress32, xrefs: 001C2A13

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-2771358697
Opcode ID: 41e491f1f23630f45ea3f38a4fce2cce568c25db581805a047b51d25abf2ea41
Instruction ID: 6b40c7f923c8513d05b0b77fdbd53e3d421a92608f4f94f4dc54e451b65dec1c
Opcode Fuzzy Hash: 41e491f1f23630f45ea3f38a4fce2cce568c25db581805a047b51d25abf2ea41
Instruction Fuzzy Hash: 61B16071A01215AFDB14DF68DC89FAEBBA9EF14710F008559FA14EB2A0DB70ED40CB90

Function 001D73E8 Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 001D7421
SetTextColor.GDI32(?,?), ref: 001D7425
GetSysColorBrush.USER32(0000000F), ref: 001D743B
GetSysColor.USER32(0000000F), ref: 001D7446
CreateSolidBrush.GDI32(?), ref: 001D744B
GetSysColor.USER32(00000011), ref: 001D7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 001D7471
SelectObject.GDI32(?,00000000), ref: 001D7482
SetBkColor.GDI32(?,00000000), ref: 001D748B
SelectObject.GDI32(?,?), ref: 001D7498
InflateRect.USER32(?,000000FF,000000FF), ref: 001D74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001D74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 001D74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001D752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 001D7554
InflateRect.USER32(?,000000FD,000000FD), ref: 001D7572
DrawFocusRect.USER32(?,?), ref: 001D757D
GetSysColor.USER32(00000011), ref: 001D758E
SetTextColor.GDI32(?,00000000), ref: 001D7596
DrawTextW.USER32(?,001D70F5,000000FF,?,00000000), ref: 001D75A8
SelectObject.GDI32(?,?), ref: 001D75BF
DeleteObject.GDI32(?), ref: 001D75CA
SelectObject.GDI32(?,?), ref: 001D75D0
DeleteObject.GDI32(?), ref: 001D75D5
SetTextColor.GDI32(?,?), ref: 001D75DB
SetBkColor.GDI32(?,?), ref: 001D75E5

Strings

@U=u, xrefs: 001D752A

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID: @U=u
API String ID: 1996641542-2594219639
Opcode ID: e9875deb2259a8205b5b77a44c752534fe0a0e2d112667e1cf1d805559695c44
Instruction ID: 81869771981bf9151ade3fe621ed14d87cfd55d82cc5476544baaa6953ef62eb
Opcode Fuzzy Hash: e9875deb2259a8205b5b77a44c752534fe0a0e2d112667e1cf1d805559695c44
Instruction Fuzzy Hash: 1A615072902219EFDF019FA4DC49EEEBF79EB08320F114616F915AB2E1D7749980CB90

Function 001B4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001B4AED
GetDriveTypeW.KERNEL32(?,001DCB68,?,\\.\,001DCC08), ref: 001B4BCA
SetErrorMode.KERNEL32(00000000,001DCB68,?,\\.\,001DCC08), ref: 001B4D36

Strings

ATA, xrefs: 001B4C98
SATA, xrefs: 001B4CD0
\\.\, xrefs: 001B4B3F
1394, xrefs: 001B4C9F
SSA, xrefs: 001B4CA6
Fibre, xrefs: 001B4CAD
Network, xrefs: 001B4C02
FileBackedVirtual, xrefs: 001B4CEC
CDROM, xrefs: 001B4BFB
Fixed, xrefs: 001B4C09
PhysicalDrive, xrefs: 001B4B76
iSCSI, xrefs: 001B4CC2
Removable, xrefs: 001B4C10, 001B4C15
SAS, xrefs: 001B4CC9
RAMDisk, xrefs: 001B4BF4
RAID, xrefs: 001B4CBB
SCSI, xrefs: 001B4C8A
ATAPI, xrefs: 001B4C91
SSD, xrefs: 001B4C4A
Virtual, xrefs: 001B4CE5
MMC, xrefs: 001B4CDE
USB, xrefs: 001B4CB4
Unknown, xrefs: 001B4BED, 001B4C83

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: e8daedb8ae2184135d312c6d6ffacd38da8da57d52e17cf0941a893d090f0240
Instruction ID: 8f36e95d265733f882c9d82598a744b70a7ab5b0c9cf26ebc1a17f1aefc31118
Opcode Fuzzy Hash: e8daedb8ae2184135d312c6d6ffacd38da8da57d52e17cf0941a893d090f0240
Instruction Fuzzy Hash: 7561C330615206DBCB08EF64CA8A9FD7BB0EF15B00B24C416F806AB693DB31ED65DB41

Function 001D0241 Relevance: 37.1, APIs: 7, Strings: 14, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001D02E5
_wcslen.LIBCMT ref: 001D031F
_wcslen.LIBCMT ref: 001D0389
_wcslen.LIBCMT ref: 001D03F1
_wcslen.LIBCMT ref: 001D0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 001D04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001D0504

Part of subcall function 0015F9F2: _wcslen.LIBCMT ref: 0015F9FD

Part of subcall function 001A223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001A2258
Part of subcall function 001A223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001A228A

Strings

ISSELECTED, xrefs: 001D04DD
DESELECT, xrefs: 001D059C
VIEWCHANGE, xrefs: 001D0675
SELECT, xrefs: 001D0548
@U=u, xrefs: 001D04C5, 001D0504
SELECTALL, xrefs: 001D0515
GETSUBITEMCOUNT, xrefs: 001D0384, 001D039F
GETTEXT, xrefs: 001D03EC, 001D0407
FINDITEM, xrefs: 001D0627
SELECTINVERT, xrefs: 001D057E
GETITEMCOUNT, xrefs: 001D0316, 001D0337
GETSELECTEDCOUNT, xrefs: 001D0470, 001D048B
SELECTCLEAR, xrefs: 001D052D
GETSELECTED, xrefs: 001D05E1

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-1753161424
Opcode ID: 48860f35190414b9760058f6ea2d0f69d666a876ef397762bb64e166c86c723e
Instruction ID: 1ad9732f1e381611df20db7101d2ce20edf08bfdda120bfabfde680e92f66b8d
Opcode Fuzzy Hash: 48860f35190414b9760058f6ea2d0f69d666a876ef397762bb64e166c86c723e
Instruction Fuzzy Hash: 71E1AF316183019FC715DF28C590A2AB3E6BF9C314F15495EF8969B3A2DB30ED45CB91

Function 001D0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 001D1128
GetDesktopWindow.USER32 ref: 001D113D
GetWindowRect.USER32(00000000), ref: 001D1144
GetWindowLongW.USER32(?,000000F0), ref: 001D1199
DestroyWindow.USER32(?), ref: 001D11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001D11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001D120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001D121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 001D1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 001D1245
IsWindowVisible.USER32(00000000), ref: 001D12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 001D12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 001D12D0
GetWindowRect.USER32(00000000,?), ref: 001D12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 001D130E
GetMonitorInfoW.USER32(00000000,?), ref: 001D1328
CopyRect.USER32(?,?), ref: 001D133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 001D13AA

Strings

(, xrefs: 001D131B
0, xrefs: 001D10D3
tooltips_class32, xrefs: 001D11E6

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 1e97c4f3ab642458f38a2368b89293f7a85467963939a08af89323d7f44fd81f
Instruction ID: 68f16e45cac65653b4ca2b8b14b4896b52e81113ce647a93f8ffed85fa620009
Opcode Fuzzy Hash: 1e97c4f3ab642458f38a2368b89293f7a85467963939a08af89323d7f44fd81f
Instruction Fuzzy Hash: B9B16B71608341BFDB14DF64D884B6BBBE5FF98350F00891AF9999B2A1CB71E844CB91

Function 00158891 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00158968
GetSystemMetrics.USER32(00000007), ref: 00158970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0015899B
GetSystemMetrics.USER32(00000008), ref: 001589A3
GetSystemMetrics.USER32(00000004), ref: 001589C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001589E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001589F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00158A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00158A3C
GetClientRect.USER32(00000000,000000FF), ref: 00158A5A
GetStockObject.GDI32(00000011), ref: 00158A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00158A81

Part of subcall function 0015912D: GetCursorPos.USER32(?), ref: 00159141
Part of subcall function 0015912D: ScreenToClient.USER32(00000000,?), ref: 0015915E
Part of subcall function 0015912D: GetAsyncKeyState.USER32(00000001), ref: 00159183
Part of subcall function 0015912D: GetAsyncKeyState.USER32(00000002), ref: 0015919D

SetTimer.USER32(00000000,00000000,00000028,001590FC), ref: 00158AA8

Strings

AutoIt v3 GUI, xrefs: 00158A20
@U=u, xrefs: 00158A81

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: @U=u$AutoIt v3 GUI
API String ID: 1458621304-2077007950
Opcode ID: defc1fd92438b3045b25c8c9ce42e4607261de283ed5c9d1406330da76edff6a
Instruction ID: e49e1a5c7cf48571bb7a6d3c848cfac700362ed900580c1e0190e70899a7dbe7
Opcode Fuzzy Hash: defc1fd92438b3045b25c8c9ce42e4607261de283ed5c9d1406330da76edff6a
Instruction Fuzzy Hash: 45B16C31A0120ADFDF14DFA8DC49BEA7BB5FB48315F11461AFA25AB290DB30A851CB51

Function 001A5A1B Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 001A5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 001A5A40
SetWindowTextW.USER32(?,?), ref: 001A5A57
GetDlgItem.USER32(?,000003EA), ref: 001A5A6C
SetWindowTextW.USER32(00000000,?), ref: 001A5A72
GetDlgItem.USER32(?,000003E9), ref: 001A5A82
SetWindowTextW.USER32(00000000,?), ref: 001A5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 001A5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 001A5AC3
GetWindowRect.USER32(?,?), ref: 001A5ACC
_wcslen.LIBCMT ref: 001A5B33
SetWindowTextW.USER32(?,?), ref: 001A5B6F
GetDesktopWindow.USER32 ref: 001A5B75
GetWindowRect.USER32(00000000), ref: 001A5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 001A5BD3
GetClientRect.USER32(?,?), ref: 001A5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 001A5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 001A5C2F

Strings

@U=u, xrefs: 001A5A40

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID: @U=u
API String ID: 895679908-2594219639
Opcode ID: f0df1450584d64e2a4f9e92005d250b6d09bcb090f8adf691e588628ebb489c5
Instruction ID: de46000023134d12b05844a6bb561e597328f17b6d0850c58d8b645edd1f34c7
Opcode Fuzzy Hash: f0df1450584d64e2a4f9e92005d250b6d09bcb090f8adf691e588628ebb489c5
Instruction Fuzzy Hash: 0C718135905B05EFDB20DFA8CD85AAEBBF6FF48705F104919E142A35A0D774E944CB60

Function 001D091E Relevance: 31.9, APIs: 6, Strings: 12, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001D09C6
_wcslen.LIBCMT ref: 001D0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001D0A54
_wcslen.LIBCMT ref: 001D0A8A
_wcslen.LIBCMT ref: 001D0B06
_wcslen.LIBCMT ref: 001D0B81

Part of subcall function 0015F9F2: _wcslen.LIBCMT ref: 0015F9FD

Part of subcall function 001A2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001A2BFA

Strings

EXISTS, xrefs: 001D0B7C, 001D0B97
UNCHECK, xrefs: 001D0D3E
GETTOTALCOUNT, xrefs: 001D09F2, 001D0A17
GETITEMCOUNT, xrefs: 001D0C1E
SELECT, xrefs: 001D0D11
COLLAPSE, xrefs: 001D0B01, 001D0B1C
EXPAND, xrefs: 001D0BF8
@U=u, xrefs: 001D0A54
ISCHECKED, xrefs: 001D0CE1
GETSELECTED, xrefs: 001D0C4E
CHECK, xrefs: 001D0A85, 001D0AA0
GETTEXT, xrefs: 001D0C97

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-383632319
Opcode ID: b652f3fe417f09f484b25c9906d7951f962cba3f0b76a3061466460dd2eec9b4
Instruction ID: f613344b22f84bbe827fb7213f0ab866ce8cd8c9cb5b817583b41635d6ab27ee
Opcode Fuzzy Hash: b652f3fe417f09f484b25c9906d7951f962cba3f0b76a3061466460dd2eec9b4
Instruction Fuzzy Hash: 91E1D1356087118FC715DF24C450A2AB7E2FFA8318F15895EF89A9B3A2D731ED45CB81

Function 001A0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001A10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001A1114
Part of subcall function 001A10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,001A0B9B,?,?,?), ref: 001A1120
Part of subcall function 001A10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001A0B9B,?,?,?), ref: 001A112F
Part of subcall function 001A10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001A0B9B,?,?,?), ref: 001A1136
Part of subcall function 001A10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001A114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001A0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001A0E29
GetLengthSid.ADVAPI32(?), ref: 001A0E40
GetAce.ADVAPI32(?,00000000,?), ref: 001A0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001A0E96
GetLengthSid.ADVAPI32(?), ref: 001A0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 001A0EB5
HeapAlloc.KERNEL32(00000000), ref: 001A0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 001A0EDD
CopySid.ADVAPI32(00000000), ref: 001A0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001A0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001A0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 001A0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001A0F6E
HeapFree.KERNEL32(00000000), ref: 001A0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001A0F7E
HeapFree.KERNEL32(00000000), ref: 001A0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001A0F8E
HeapFree.KERNEL32(00000000), ref: 001A0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 001A0FA1
HeapFree.KERNEL32(00000000), ref: 001A0FA8

Part of subcall function 001A1193: GetProcessHeap.KERNEL32(00000008,001A0BB1,?,00000000,?,001A0BB1,?), ref: 001A11A1
Part of subcall function 001A1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,001A0BB1,?), ref: 001A11A8
Part of subcall function 001A1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,001A0BB1,?), ref: 001A11B7

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 4e23ed59ee41935c5299450197e0a53c34ecfb0a5e53925c70f76261c7bef697
Instruction ID: a35b4354d1f988e0f65a25b07db7eefe89f66d8225e7ba28a22c3c5125e1938c
Opcode Fuzzy Hash: 4e23ed59ee41935c5299450197e0a53c34ecfb0a5e53925c70f76261c7bef697
Instruction Fuzzy Hash: F2716D7690121AEFDF219FA4DC44FAEBBB8BF09301F044516F919F6191D731A945CBA0

Function 001D833C Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001D835A
_wcslen.LIBCMT ref: 001D836E
_wcslen.LIBCMT ref: 001D8391
_wcslen.LIBCMT ref: 001D83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 001D83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,001D361A,?), ref: 001D844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001D8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 001D84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001D8501
FreeLibrary.KERNEL32(?), ref: 001D850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 001D851D
DestroyIcon.USER32(?), ref: 001D852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 001D8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 001D8555

Strings

.dll, xrefs: 001D83AB
.icl, xrefs: 001D8368
.exe, xrefs: 001D8388
@U=u, xrefs: 001D8535

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl$@U=u
API String ID: 799131459-1639919054
Opcode ID: f08f93fc3e1db0d7b9d6928fe5a64c83686e5c2997f0a47af324e95661c58a30
Instruction ID: a858ec16edd9dd68c5a42c43e5d8864fd08d786f7d3768068ded747882375cf6
Opcode Fuzzy Hash: f08f93fc3e1db0d7b9d6928fe5a64c83686e5c2997f0a47af324e95661c58a30
Instruction Fuzzy Hash: 9761D071940216BBEB14DF64DC81BBF77A8FB18B11F10460AF915DA2D1DB74A990CBA0

Function 001CC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001CC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,001DCC08,00000000,?,00000000,?,?), ref: 001CC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 001CC5A4
_wcslen.LIBCMT ref: 001CC5F4
_wcslen.LIBCMT ref: 001CC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 001CC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 001CC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 001CC84D
RegCloseKey.ADVAPI32(?), ref: 001CC881
RegCloseKey.ADVAPI32(00000000), ref: 001CC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 001CC960

Strings

REG_DWORD, xrefs: 001CC804
REG_MULTI_SZ, xrefs: 001CC6F5
REG_BINARY, xrefs: 001CC913
REG_EXPAND_SZ, xrefs: 001CC5CD
REG_QWORD, xrefs: 001CC8C3
REG_SZ, xrefs: 001CC644

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: dd113014fb9b425f77fbdd0258d26ebf5bbdae600b154682ec4ac650273e5352
Instruction ID: 84717f4f3d07245db59c44a7dd2da2215eff397ce42af090db74f39d8aa9de88
Opcode Fuzzy Hash: dd113014fb9b425f77fbdd0258d26ebf5bbdae600b154682ec4ac650273e5352
Instruction Fuzzy Hash: AD1255756042119FDB14DF28C891F2AB7E5EF98714F05889DF88A9B3A2DB31ED41CB81

Function 001CC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,001CB6AE,?,?), ref: 001CC9B5
_wcslen.LIBCMT ref: 001CC9F1
_wcslen.LIBCMT ref: 001CCA68
_wcslen.LIBCMT ref: 001CCA9E
_wcslen.LIBCMT ref: 001CCAF9
_wcslen.LIBCMT ref: 001CCB2F
_wcslen.LIBCMT ref: 001CCB7F

Strings

HKEY_CURRENT_CONFIG, xrefs: 001CCB79, 001CCB7E
HKCU, xrefs: 001CCBCE
HKLM, xrefs: 001CCA98, 001CCA9D
HKEY_USERS, xrefs: 001CCBDF
HKEY_CURRENT_USER, xrefs: 001CCBBD
HKCR, xrefs: 001CCB29, 001CCB2E
HKCC, xrefs: 001CCBAC
HKU, xrefs: 001CCBF0
HKEY_CLASSES_ROOT, xrefs: 001CCAF3, 001CCAF8
HKEY_LOCAL_MACHINE, xrefs: 001CCA62, 001CCA67

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: ea6126b42ff92a778d90d226aba8ce6b7e9d849aaeb82f0ac723f0f18fe44f6f
Instruction ID: cef471f96e38b848c485dfc7e59b594388e815fb111ae15e7194639a8cf588b9
Opcode Fuzzy Hash: ea6126b42ff92a778d90d226aba8ce6b7e9d849aaeb82f0ac723f0f18fe44f6f
Instruction Fuzzy Hash: 5B71D232A1052A8BCB20DEBC8941BBA3391ABB4794B15052CF86A9B295F731DD55C3E0

Function 00147778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#cs, xrefs: 00147873, 001478C5
#ce, xrefs: 001478ED
", xrefs: 00185153
', xrefs: 00185169
#OnAutoItStartRegister, xrefs: 00147817
#notrayicon, xrefs: 001477E7
#comments-end, xrefs: 001478D9
Unterminated group of comments, xrefs: 0018528C
#include-once, xrefs: 0014782F
#include, xrefs: 00147847
#pragma compile, xrefs: 001477D3
#comments-start, xrefs: 0014785F, 001478B1
Cannot parse #include, xrefs: 00185279
#requireadmin, xrefs: 001477FF
Bad directive syntax error, xrefs: 0018519A

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 0a3c1fd8a6f95f5a4403ca65c6a95d989b7a020fcba37635e60bdfae9f5e2b11
Instruction ID: 30d857d930ef8672c757438995aa2fa9c6d368e7f858e7ac3a2e5b4cc2ba5421
Opcode Fuzzy Hash: 0a3c1fd8a6f95f5a4403ca65c6a95d989b7a020fcba37635e60bdfae9f5e2b11
Instruction Fuzzy Hash: F2812B71A44205BBDB20BF60DC46FAF37A9EF25300F054025F905AB1E6EB71DA26CB91

Function 001D856F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 001D8592
GetFileSize.KERNEL32(00000000,00000000), ref: 001D85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 001D85AD
CloseHandle.KERNEL32(00000000), ref: 001D85BA
GlobalLock.KERNEL32(00000000), ref: 001D85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 001D85D7
GlobalUnlock.KERNEL32(00000000), ref: 001D85E0
CloseHandle.KERNEL32(00000000), ref: 001D85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 001D85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,001DFC38,?), ref: 001D8611
GlobalFree.KERNEL32(00000000), ref: 001D8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 001D8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 001D8671
DeleteObject.GDI32(00000000), ref: 001D8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 001D86AF

Strings

@U=u, xrefs: 001D86AF

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID: @U=u
API String ID: 3840717409-2594219639
Opcode ID: 080598317d0fcfb8a3202022fa3a954ea1405efb9724e3d3e4b25533c00f6317
Instruction ID: f09034faf4d2a7d03eeca9e609346f2c0cdb198d0126c658757514b192e55805
Opcode Fuzzy Hash: 080598317d0fcfb8a3202022fa3a954ea1405efb9724e3d3e4b25533c00f6317
Instruction Fuzzy Hash: 5B412875602209AFDB119FA5DC48EAE7BBCFF89B11F10855AF909E7260DB309941CB60

Function 001A30F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001A318D
_wcslen.LIBCMT ref: 001A31F8

Strings

NAME, xrefs: 001A3335, 001A3346
REGEXPCLASS, xrefs: 001A3255, 001A3266
TEXT, xrefs: 001A347C
INSTANCE, xrefs: 001A3453
CLASSNN, xrefs: 001A31F3, 001A3204
CLASS, xrefs: 001A3188, 001A31A5
[ , xrefs: 001A339A

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[
API String ID: 176396367-3679483830
Opcode ID: 32d383bcbd9958ed5d078f9e9fd22b6eb3d2e86b252542d7f13d5dde0dbf07e7
Instruction ID: 327637a4215d92fa7b6c8b1ea2cbd0bbeff46afa2e9dd221637401f4966c227e
Opcode Fuzzy Hash: 32d383bcbd9958ed5d078f9e9fd22b6eb3d2e86b252542d7f13d5dde0dbf07e7
Instruction Fuzzy Hash: 5DE1F736A006269BCB18DF78C8517EEFBB0BF16714F55811AF466E7240DB30AE85C790

Function 001D911E Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00159BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00159BB2

DragQueryPoint.SHELL32(?,?), ref: 001D9147

Part of subcall function 001D7674: ClientToScreen.USER32(?,?), ref: 001D769A
Part of subcall function 001D7674: GetWindowRect.USER32(?,?), ref: 001D7710
Part of subcall function 001D7674: PtInRect.USER32(?,?,001D8B89), ref: 001D7720

SendMessageW.USER32(?,000000B0,?,?), ref: 001D91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001D91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001D91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 001D9225
SendMessageW.USER32(?,000000B0,?,?), ref: 001D923E
SendMessageW.USER32(?,000000B1,?,?), ref: 001D9255
SendMessageW.USER32(?,000000B1,?,?), ref: 001D9277
DragFinish.SHELL32(?), ref: 001D927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 001D9371

Strings

p#!, xrefs: 001D92BB
@GUI_DRAGID, xrefs: 001D92E9
@U=u, xrefs: 001D91B0, 001D9225, 001D923E, 001D9255, 001D9277
@GUI_DRAGFILE, xrefs: 001D9320
@GUI_DROPID, xrefs: 001D929E

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u$p#!
API String ID: 221274066-3069434366
Opcode ID: 8ff33cdf07a1e447a448d74c4cb7b41311329d3a0241fd71ee8944323dd9a850
Instruction ID: 6da27d9835edb9261ba6dda3ab6c1bc74119e8cfba8fadb0c683ca8f09b78ebc
Opcode Fuzzy Hash: 8ff33cdf07a1e447a448d74c4cb7b41311329d3a0241fd71ee8944323dd9a850
Instruction Fuzzy Hash: 88618B71109301AFD701DF64DC89DAFBBE8EF99350F000A1EF595932A1DB309A49CB92

Function 001600C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 001600C6

Part of subcall function 001600ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0021070C,00000FA0,B6AF2B46,?,?,?,?,001823B3,000000FF), ref: 0016011C
Part of subcall function 001600ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,001823B3,000000FF), ref: 00160127
Part of subcall function 001600ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,001823B3,000000FF), ref: 00160138
Part of subcall function 001600ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0016014E
Part of subcall function 001600ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0016015C
Part of subcall function 001600ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0016016A
Part of subcall function 001600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00160195
Part of subcall function 001600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001601A0

___scrt_fastfail.LIBCMT ref: 001600E7

Part of subcall function 001600A3: __onexit.LIBCMT ref: 001600A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00160122
kernel32.dll, xrefs: 00160133
WakeAllConditionVariable, xrefs: 00160162
SleepConditionVariableCS, xrefs: 00160154
InitializeConditionVariable, xrefs: 00160148

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 2a9b3643a1705994e77e1d7de1fe7cdd23eb6782a8d0cc54157550bf91359f43
Instruction ID: cbcb60a25bef8deb9bb7b75d2abe73185336758b33e3f9efdad3e4200d7c6d19
Opcode Fuzzy Hash: 2a9b3643a1705994e77e1d7de1fe7cdd23eb6782a8d0cc54157550bf91359f43
Instruction Fuzzy Hash: 15212932642711ABD7126BA4AC4AB6B73D5EB1EB51F10052BFC02D67D1DFB09C81CA90

Function 001B44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,001DCC08), ref: 001B4527
_wcslen.LIBCMT ref: 001B453B
_wcslen.LIBCMT ref: 001B4599
_wcslen.LIBCMT ref: 001B45F4
_wcslen.LIBCMT ref: 001B463F
_wcslen.LIBCMT ref: 001B46A7

Part of subcall function 0015F9F2: _wcslen.LIBCMT ref: 0015F9FD

GetDriveTypeW.KERNEL32(?,00206BF0,00000061), ref: 001B4743

Strings

all, xrefs: 001B4531, 001B4536
removable, xrefs: 001B45EA, 001B45EF
fixed, xrefs: 001B4635, 001B463A
ramdisk, xrefs: 001B46F1
cdrom, xrefs: 001B458F, 001B4594
unknown, xrefs: 001B4708
network, xrefs: 001B469D, 001B46A2

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: a022e23234ca4ff083ba09968232bfa90f6ff14ea4cf86a9ddb3ac9cba118539
Instruction ID: 1a9f9f85fb66672a8ad508265bd9432e0dbee7c5e48823c4ec52127ff3121878
Opcode Fuzzy Hash: a022e23234ca4ff083ba09968232bfa90f6ff14ea4cf86a9ddb3ac9cba118539
Instruction Fuzzy Hash: 5DB1F5716083129FC724DF28C890ABEB7E5BFA9764F50891DF496C7292DB30D845CB92

Function 001D6CD9 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 001D6DEB

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 001D6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 001D6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001D6E94
DestroyWindow.USER32(?), ref: 001D6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00140000,00000000), ref: 001D6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001D6EFD
GetDesktopWindow.USER32 ref: 001D6F16
GetWindowRect.USER32(00000000), ref: 001D6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001D6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 001D6F4D

Part of subcall function 00159944: GetWindowLongW.USER32(?,000000EB), ref: 00159952

Strings

0, xrefs: 001D6D98
tooltips_class32, xrefs: 001D6E58, 001D6EDD
@U=u, xrefs: 001D6E81, 001D6E94, 001D6EFD, 001D6F27

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$@U=u$tooltips_class32
API String ID: 2429346358-1130792468
Opcode ID: 7cf86ff6afdcad93a310a1d14f5f9b4f64709c5c688d0721b6a211624fd3b317
Instruction ID: c4056e2e89083219cd6e0184e321d4d41d12258bba41c7a706dab22b85c6f4b1
Opcode Fuzzy Hash: 7cf86ff6afdcad93a310a1d14f5f9b4f64709c5c688d0721b6a211624fd3b317
Instruction Fuzzy Hash: 68716674104245AFDB21CF18DC58EAABBF9FB99304F04491EF99987361CB70E946CB52

Function 001CAFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001CB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001CB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001CB1D4
_wcslen.LIBCMT ref: 001CB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001CB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001CB236
_wcslen.LIBCMT ref: 001CB332

Part of subcall function 001B05A7: GetStdHandle.KERNEL32(000000F6), ref: 001B05C6

_wcslen.LIBCMT ref: 001CB34B
_wcslen.LIBCMT ref: 001CB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001CB3B6
GetLastError.KERNEL32(00000000), ref: 001CB407
CloseHandle.KERNEL32(?), ref: 001CB439
CloseHandle.KERNEL32(00000000), ref: 001CB44A
CloseHandle.KERNEL32(00000000), ref: 001CB45C
CloseHandle.KERNEL32(00000000), ref: 001CB46E
CloseHandle.KERNEL32(?), ref: 001CB4E3

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 542a4094442cee13826d73596fda6ffd5bd6bd8ea7033acb9dce02e2a11587e2
Instruction ID: c45250d5be4f05b8bb22d0bc195ca18d51145d7a9950b1d6026a047552e87b21
Opcode Fuzzy Hash: 542a4094442cee13826d73596fda6ffd5bd6bd8ea7033acb9dce02e2a11587e2
Instruction Fuzzy Hash: 50F17B315083409FD714EF24C892B6EBBE5BFA5314F14895DF8999B2A2CB31EC45CB92

Function 0014326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00211990), ref: 00182F8D
GetMenuItemCount.USER32(00211990), ref: 0018303D
GetCursorPos.USER32(?), ref: 00183081
SetForegroundWindow.USER32(00000000), ref: 0018308A
TrackPopupMenuEx.USER32(00211990,00000000,?,00000000,00000000,00000000), ref: 0018309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001830A9

Strings

0, xrefs: 0014327D

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 19fe32cbb218a5e7cd7739efecbaf07e79d973c1a65ef0e4978842710784cb66
Instruction ID: 9cc4581a028c204addc0e70f13d90bf1e6006de79551446c802528c9d4f46c2f
Opcode Fuzzy Hash: 19fe32cbb218a5e7cd7739efecbaf07e79d973c1a65ef0e4978842710784cb66
Instruction Fuzzy Hash: AB715D30645206BFEB259F64DC89F9ABF64FF05324F204206F624661E0C7B1AE50DF90

Function 001BC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001BC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001BC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001BC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 001BC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 001BC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 001BC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001BC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001BC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001BC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001BC5F0
InternetCloseHandle.WININET(00000000), ref: 001BC5FB

Strings

, xrefs: 001BC575

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: d351975b83d6fdc127ac14acda7ac9da6f8a4ec101694e6de40420fbf48e2cfe
Instruction ID: 0b19835dacb7654b6126d76cfa7bb287fb2686729b2a35ab70817f83faaf63fa
Opcode Fuzzy Hash: d351975b83d6fdc127ac14acda7ac9da6f8a4ec101694e6de40420fbf48e2cfe
Instruction Fuzzy Hash: 33513BB1601609BFDB219FA5C988AEB7BBCFF08754F00441AF945D6650DB34EA44DBE0

Function 001B14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 001B1502
VariantCopy.OLEAUT32(?,?), ref: 001B150B
VariantClear.OLEAUT32(?), ref: 001B1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001B15FB
VarR8FromDec.OLEAUT32(?,?), ref: 001B1657
VariantInit.OLEAUT32(?), ref: 001B1708
SysFreeString.OLEAUT32(?), ref: 001B178C
VariantClear.OLEAUT32(?), ref: 001B17D8
VariantClear.OLEAUT32(?), ref: 001B17E7
VariantInit.OLEAUT32(00000000), ref: 001B1823

Strings

Default, xrefs: 001B16AF
%4d%02d%02d%02d%02d%02d, xrefs: 001B1625

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 17ab7d348a248885a94b51f69d736cc7b6ee352a97376b9db52e0a11c56ddb59
Instruction ID: 68bca7cc80ced9700bdff747a8c219ee6b2508515bf7d0b4f679b34992a00d6c
Opcode Fuzzy Hash: 17ab7d348a248885a94b51f69d736cc7b6ee352a97376b9db52e0a11c56ddb59
Instruction Fuzzy Hash: 62D13432A00115FBCB249F64E8A4BBDB7B5BF46700F92855AF807AB190DB30DC45DBA1

Function 001CB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

Part of subcall function 001CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001CB6AE,?,?), ref: 001CC9B5
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CC9F1
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CCA68
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001CB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001CB772
RegDeleteValueW.ADVAPI32(?,?), ref: 001CB80A
RegCloseKey.ADVAPI32(?), ref: 001CB87E
RegCloseKey.ADVAPI32(?), ref: 001CB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 001CB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001CB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 001CB922
FreeLibrary.KERNEL32(00000000), ref: 001CB983
RegCloseKey.ADVAPI32(00000000), ref: 001CB994

Strings

advapi32.dll, xrefs: 001CB8ED
RegDeleteKeyExW, xrefs: 001CB8FE

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: f00e429b0b2e8e6ce33bb7ac74b764677605d8d4837d5c16527c1764cce74471
Instruction ID: 8fe7c3fbcfe01bb175dfa5f10e61d8d01453aec19142123bc0919ef08619ef2d
Opcode Fuzzy Hash: f00e429b0b2e8e6ce33bb7ac74b764677605d8d4837d5c16527c1764cce74471
Instruction Fuzzy Hash: 4AC18B74209242AFD714DF24C4D6F2ABBE5BF94308F14855CF49A8B6A2CB35EC45CB92

Function 001D541D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 001D5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001D5515
CharNextW.USER32(00000158), ref: 001D5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 001D5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 001D559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001D55AC

Strings

@U=u, xrefs: 001D5504, 001D5515, 001D554A, 001D55C9, 001D562B, 001D5816

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend$CharNext
String ID: @U=u
API String ID: 1350042424-2594219639
Opcode ID: f1f8ac76efc12b8795485de61f21b56b0fa2cda16348cb2f328909bcf6602aee
Instruction ID: 94507905809a10cad940bf8c064fcb1596de7a94156ce33a1476f7ef96d7130a
Opcode Fuzzy Hash: f1f8ac76efc12b8795485de61f21b56b0fa2cda16348cb2f328909bcf6602aee
Instruction Fuzzy Hash: 9F618D30901609EBDF149F54DC84EFE7BBAEB09764F10854BF925A6390D7748A80DBA1

Function 001C255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001C25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001C25E8
CreateCompatibleDC.GDI32(?), ref: 001C25F4
SelectObject.GDI32(00000000,?), ref: 001C2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 001C266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 001C26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 001C26D0
SelectObject.GDI32(?,?), ref: 001C26D8
DeleteObject.GDI32(?), ref: 001C26E1
DeleteDC.GDI32(?), ref: 001C26E8
ReleaseDC.USER32(00000000,?), ref: 001C26F3

Strings

(, xrefs: 001C268D

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: eb8280496ebed931df5fe38381a4395e7e294eda81ee6fc254244a9da48371dd
Instruction ID: f13369aef1000663faad6eb001887ca5169d2309c974f12f2472f2ca0242da36
Opcode Fuzzy Hash: eb8280496ebed931df5fe38381a4395e7e294eda81ee6fc254244a9da48371dd
Instruction Fuzzy Hash: AE61F5B5D0121AEFCF04CFA4D885EAEBBB6FF58310F20851AE955A7250D770A941CFA0

Function 001AE6B0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 001AE6B4

Part of subcall function 0015E551: timeGetTime.WINMM(?,?,001AE6D4), ref: 0015E555

Sleep.KERNEL32(0000000A), ref: 001AE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 001AE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 001AE727
SetActiveWindow.USER32 ref: 001AE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 001AE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 001AE773
Sleep.KERNEL32(000000FA), ref: 001AE77E
IsWindow.USER32 ref: 001AE78A
EndDialog.USER32(00000000), ref: 001AE79B

Strings

BUTTON, xrefs: 001AE719
@U=u, xrefs: 001AE754, 001AE773

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: @U=u$BUTTON
API String ID: 1194449130-2582809321
Opcode ID: b1a64ba9812b3706cd0d254baf8531534466f5632b3eb4c095ad2ee516e94760
Instruction ID: 4f33a7f7e355f7da48044469011f4a819e4941f64c094b077b30ea0de6a3ca1e
Opcode Fuzzy Hash: b1a64ba9812b3706cd0d254baf8531534466f5632b3eb4c095ad2ee516e94760
Instruction Fuzzy Hash: FE21A478301255EFEB005FA0FC8DB653BADF7A6348F004826F915825E1DF71AC64CAA4

Function 0017DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0017DAA1

Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D659
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D66B
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D67D
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D68F
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D6A1
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D6B3
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D6C5
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D6D7
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D6E9
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D6FB
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D70D
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D71F
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D731

_free.LIBCMT ref: 0017DA96

Part of subcall function 001729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000), ref: 001729DE
Part of subcall function 001729C8: GetLastError.KERNEL32(00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000,00000000), ref: 001729F0

_free.LIBCMT ref: 0017DAB8
_free.LIBCMT ref: 0017DACD
_free.LIBCMT ref: 0017DAD8
_free.LIBCMT ref: 0017DAFA
_free.LIBCMT ref: 0017DB0D
_free.LIBCMT ref: 0017DB1B
_free.LIBCMT ref: 0017DB26
_free.LIBCMT ref: 0017DB5E
_free.LIBCMT ref: 0017DB65
_free.LIBCMT ref: 0017DB82
_free.LIBCMT ref: 0017DB9A

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 98f2aa1a43219c7336b0de4df0921821873494bf3b3b19de7ca5c6d449403593
Instruction ID: 7b9efbe9b04109fc280035a91de74810e8c9aba553ea0c598b984e48c38ca2a8
Opcode Fuzzy Hash: 98f2aa1a43219c7336b0de4df0921821873494bf3b3b19de7ca5c6d449403593
Instruction Fuzzy Hash: 9B3149316443099FEB22AA39E845B5AB7F9FF21314F19C829E54DD7192DF31AC818B20

Function 001A365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 001A369C
_wcslen.LIBCMT ref: 001A36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 001A3797
GetClassNameW.USER32(?,?,00000400), ref: 001A380C
GetDlgCtrlID.USER32(?), ref: 001A385D
GetWindowRect.USER32(?,?), ref: 001A3882
GetParent.USER32(?), ref: 001A38A0
ScreenToClient.USER32(00000000), ref: 001A38A7
GetClassNameW.USER32(?,?,00000100), ref: 001A3921
GetWindowTextW.USER32(?,?,00000400), ref: 001A395D

Strings

%s%u, xrefs: 001A3734

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 6fc90643cc5b1c3de4783812deb9b86b0c4966a9a3a70b57ad5137f6140622be
Instruction ID: e9b5639df3517ff68d589fe50cddbaa4ecdd23c3471967bf91d4ab22bd805e97
Opcode Fuzzy Hash: 6fc90643cc5b1c3de4783812deb9b86b0c4966a9a3a70b57ad5137f6140622be
Instruction Fuzzy Hash: 1091E175204606AFDB08DF24C885BEBF7A8FF45354F008629F9A9C2190DB34EA56CBD1

Function 001A4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 001A4994
GetWindowTextW.USER32(?,?,00000400), ref: 001A49DA
_wcslen.LIBCMT ref: 001A49EB
CharUpperBuffW.USER32(?,00000000), ref: 001A49F7
_wcsstr.LIBVCRUNTIME ref: 001A4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 001A4A64
GetWindowTextW.USER32(?,?,00000400), ref: 001A4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 001A4AE6
GetClassNameW.USER32(?,?,00000400), ref: 001A4B20
GetWindowRect.USER32(?,?), ref: 001A4B8B

Strings

ThumbnailClass, xrefs: 001A4A6F, 001A4AF1

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 43dec076622db6628a2a7c78ac62284ae24e2e8b119c4ad69e9af11b939757fa
Instruction ID: 58322c7d11103d0711d77a880469cfcd63b3d6cfec0694e83462098b75d76033
Opcode Fuzzy Hash: 43dec076622db6628a2a7c78ac62284ae24e2e8b119c4ad69e9af11b939757fa
Instruction Fuzzy Hash: DF91DF750052069FDB04CF14C981BABB7E8FFD6314F04846AFD8A9A196DBB0ED45CBA1

Function 001D8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00159BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00159BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001D8D5A
GetFocus.USER32 ref: 001D8D6A
GetDlgCtrlID.USER32(00000000), ref: 001D8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 001D8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 001D8ECF
GetMenuItemCount.USER32(?), ref: 001D8EEC
GetMenuItemID.USER32(?,00000000), ref: 001D8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 001D8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 001D8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001D8FA1

Strings

0, xrefs: 001D8E9F

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 83e96395b0364950c1bb837d7b0ccfc26bf86195019586d2bc8b3d303d907dea
Instruction ID: 23463da81f8931dc156315b0871799ccfa40e1521e78107108bcea3af31f9c0a
Opcode Fuzzy Hash: 83e96395b0364950c1bb837d7b0ccfc26bf86195019586d2bc8b3d303d907dea
Instruction Fuzzy Hash: E381BF715093019FDB10CF28D884AABBBE9FB98714F040A1EF99497391DB30D941CFA1

Function 001CCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001CCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 001CCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001CCD48

Part of subcall function 001CCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001CCCAA
Part of subcall function 001CCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 001CCCBD
Part of subcall function 001CCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001CCCCF
Part of subcall function 001CCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001CCD05
Part of subcall function 001CCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001CCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 001CCCF3

Strings

advapi32.dll, xrefs: 001CCCB8
RegDeleteKeyExW, xrefs: 001CCCC9

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: b5434ceec3ffda0fda00843b06c15c43b9c7fcce23f2e1348d1a3b013f976004
Instruction ID: f54b1251e240d253922d8936e4a9663c01c57f7f7837a23feadc0fb6efce0591
Opcode Fuzzy Hash: b5434ceec3ffda0fda00843b06c15c43b9c7fcce23f2e1348d1a3b013f976004
Instruction Fuzzy Hash: 3E31617590212ABBDB208B94DC88EFFBB7CEF65750F004569F90AE2141DB349E45DAE0

Function 001AE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 001AEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 001AEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001AEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 001AEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 001AEAA7

Strings

open , xrefs: 001AEA0C
alias PlayMe, xrefs: 001AEA36
play PlayMe, xrefs: 001AEAA2
status PlayMe mode, xrefs: 001AEA58
close PlayMe, xrefs: 001AEA6E, 001AEA9B
play PlayMe wait, xrefs: 001AEA91

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 3cfc1402a9ca6d8a5fd2265dc955409625b8254b4779764164e84345c106f2be
Instruction ID: 8df496c8acaaddacd70d1ccb8936bb54f4af020428ca478795741307a43038ec
Opcode Fuzzy Hash: 3cfc1402a9ca6d8a5fd2265dc955409625b8254b4779764164e84345c106f2be
Instruction Fuzzy Hash: 22112135AA025D79E720A7A5DC4EEFF7ABCEBD2B00F440429B411A34E2EB705965C5B0

Function 00158BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00158F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00158BE8,?,00000000,?,?,?,?,00158BBA,00000000,?), ref: 00158FC5

DestroyWindow.USER32(?), ref: 00158C81
KillTimer.USER32(00000000,?,?,?,?,00158BBA,00000000,?), ref: 00158D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00196973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00158BBA,00000000,?), ref: 001969A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00158BBA,00000000,?), ref: 001969B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00158BBA,00000000), ref: 001969D4
DeleteObject.GDI32(00000000), ref: 001969E6

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: caf89d8f828f09cb4edccfe23153a4b52adc84bcf7b75ccc494dcd1a843e0653
Instruction ID: 9fc043a26e53c1f9d9860fa48f2a7d0a201ee63438a0de849424868d4363e315
Opcode Fuzzy Hash: caf89d8f828f09cb4edccfe23153a4b52adc84bcf7b75ccc494dcd1a843e0653
Instruction Fuzzy Hash: A2619D30502701DFDF259F14D948BAAB7F1FB50316F148919E562AB960CB71AC94DFA0

Function 00159838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00159944: GetWindowLongW.USER32(?,000000EB), ref: 00159952

GetSysColor.USER32(0000000F), ref: 00159862

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 9b270f76f2299aa5234ed61c8736848aacd94a2575cf019b7cf0f37853e44fa9
Instruction ID: 3145128e06a9d2ac0a68cf7ed8a975e4afd45bd846a93fe9bf63b702860608cf
Opcode Fuzzy Hash: 9b270f76f2299aa5234ed61c8736848aacd94a2575cf019b7cf0f37853e44fa9
Instruction Fuzzy Hash: 1441AF31105654EFDF205F38DC88BB93BA5AB06332F154A06F9B28F2E1D7319885DB52

Function 001D50D4 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 001D5186
ShowWindow.USER32(?,00000000), ref: 001D51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 001D51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 001D51D1

Part of subcall function 001D6FBA: DeleteObject.GDI32(00000000), ref: 001D6FE6

GetWindowLongW.USER32(?,000000F0), ref: 001D520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001D521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 001D524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 001D5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 001D5296

Strings

@U=u, xrefs: 001D5186

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID: @U=u
API String ID: 3210457359-2594219639
Opcode ID: e1366c15eeb5148a457c29fbab1bd895bf053c457595429a8e50497b492eacf8
Instruction ID: 891788b835e39e2215b7e5cc7ce40f863e150b41c662a13304e40385741cf9ab
Opcode Fuzzy Hash: e1366c15eeb5148a457c29fbab1bd895bf053c457595429a8e50497b492eacf8
Instruction Fuzzy Hash: 3951BE30A41A09FEEF249F24CC4ABD93B73EB15365F148113FA259A3E0C775A998DB41

Function 00158B06 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00196890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 001968A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001968B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 001968D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001968F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00158874,00000000,00000000,00000000,000000FF,00000000), ref: 00196901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0019691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00158874,00000000,00000000,00000000,000000FF,00000000), ref: 0019692D

Strings

@U=u, xrefs: 001968F2, 0019691E

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID: @U=u
API String ID: 1268354404-2594219639
Opcode ID: 0d10eceb5c8b6a4178d652f233462258c4708926706952b171f5f87478e77773
Instruction ID: fbc9b85f2b77a9ff98548e79db188d6cb32df6ba816921c6cffb70acd8c17047
Opcode Fuzzy Hash: 0d10eceb5c8b6a4178d652f233462258c4708926706952b171f5f87478e77773
Instruction Fuzzy Hash: 86519870600309EFDF24CF24CC55FAA7BB9EB58761F104519F962AB2A0DB70E990DB50

Function 001D8B02 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00159BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00159BB2

Part of subcall function 0015912D: GetCursorPos.USER32(?), ref: 00159141
Part of subcall function 0015912D: ScreenToClient.USER32(00000000,?), ref: 0015915E
Part of subcall function 0015912D: GetAsyncKeyState.USER32(00000001), ref: 00159183
Part of subcall function 0015912D: GetAsyncKeyState.USER32(00000002), ref: 0015919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 001D8B6B
ImageList_EndDrag.COMCTL32 ref: 001D8B71
ReleaseCapture.USER32 ref: 001D8B77
SetWindowTextW.USER32(?,00000000), ref: 001D8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 001D8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 001D8CFF

Strings

@U=u, xrefs: 001D8C25
@GUI_DRAGFILE, xrefs: 001D8C9A
@GUI_DROPID, xrefs: 001D8C51
p#!, xrefs: 001D8C71

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u$p#!
API String ID: 1924731296-2024131959
Opcode ID: 2cabaf76706698434e4184e9c443c882c6b1dcb8c663ca6d0355124a0e11d88d
Instruction ID: 2fd38cefc762e5a6e1cde0adf8f8417b016110b6096cd2bafb43471713bbafc5
Opcode Fuzzy Hash: 2cabaf76706698434e4184e9c443c882c6b1dcb8c663ca6d0355124a0e11d88d
Instruction Fuzzy Hash: FF51AC70205300AFD704DF14DC9AFAA77E4FB98710F000A2EF966972E1DB70A954CBA2

Function 001A96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0018F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 001A9717
LoadStringW.USER32(00000000,?,0018F7F8,00000001), ref: 001A9720

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0018F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 001A9742
LoadStringW.USER32(00000000,?,0018F7F8,00000001), ref: 001A9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 001A9866

Strings

Line %d (File "%s"):, xrefs: 001A978F
Line %d:, xrefs: 001A97A0
%s (%d) : ==> %s: %s %s, xrefs: 001A984A
^ ERROR, xrefs: 001A97FB
Error: , xrefs: 001A981D

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 8579d8d00eecac72378e28ac5ab92c1957164cb9cb0c20c5c66d59b54838ddf7
Instruction ID: 3d48dfcb84665d631612fb0bc955c086909cef1d513bc9762e6d00c3146e313a
Opcode Fuzzy Hash: 8579d8d00eecac72378e28ac5ab92c1957164cb9cb0c20c5c66d59b54838ddf7
Instruction Fuzzy Hash: 51414E72800219AADF14EFE0DD86DEFB778AF26340F500065F605760A2EB356F59CBA1

Function 001A06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001A07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001A07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001A07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 001A0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 001A082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001A0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001A083C

Strings

\IPC$, xrefs: 001A0784
SOFTWARE\Classes\, xrefs: 001A070E
\CLSID, xrefs: 001A0724

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 86b084335eae5a86336d036e83b64053bb216fc7d336ebbe22043574795feff6
Instruction ID: 94e81a818098d30d9f7b850def59ecafadd2f0542a6f2f93212383c133d5452d
Opcode Fuzzy Hash: 86b084335eae5a86336d036e83b64053bb216fc7d336ebbe22043574795feff6
Instruction Fuzzy Hash: 4D410476C11229ABDF11EFA4DC958EEB778FF18350F45412AE901A31A1EB309E44CBA0

Function 001B7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001B7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 001B7B8F
SHGetDesktopFolder.SHELL32(?), ref: 001B7BA3
CoCreateInstance.OLE32(001DFD08,00000000,00000001,00206E6C,?), ref: 001B7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 001B7C74
CoTaskMemFree.OLE32(?,?), ref: 001B7CCC
SHBrowseForFolderW.SHELL32(?), ref: 001B7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 001B7D7A
CoTaskMemFree.OLE32(00000000), ref: 001B7D81
CoTaskMemFree.OLE32(00000000), ref: 001B7DD6
CoUninitialize.OLE32 ref: 001B7DDC

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 95af53046525620f7d9b7517353916db64f439dacae1730f85128dd4a9d548f5
Instruction ID: ffa5d0c71054c43b0bcd439decef4ef3c61823e6c73f53175a6699994c51014e
Opcode Fuzzy Hash: 95af53046525620f7d9b7517353916db64f439dacae1730f85128dd4a9d548f5
Instruction Fuzzy Hash: BCC11A75A05109AFCB14DFA4C894DAEBBF9FF48304B148499E81ADB7A1D730EE45CB90

Function 0019FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0019FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0019FB08
VariantInit.OLEAUT32(?), ref: 0019FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0019FB3A
VariantCopy.OLEAUT32(?,?), ref: 0019FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0019FBA1
VariantClear.OLEAUT32(?), ref: 0019FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0019FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0019FBCC
VariantClear.OLEAUT32(?), ref: 0019FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0019FBE9

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: ee83b951bf524f527d8543e1b5cce79d06e195eb55486dbc244082d109acd932
Instruction ID: 8a313359bdcd5e08dccf277eb87d808d14acfc80eba65176cfdb6a9e15ce03b8
Opcode Fuzzy Hash: ee83b951bf524f527d8543e1b5cce79d06e195eb55486dbc244082d109acd932
Instruction Fuzzy Hash: 55415F35A0121AEFCF04DF68C8549EEBBB9EF18344F008469E916E7661CB34A946CBD0

Function 001C055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001C05BC
inet_addr.WSOCK32(?), ref: 001C061C
gethostbyname.WSOCK32(?), ref: 001C0628
IcmpCreateFile.IPHLPAPI ref: 001C0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001C06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001C06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 001C07B9
WSACleanup.WSOCK32 ref: 001C07BF

Strings

Ping, xrefs: 001C0676

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 7f9a8e3d9b15529d9831da33f36427a0ffec7ac3e3fe9ebfb62735fd71f00a9d
Instruction ID: 3c68d58e774a66d93033247f8b87c5f5ce2f59de32947aae696fc1f3f9dceff3
Opcode Fuzzy Hash: 7f9a8e3d9b15529d9831da33f36427a0ffec7ac3e3fe9ebfb62735fd71f00a9d
Instruction Fuzzy Hash: 3E918C35609301DFD725CF15C889F1ABBE0AF58318F1589ADE4A98BAA2C730ED45CF81

Function 001C8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 001C8CF3

Part of subcall function 001A8E54: _wcslen.LIBCMT ref: 001A8E77

_wcslen.LIBCMT ref: 001C8D4E
_wcslen.LIBCMT ref: 001C8D9C
_wcslen.LIBCMT ref: 001C8DDC
_wcslen.LIBCMT ref: 001C8E6E

Strings

stdcall, xrefs: 001C8DD6, 001C8DDB
cdecl, xrefs: 001C8D48, 001C8D4D
winapi, xrefs: 001C8D96, 001C8D9B
none, xrefs: 001C8E65, 001C8E6A

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 39faa4d8c63ad9583ae6ca829e5ac1ed4f722eaa9d0a835c83d84dbd2710f8b3
Instruction ID: eaf1fbe081c803483e1e15260c6dc36add7bd0b98133a2308fe51aabc882376f
Opcode Fuzzy Hash: 39faa4d8c63ad9583ae6ca829e5ac1ed4f722eaa9d0a835c83d84dbd2710f8b3
Instruction Fuzzy Hash: 8F518F31A001169BCB14DFACC991ABEB7A6BF75724B21422DE826E72C5DB31DD40C790

Function 001C372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 001C3774
CoUninitialize.OLE32 ref: 001C377F
CoCreateInstance.OLE32(?,00000000,00000017,001DFB78,?), ref: 001C37D9
IIDFromString.OLE32(?,?), ref: 001C384C
VariantInit.OLEAUT32(?), ref: 001C38E4
VariantClear.OLEAUT32(?), ref: 001C3936

Strings

NULL Pointer assignment, xrefs: 001C381E
Invalid parameter, xrefs: 001C3865
Failed to create object, xrefs: 001C37E4, 001C389A

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: a10a1c6dacfbc288d9cbee7d884f1839ddf01871ccdb5c8def88725cf0141b97
Instruction ID: bf15afba8726334addbc7097291549a00c1b66dbe7a856ffedaed916f494ffbc
Opcode Fuzzy Hash: a10a1c6dacfbc288d9cbee7d884f1839ddf01871ccdb5c8def88725cf0141b97
Instruction Fuzzy Hash: 5661C370608301AFD711DF54C889F6ABBE4EF69714F00891DF9959B2A1D770EE48CB92

Function 001B3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001B33CF

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001B33F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 001B3504
^ ERROR , xrefs: 001B349E
Incorrect parameters to object property !, xrefs: 001B34AB
Line %d (File "%s"):, xrefs: 001B3443, 001B345C
"%s" (%d) : ==> %s:, xrefs: 001B3522
Error: , xrefs: 001B34D1

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: c3f5d74c55527c5833c9c6e8452037319ae2a211dec6a2492eebb5bcf6b7f4ae
Instruction ID: 62c575dc89f6ba4c62de2394e30dc384a4edf870030e7e2fc64da3955ac13335
Opcode Fuzzy Hash: c3f5d74c55527c5833c9c6e8452037319ae2a211dec6a2492eebb5bcf6b7f4ae
Instruction Fuzzy Hash: 6F51907290020AAADF15EBE0DD46EEEB778AF25340F104165F515720A2EB316FA8DB61

Function 001AB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001AB5FC
_wcslen.LIBCMT ref: 001AB608
_wcslen.LIBCMT ref: 001AB64D
_wcslen.LIBCMT ref: 001AB68C
_wcslen.LIBCMT ref: 001AB6C7

Strings

EXISTS, xrefs: 001AB686, 001AB68B
KEYS, xrefs: 001AB647, 001AB64C
APPEND, xrefs: 001AB6C1, 001AB6C6
REMOVE, xrefs: 001AB602, 001AB607

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: cae36faeb0112128c1b4e21a17ebeaaf5375141cf3a953a7c10d5723a8f2b109
Instruction ID: df4484db94f4cfb13c562dd48f70e79270ca9179c6cf0d0ee7c11439b9a26e74
Opcode Fuzzy Hash: cae36faeb0112128c1b4e21a17ebeaaf5375141cf3a953a7c10d5723a8f2b109
Instruction Fuzzy Hash: 88413936A081678BCB105F7DCCD05BEB7A1EF72754B254129E429DB282E731CC81C390

Function 001B5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001B53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 001B5416
GetLastError.KERNEL32 ref: 001B5420
SetErrorMode.KERNEL32(00000000,READY), ref: 001B54A7

Strings

READY, xrefs: 001B5460, 001B5468
NOTREADY, xrefs: 001B544B
READONLY, xrefs: 001B5452
UNKNOWN, xrefs: 001B5444
INVALID, xrefs: 001B5459

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 56f7f78bc32b1745e098f2668714aec8049089bae6413de437770e550fcc63e1
Instruction ID: 644d5c97d02463f932258ad0b71a709764fb002837ae146bdc53d1a6e7eda986
Opcode Fuzzy Hash: 56f7f78bc32b1745e098f2668714aec8049089bae6413de437770e550fcc63e1
Instruction Fuzzy Hash: 9B31A135A00605DFD714DF68C488BEABBB5EF55305F148065E405CF2A2EB71ED86CBA0

Function 001D2D03 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001D2D1B
GetDC.USER32(00000000), ref: 001D2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001D2D2E
ReleaseDC.USER32(00000000,00000000), ref: 001D2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 001D2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 001D2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,001D5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 001D2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 001D2DE1

Strings

@U=u, xrefs: 001D2D87, 001D2DE1

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID: @U=u
API String ID: 3864802216-2594219639
Opcode ID: 6ffb399079b4352ae0d7ba4c624829a2701e8db2bb8219eee24450a2a7bd5912
Instruction ID: 8d3825b4b0876f8611d3b2c97a73a09ca374b300fc53517c1e14e3a7d78c48a2
Opcode Fuzzy Hash: 6ffb399079b4352ae0d7ba4c624829a2701e8db2bb8219eee24450a2a7bd5912
Instruction Fuzzy Hash: 95318E76202614BFEB118F54CC8AFEB3FADEF19715F044056FE089A291D6759C90CBA4

Function 001A209F Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 001A20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 001A20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 001A214D

Strings

SHELLDLL_DefView, xrefs: 001A20CC
largeicons, xrefs: 001A20E1
@U=u, xrefs: 001A214D
smallicons, xrefs: 001A2115
details, xrefs: 001A20FB
list, xrefs: 001A212F

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-1428604138
Opcode ID: a9a34fb94e284435bc2e179a994ae9e97604f7d4bd95cad77888119ab81cc959
Instruction ID: 4fadaeb7ddad6fe93b3e58544bffd2585131c153934d40d5d1c0a493f870697e
Opcode Fuzzy Hash: a9a34fb94e284435bc2e179a994ae9e97604f7d4bd95cad77888119ab81cc959
Instruction Fuzzy Hash: E01106BE688717BAFB052228DC06DE7379CCF17328F204116FB05A50D6EF75A8625A54

Function 001D3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 001D3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 001D3AA0
GetWindowLongW.USER32(?,000000F0), ref: 001D3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001D3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 001D3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 001D3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 001D3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 001D3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 001D3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 001D3C13

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 5cb6f9cd3e54ac3624e50a11c91c4524dac2eeb85051e6e5a2aa85706ed33f4f
Instruction ID: 6ae1a3f6e54c0d606741af4f1d593ea292b855acd1c33621dcf672e7e5663d41
Opcode Fuzzy Hash: 5cb6f9cd3e54ac3624e50a11c91c4524dac2eeb85051e6e5a2aa85706ed33f4f
Instruction Fuzzy Hash: B0616A75A00208AFDB10DFA8CC85EEE77B8EB19700F10419AFA25A73A1D770AE55DB50

Function 001AB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001AB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,001AA1E1,?,00000001), ref: 001AB165
GetWindowThreadProcessId.USER32(00000000), ref: 001AB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001AA1E1,?,00000001), ref: 001AB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 001AB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,001AA1E1,?,00000001), ref: 001AB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001AA1E1,?,00000001), ref: 001AB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,001AA1E1,?,00000001), ref: 001AB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,001AA1E1,?,00000001), ref: 001AB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,001AA1E1,?,00000001), ref: 001AB21D

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 58e3a39b7b190f30e329a5eb36b4149c095a5d905695ce1131886384092b4eb6
Instruction ID: a96c6b48c28b80182fd067bc2ee49e04ee36b120e1647979c332d4a140264c4f
Opcode Fuzzy Hash: 58e3a39b7b190f30e329a5eb36b4149c095a5d905695ce1131886384092b4eb6
Instruction Fuzzy Hash: 1A31BF79505344BFDB10DF24FC88BAD7BAABB66351F118407FA00D6291DBB4AA40CF60

Function 00172C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00172C94

Part of subcall function 001729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000), ref: 001729DE
Part of subcall function 001729C8: GetLastError.KERNEL32(00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000,00000000), ref: 001729F0

_free.LIBCMT ref: 00172CA0
_free.LIBCMT ref: 00172CAB
_free.LIBCMT ref: 00172CB6
_free.LIBCMT ref: 00172CC1
_free.LIBCMT ref: 00172CCC
_free.LIBCMT ref: 00172CD7
_free.LIBCMT ref: 00172CE2
_free.LIBCMT ref: 00172CED
_free.LIBCMT ref: 00172CFB

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2baf68e42677bab7ec403361dcfab9c94e36466ff95845822e41e8aa746aaee6
Instruction ID: 5812c7a037441d541cf340bbb0ccae2e9635aaadb43f0c079ef29f593c2aad59
Opcode Fuzzy Hash: 2baf68e42677bab7ec403361dcfab9c94e36466ff95845822e41e8aa746aaee6
Instruction Fuzzy Hash: 3D11C376100118AFCB02EF64D882CDD7BB5FF19354F4584A4FA4C9B222DB31EA919B90

Function 00141410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00141459
OleUninitialize.OLE32(?,00000000), ref: 001414F8
UnregisterHotKey.USER32(?), ref: 001416DD
DestroyWindow.USER32(?), ref: 001824B9
FreeLibrary.KERNEL32(?), ref: 0018251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0018254B

Strings

close all, xrefs: 00141454

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 7e49a97e2828e55f09aca6a93046d95fc6e945cfae9eff24252d1613d3fabee6
Instruction ID: d1f67b834ec18a870cfdf7fd0dd9c75832527e6cf3f84fbaa3a2060cc3346bd4
Opcode Fuzzy Hash: 7e49a97e2828e55f09aca6a93046d95fc6e945cfae9eff24252d1613d3fabee6
Instruction Fuzzy Hash: 7FD17131702212DFCB1AEF14D499B69F7A4BF15700F2542ADE84A6B262DB30ED56CF90

Function 001B359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001B35E4

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

LoadStringW.USER32(00212390,?,00000FFF,?), ref: 001B360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 001B3724
Line %d (File "%s"):, xrefs: 001B366B
"%s" (%d) : ==> %s:, xrefs: 001B3742
^ ERROR, xrefs: 001B36C9
Error: , xrefs: 001B36EF

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 77aea0a0a49e0dafacaf980bb807cd94d7b59a8019116052284cdd84d6256d20
Instruction ID: b8c0a9de77efae07e9a3c7d6890ad8969312bea64b2fbd8d7f776ceb25ed6541
Opcode Fuzzy Hash: 77aea0a0a49e0dafacaf980bb807cd94d7b59a8019116052284cdd84d6256d20
Instruction Fuzzy Hash: 2C51607290020ABADF14EFA0DC46EEEBB78AF25300F144165F515721A2DF311BA9DFA1

Function 001D3886 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 001D3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 001D393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 001D3954
_wcslen.LIBCMT ref: 001D3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 001D39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 001D39F4

Strings

SysListView32, xrefs: 001D38F7
@U=u, xrefs: 001D3925, 001D393A

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: @U=u$SysListView32
API String ID: 2147712094-1908207174
Opcode ID: 7040b339ec858eb8323bb222eefe301788d19d7bdbb9502214f44c36314c0fee
Instruction ID: 5f69437ee4b4e6081dcf38767473fea8f2fff0dbc38fe2173ce54fe80bf5ceaf
Opcode Fuzzy Hash: 7040b339ec858eb8323bb222eefe301788d19d7bdbb9502214f44c36314c0fee
Instruction Fuzzy Hash: D741A271A00219ABEF219F64CC49BEA7BA9EF18354F100527F958E7281D771DA94CB90

Function 001D2DFD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001D2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 001D2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 001D2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 001D2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 001D2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 001D2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 001D2F0B

Strings

@U=u, xrefs: 001D2E1C, 001D2EB6, 001D2EE0

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: @U=u
API String ID: 2178440468-2594219639
Opcode ID: 7cd90f536d84bcd3963fd8dc0456b310fd7c3470d3d7e1df17ba171260ee276b
Instruction ID: 599472b55af0d19d54944a8898b2efecb5f8a8be3b66676a45c31f149ea7f1e9
Opcode Fuzzy Hash: 7cd90f536d84bcd3963fd8dc0456b310fd7c3470d3d7e1df17ba171260ee276b
Instruction Fuzzy Hash: DA3105306461519FDB21CF58EC88FA537E1EBAA711F1545A6FA208B3B1CB71E890DB41

Function 001BC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001BC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001BC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001BC2CA
GetLastError.KERNEL32 ref: 001BC322
SetEvent.KERNEL32(?), ref: 001BC336
InternetCloseHandle.WININET(00000000), ref: 001BC341

Strings

, xrefs: 001BC2BB

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: a599e7b3fe8cf7e937dcf8e93af8a2c9d9ebf8f4ea4b44cdf9599be449650e20
Instruction ID: c9e676346adff867f74b3a270fea34c6982442845a6dd7d09aabefb177a5e480
Opcode Fuzzy Hash: a599e7b3fe8cf7e937dcf8e93af8a2c9d9ebf8f4ea4b44cdf9599be449650e20
Instruction Fuzzy Hash: DF319AB1601208AFD7219FA58C88AEB7BFCFB99740B54891EF486D2210DB34DD44CBE0

Function 001A989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00183AAF,?,?,Bad directive syntax error,001DCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 001A98BC
LoadStringW.USER32(00000000,?,00183AAF,?), ref: 001A98C3

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 001A9987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 001A98F1
Line %d (File "%s"):, xrefs: 001A992D
Error: , xrefs: 001A9955
Line %d:, xrefs: 001A9912
., xrefs: 001A996D

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: b3c9757dfe65d425962f8675952850799e9310db71292126ed529203fa97a7d0
Instruction ID: 1a07a6baaa55814c67c01e21c433dd1fdbb35f4246b88384d2da8f912bc22a31
Opcode Fuzzy Hash: b3c9757dfe65d425962f8675952850799e9310db71292126ed529203fa97a7d0
Instruction Fuzzy Hash: 99218D3280021AFBDF15AF90CC0AEEE7779BF29704F04446AF515660A2EB319668DB50

Function 00178D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0daef21090bf360aa3b7183bd71bc9ade8703c637bae1c342090b675022f9d58
Instruction ID: 05cc89f691d2fcb97b238636a798cbd9b94a6df16d0b73f8a5a5783893242972
Opcode Fuzzy Hash: 0daef21090bf360aa3b7183bd71bc9ade8703c637bae1c342090b675022f9d58
Instruction Fuzzy Hash: 6CC1F374904249AFCB11DFA8D889BADBBB4BF1A310F148099F51CA7392CB708946CB61

Function 0017CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0017CEB7
_free.LIBCMT ref: 0017CF22
_free.LIBCMT ref: 0017CF48
_free.LIBCMT ref: 0017CF71
_free.LIBCMT ref: 0017CFA9
_free.LIBCMT ref: 0017CFDA
_free.LIBCMT ref: 0017D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0017D09C
_free.LIBCMT ref: 0017D0B5

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: cc198d2f23e4ac879480720cf3cc37887c2db0d4dc2522010a1730cbcdbf4d15
Instruction ID: a00a7ad7d3ba88a793a7cf96643d917b90a825c9891993c7975e17a0305d5479
Opcode Fuzzy Hash: cc198d2f23e4ac879480720cf3cc37887c2db0d4dc2522010a1730cbcdbf4d15
Instruction Fuzzy Hash: 36614571904314AFDB25AFB4BC85AAE7BB5EF16720F04C16EF94CA7281DB319D418790

Function 001BC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001BC182
GetLastError.KERNEL32 ref: 001BC195
SetEvent.KERNEL32(?), ref: 001BC1A9

Part of subcall function 001BC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001BC272
Part of subcall function 001BC253: GetLastError.KERNEL32 ref: 001BC322
Part of subcall function 001BC253: SetEvent.KERNEL32(?), ref: 001BC336
Part of subcall function 001BC253: InternetCloseHandle.WININET(00000000), ref: 001BC341

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 5c144107d05387b8ce5aeb4f25d9084902bcc3fc2f96541063613e06b15e98e2
Instruction ID: 231c6ae5adc7fd5b507fa48178b057fab04c572b88c1c32aae61e84b3770f417
Opcode Fuzzy Hash: 5c144107d05387b8ce5aeb4f25d9084902bcc3fc2f96541063613e06b15e98e2
Instruction Fuzzy Hash: 6E318D71202606EFDB219FA9DC44AA6BBF9FF58300B04481EF956C6A10D730E854DBE0

Function 001A25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 001A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001A3A57
Part of subcall function 001A3A3D: GetCurrentThreadId.KERNEL32 ref: 001A3A5E
Part of subcall function 001A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001A25B3), ref: 001A3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 001A25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001A25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 001A25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 001A25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 001A2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 001A2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 001A260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 001A2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 001A2627

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e48cab23c121a5b004a82c2d001f600ba1b6ff0044f34abc038fb8946938277d
Instruction ID: cc732c2c6aa210728c800c992bb64f3b7bccc98cc21e0a3e839b9c8ff411a810
Opcode Fuzzy Hash: e48cab23c121a5b004a82c2d001f600ba1b6ff0044f34abc038fb8946938277d
Instruction Fuzzy Hash: 8A01B530691320FBFF1067689C8AF993F59DB5AB11F100402F318AF1D1CAF15484CAA9

Function 001A1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,001A1449,?,?,00000000), ref: 001A180C
HeapAlloc.KERNEL32(00000000,?,001A1449,?,?,00000000), ref: 001A1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001A1449,?,?,00000000), ref: 001A1828
GetCurrentProcess.KERNEL32(?,00000000,?,001A1449,?,?,00000000), ref: 001A1830
DuplicateHandle.KERNEL32(00000000,?,001A1449,?,?,00000000), ref: 001A1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001A1449,?,?,00000000), ref: 001A1843
GetCurrentProcess.KERNEL32(001A1449,00000000,?,001A1449,?,?,00000000), ref: 001A184B
DuplicateHandle.KERNEL32(00000000,?,001A1449,?,?,00000000), ref: 001A184E
CreateThread.KERNEL32(00000000,00000000,001A1874,00000000,00000000,00000000), ref: 001A1868

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: a102f7843cb034abd52f2c94fc8eaa3a64209a55fd8df94ce8c0a5e90a33c936
Instruction ID: bcb703f7ff77e81b98b3af35d2f63b76765e55c4ae92252ede2cdaefb348e30d
Opcode Fuzzy Hash: a102f7843cb034abd52f2c94fc8eaa3a64209a55fd8df94ce8c0a5e90a33c936
Instruction Fuzzy Hash: 9501BF75241315FFE710AB65DC4DF573B6CEB89B11F004411FA05DB591C6749840CB60

Function 001CA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 001AD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 001AD501
Part of subcall function 001AD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 001AD50F
Part of subcall function 001AD4DC: CloseHandle.KERNEL32(00000000), ref: 001AD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 001CA16D
GetLastError.KERNEL32 ref: 001CA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 001CA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 001CA268
GetLastError.KERNEL32(00000000), ref: 001CA273
CloseHandle.KERNEL32(00000000), ref: 001CA2C4

Strings

SeDebugPrivilege, xrefs: 001CA18F

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: ddbe28237f6c3620381deb1498cf9aa600b11d6666a9970f17d0df8b2c2b127b
Instruction ID: 02c349e57baf5d2d2c1c88db52865dd6255bc554da7b470cb33a4df988465677
Opcode Fuzzy Hash: ddbe28237f6c3620381deb1498cf9aa600b11d6666a9970f17d0df8b2c2b127b
Instruction Fuzzy Hash: DF619E70205252AFD721DF18C494F15BBE1AF6431CF58848CE4668BBA3C776EC49CB92

Function 001D81DB Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0019F3AB,00000000,?,?,00000000,?,0019682C,00000004,00000000,00000000), ref: 001D824C
EnableWindow.USER32(00000000,00000000), ref: 001D8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 001D82D1
ShowWindow.USER32(00000000,00000004), ref: 001D82E5
EnableWindow.USER32(00000000,00000001), ref: 001D830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 001D832F

Strings

@U=u, xrefs: 001D832F

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: @U=u
API String ID: 642888154-2594219639
Opcode ID: b5d5814477cc91836cf6bd555fb2ea17b3e43efa04b5fd323e89504cc0577032
Instruction ID: 70b361ca79fb63bbb01dab63a1110f1b3388b43ece1a51c622d64a72028923c3
Opcode Fuzzy Hash: b5d5814477cc91836cf6bd555fb2ea17b3e43efa04b5fd323e89504cc0577032
Instruction Fuzzy Hash: 54418034602644AFDF25CF25DC99BE47BF1FB1A715F1842AAE6184B3A2CB31A851CB50

Function 001A4C7D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 001A4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 001A4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 001A4CEA
_wcslen.LIBCMT ref: 001A4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 001A4D10
_wcsstr.LIBVCRUNTIME ref: 001A4D1A

Strings

@U=u, xrefs: 001A4CB2, 001A4CEA

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID: @U=u
API String ID: 72514467-2594219639
Opcode ID: dae5db148b982f098406c8e1dc35a9043ae67e2dad0a073bd753b31bae0502e8
Instruction ID: 63bff3771583b6d758212c144afb416b464ce92d7a9fcd5a9c407969bb28dd19
Opcode Fuzzy Hash: dae5db148b982f098406c8e1dc35a9043ae67e2dad0a073bd753b31bae0502e8
Instruction Fuzzy Hash: EB213B35605201BBEB155B79DC0AEBB7B9CDF96760F10403EF809CA192DFA1DC41C2A0

Function 001AC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 001AC913

Strings

blank, xrefs: 001AC895
info, xrefs: 001AC8B4
stop, xrefs: 001AC8E4
warning, xrefs: 001AC8FC
question, xrefs: 001AC8CC

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 1556e3aeb1a37c9baf2fa72bdff746e6f0ac5f266632de7210a30caace818248
Instruction ID: 6a6380e8b250f3e671a16afee636bbca4e7daa0a911b93c96f67da83e82c6d42
Opcode Fuzzy Hash: 1556e3aeb1a37c9baf2fa72bdff746e6f0ac5f266632de7210a30caace818248
Instruction Fuzzy Hash: 2F11273A689307BAE7059B549C83DAB67DCDF27328B20402EF500A62C2E7A49E1052E5

Function 00197439 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00197452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00197469
GetWindowDC.USER32(?), ref: 00197475
GetPixel.GDI32(00000000,?,?), ref: 00197484
ReleaseDC.USER32(?,00000000), ref: 00197496
GetSysColor.USER32(00000005), ref: 001974B0

Strings

@U=u, xrefs: 00197469

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID: @U=u
API String ID: 272304278-2594219639
Opcode ID: b632e64756e5327da3dd0ddcf82d0c42b09e81f69481a02c63331aa79159ce27
Instruction ID: 664456e0925b76c9df05c33d9e5f479b79725a5198737c4d5b93008ecd66bf3c
Opcode Fuzzy Hash: b632e64756e5327da3dd0ddcf82d0c42b09e81f69481a02c63331aa79159ce27
Instruction Fuzzy Hash: C2018B31506216EFDB105FA4EC08BEEBBB6FF04311F110561F925A35A1CB311E91EB91

Function 001AED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 001AED2A
_wcslen.LIBCMT ref: 001AED3B
_wcslen.LIBCMT ref: 001AED79
_wcslen.LIBCMT ref: 001AEDAF
_wcslen.LIBCMT ref: 001AEDDF
_wcslen.LIBCMT ref: 001AEDEF
_wcslen.LIBCMT ref: 001AEE2B
_wcslen.LIBCMT ref: 001AEE5A

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 1cc5898ede9544b5b9d6159df3582d95f5ca60eb11679c3dde628dd05f4f6cea
Instruction ID: 6c0e3d9ca05449db28eb89b14a1f02047c63e6054ec1e9bceaf91b8261e3ac96
Opcode Fuzzy Hash: 1cc5898ede9544b5b9d6159df3582d95f5ca60eb11679c3dde628dd05f4f6cea
Instruction Fuzzy Hash: 5F41D466D1021876DB11EBF4CC8A9CFB7A8AF56310F508466F518E3121FB34E265C3E5

Function 0015F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0019682C,00000004,00000000,00000000), ref: 0015F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0019682C,00000004,00000000,00000000), ref: 0019F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0019682C,00000004,00000000,00000000), ref: 0019F454

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 2b7960383591c662796030159bb268f97feac57a0bc618304f5deb646b89409f
Instruction ID: 55248c08639c7932a70187f7ca5e8e30bda9427bce591ab47f46afb001f0fa8f
Opcode Fuzzy Hash: 2b7960383591c662796030159bb268f97feac57a0bc618304f5deb646b89409f
Instruction Fuzzy Hash: 2C415231605A40FECB388B3DC88876A7B91BB5631AF15443DF8679B560C771A4CBC751

Function 001A5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 001A5637
_memcmp.LIBVCRUNTIME ref: 001A5659
_memcmp.LIBVCRUNTIME ref: 001A5671
_memcmp.LIBVCRUNTIME ref: 001A5684
_memcmp.LIBVCRUNTIME ref: 001A569E
_memcmp.LIBVCRUNTIME ref: 001A56B1
_memcmp.LIBVCRUNTIME ref: 001A56C9
_memcmp.LIBVCRUNTIME ref: 001A56E4

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 2fe07dbba7ad236e8eeec37aa864d2012b78e55dd28c9277d265d0652131e568
Instruction ID: 74716c2b8114f227df25b31af76b7b15f0b1c8f80eec01d09a240a0ad510bea9
Opcode Fuzzy Hash: 2fe07dbba7ad236e8eeec37aa864d2012b78e55dd28c9277d265d0652131e568
Instruction Fuzzy Hash: 3421DB69748A0977D71855208E82FFB335FBF323A4F484025FD1A9A781F720EE3181A5

Function 001C4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 001C5007
NULL Pointer assignment, xrefs: 001C502E, 001C5383

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 0f047d9a36478830c0ab624f5c46842cf26f51117ce9351bf758dc6d01fe6993
Instruction ID: c53a0d67c86415c69087cc13fdb2aea32fb4a0e0d2f11247d832910934612205
Opcode Fuzzy Hash: 0f047d9a36478830c0ab624f5c46842cf26f51117ce9351bf758dc6d01fe6993
Instruction Fuzzy Hash: EED1B075A0060A9FDF10CF98C885FAEB7B6BF58344F14856DE915AB281D770ED81CB90

Function 00181522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,001817FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 001815CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00181651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,001817FB,?,001817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001816E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001816FB

Part of subcall function 00173820: RtlAllocateHeap.NTDLL(00000000,?,00211444,?,0015FDF5,?,?,0014A976,00000010,00211440,001413FC,?,001413C6,?,00141129), ref: 00173852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,001817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00181777
__freea.LIBCMT ref: 001817A2
__freea.LIBCMT ref: 001817AE

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: e1a09724ebef1f38a29b79038ad0c3a4d16eb5a8024e77a84e636626c5980124
Instruction ID: 53f8a9fdaf598b1d3773d40e01fce10c1fdd68742a462f63e6299ccc2086b91f
Opcode Fuzzy Hash: e1a09724ebef1f38a29b79038ad0c3a4d16eb5a8024e77a84e636626c5980124
Instruction Fuzzy Hash: 1E91C773E00216BADB24AE74CC81AEE7BBDAF59310F184659E905E7141D735DE42CF60

Function 001C4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001C4648
VariantInit.OLEAUT32(?), ref: 001C4749
VariantClear.OLEAUT32(?), ref: 001C4753
VariantClear.OLEAUT32(?), ref: 001C47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 001C45D8, 001C4706, 001C47BE
Incorrect Object type in FOR..IN loop, xrefs: 001C472C

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: f8f6f3bb281c25a7af897f5599f90adf5aa4fd43cca28be619ef81023a75ddc0
Instruction ID: fc5ac22c939f33a2c64e1c99a576e87f13b81c7fbbc6b0a749abc7d149c4dce0
Opcode Fuzzy Hash: f8f6f3bb281c25a7af897f5599f90adf5aa4fd43cca28be619ef81023a75ddc0
Instruction Fuzzy Hash: F6919C71A04319ABDF24CFA4C898FAEBBB8EF66710F10855DF505AB281D770D945CBA0

Function 001B1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 001B125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 001B1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 001B12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001B12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001B135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001B13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001B1430

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 804605ea01bd236855e8619e74c351e194b80b02ac8ab77dbe51c5636abed1e2
Instruction ID: c4fe7d0331b2a9220d723b435ea2f032bdb413b68016efe09b9ef8bb94099db6
Opcode Fuzzy Hash: 804605ea01bd236855e8619e74c351e194b80b02ac8ab77dbe51c5636abed1e2
Instruction Fuzzy Hash: E3910572A00219BFDB00DFA8C8A4BFE77B5FF55315F624469E900EB291D774A941CB90

Function 0015948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 9c89f50c51ff55d98e7f4028c034864708874e4d28d1bcd9de34b8b30e640b17
Instruction ID: 6add2962bbd148e63110789368eb56b361dc978ef82fe989c2b13c1c8fca83dd
Opcode Fuzzy Hash: 9c89f50c51ff55d98e7f4028c034864708874e4d28d1bcd9de34b8b30e640b17
Instruction Fuzzy Hash: 20914971D10219EFCB14CFA9CC84AEEBBB8FF48320F144556E915BB251D378AA55CB60

Function 001C3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001C396B
CharUpperBuffW.USER32(?,?), ref: 001C3A7A
_wcslen.LIBCMT ref: 001C3A8A
VariantClear.OLEAUT32(?), ref: 001C3C1F

Part of subcall function 001B0CDF: VariantInit.OLEAUT32(00000000), ref: 001B0D1F
Part of subcall function 001B0CDF: VariantCopy.OLEAUT32(?,?), ref: 001B0D28
Part of subcall function 001B0CDF: VariantClear.OLEAUT32(?), ref: 001B0D34

Strings

Incorrect Parameter format, xrefs: 001C39A6, 001C3BA1
AUTOIT.ERROR, xrefs: 001C3A80, 001C3A85

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 8de2307f50a9168c69b6492555629546e2cc5426564efb041bc5fbb1f3bca61c
Instruction ID: 8bd070a31234bf4d48f83115c957d79c745b00f2615bf8e54267e7783fd68c95
Opcode Fuzzy Hash: 8de2307f50a9168c69b6492555629546e2cc5426564efb041bc5fbb1f3bca61c
Instruction Fuzzy Hash: 71918A75A083059FC704DF28C480A6AB7E4FFA9314F14892EF8999B351DB31EE45CB92

Function 001C4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 001A000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0019FF41,80070057,?,?,?,001A035E), ref: 001A002B
Part of subcall function 001A000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0019FF41,80070057,?,?), ref: 001A0046
Part of subcall function 001A000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0019FF41,80070057,?,?), ref: 001A0054
Part of subcall function 001A000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0019FF41,80070057,?), ref: 001A0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 001C4C51
_wcslen.LIBCMT ref: 001C4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 001C4DCF
CoTaskMemFree.OLE32(?), ref: 001C4DDA

Strings

NULL Pointer assignment, xrefs: 001C4E23, 001C4E52

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 8b2de5f7b66792d9da824436f93ef1b41b5d8d44f0c0ba6bc97e3f2c60d7a04f
Instruction ID: 5d217f485b885ebc6c52522a58b3b31c5cf02bcdd3947c5d9f444d4c8a5bd60b
Opcode Fuzzy Hash: 8b2de5f7b66792d9da824436f93ef1b41b5d8d44f0c0ba6bc97e3f2c60d7a04f
Instruction Fuzzy Hash: 8D913771D0121DAFDF14DFA4D890EEEB7B8BF28304F10856AE915AB251DB349A44CFA0

Function 001D20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 001D2183
GetMenuItemCount.USER32(00000000), ref: 001D21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 001D21DD
_wcslen.LIBCMT ref: 001D2213
GetMenuItemID.USER32(?,?), ref: 001D224D
GetSubMenu.USER32(?,?), ref: 001D225B

Part of subcall function 001A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001A3A57
Part of subcall function 001A3A3D: GetCurrentThreadId.KERNEL32 ref: 001A3A5E
Part of subcall function 001A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001A25B3), ref: 001A3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001D22E3

Part of subcall function 001AE97B: Sleep.KERNEL32 ref: 001AE9F3

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 9b65d4eef729c499e30184534342619f2689a0ac624f28e272e9de7ba1734e72
Instruction ID: 44d69e71a542ee60c58171a27f6173b919b669da198e6bec3e22411fc33bc7e7
Opcode Fuzzy Hash: 9b65d4eef729c499e30184534342619f2689a0ac624f28e272e9de7ba1734e72
Instruction Fuzzy Hash: 40719E35A00215AFCB14DFA8C845AAEB7F1FF68310F15845AE826EB351D735EE41CB90

Function 001AAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 001AAEF9
GetKeyboardState.USER32(?), ref: 001AAF0E
SetKeyboardState.USER32(?), ref: 001AAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 001AAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 001AAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 001AAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 001AB020

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 28ceb9a80e26647073a1757fc882646b810f48ebc67ce9139008e9381224d5e3
Instruction ID: 38d35a469efc56924760da17f96b60b43507851256acfe20058a3ec2933f0048
Opcode Fuzzy Hash: 28ceb9a80e26647073a1757fc882646b810f48ebc67ce9139008e9381224d5e3
Instruction Fuzzy Hash: 1E5181A46087D53DFB3A42348C85BBABEA95F07304F08858AF1D9958C3D7A9ACC4D751

Function 001AACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 001AAD19
GetKeyboardState.USER32(?), ref: 001AAD2E
SetKeyboardState.USER32(?), ref: 001AAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 001AADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 001AADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 001AAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 001AAE38

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f7311172bb16626a8982aea4d6a19cdae92fef72a87e71b2d99bb23fa6f5002b
Instruction ID: d81f80a58caecf3445e4906ebac908720fc185a647c680b63336ae9f10a2a2a7
Opcode Fuzzy Hash: f7311172bb16626a8982aea4d6a19cdae92fef72a87e71b2d99bb23fa6f5002b
Instruction Fuzzy Hash: CE51E3A55487D53DFB3783748C95BBABEA85F47300F488489E1D5468C3D3A4EC88E762

Function 0017542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00183CD6,?,?,?,?,?,?,?,?,00175BA3,?,?,00183CD6,?,?), ref: 00175470
__fassign.LIBCMT ref: 001754EB
__fassign.LIBCMT ref: 00175506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00183CD6,00000005,00000000,00000000), ref: 0017552C
WriteFile.KERNEL32(?,00183CD6,00000000,00175BA3,00000000,?,?,?,?,?,?,?,?,?,00175BA3,?), ref: 0017554B
WriteFile.KERNEL32(?,?,00000001,00175BA3,00000000,?,?,?,?,?,?,?,?,?,00175BA3,?), ref: 00175584

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 6b5c45993f5f2621c874f47a1e718bd0bf23be3e24716d3633a227feeb910bd0
Instruction ID: a42ca37186b2e90a0e20513ada7ef88d654c8a2a57b1f2af5489fca14110fe20
Opcode Fuzzy Hash: 6b5c45993f5f2621c874f47a1e718bd0bf23be3e24716d3633a227feeb910bd0
Instruction Fuzzy Hash: 0851C6719006499FDB10CFA8D885AEEBBFAEF09300F14851AF559E7291E7709A41CB60

Function 001D6B76 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 001D6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 001D6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 001D6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,001BAB79,00000000,00000000), ref: 001D6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 001D6CC7

Strings

@U=u, xrefs: 001D6C73

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID: @U=u
API String ID: 3688381893-2594219639
Opcode ID: fe51cd4b2c5088998e01b1a8b84e335c581797af07b7dfdbfba988c6a800d840
Instruction ID: d8c08e374064cc273af92447653a93efeabeffe638020d2ded08664b64c00f6e
Opcode Fuzzy Hash: fe51cd4b2c5088998e01b1a8b84e335c581797af07b7dfdbfba988c6a800d840
Instruction Fuzzy Hash: 0E41E635614114AFDB24CF28CC98FEA7BA5EB09350F15026AF999A73E0C771ED41DA80

Function 00162D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00162D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00162D53
_ValidateLocalCookies.LIBCMT ref: 00162DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00162E0C
_ValidateLocalCookies.LIBCMT ref: 00162E61

Strings

csm, xrefs: 00162DF6

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 2b75e032e8f88fbec625ac0e66f634d498efd7cc6bfd8cc2b62d7007522a88fa
Instruction ID: ae4ef51556ff0a1a82be82e8a2d1c88de12c69344df9d5b8f310616fe4f4a0e4
Opcode Fuzzy Hash: 2b75e032e8f88fbec625ac0e66f634d498efd7cc6bfd8cc2b62d7007522a88fa
Instruction Fuzzy Hash: 4E41D234E00609ABCF10DFA8CC85ADEBBB5BF45324F148165E814AB392D771AA61CBD0

Function 001C10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001C304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001C307A
Part of subcall function 001C304E: _wcslen.LIBCMT ref: 001C309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 001C1112
WSAGetLastError.WSOCK32 ref: 001C1121
WSAGetLastError.WSOCK32 ref: 001C11C9
closesocket.WSOCK32(00000000), ref: 001C11F9

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 42825b03b3e9bf434311ed2c6ed0d0cae9097ca40383313ad9aa897f3af0e55f
Instruction ID: 0d7787d9cd48ae536eed5d370c86f43810aa1d45ee6715c4d49ca4dbb3880f2a
Opcode Fuzzy Hash: 42825b03b3e9bf434311ed2c6ed0d0cae9097ca40383313ad9aa897f3af0e55f
Instruction Fuzzy Hash: 3141E531601205AFDB109F24C884FA9B7E9FF56324F188159FD159B292C778ED81CBE1

Function 001ACF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001ADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001ACF22,?), ref: 001ADDFD

Part of subcall function 001ADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001ACF22,?), ref: 001ADE16

lstrcmpiW.KERNEL32(?,?), ref: 001ACF45
MoveFileW.KERNEL32(?,?), ref: 001ACF7F
_wcslen.LIBCMT ref: 001AD005
_wcslen.LIBCMT ref: 001AD01B
SHFileOperationW.SHELL32(?), ref: 001AD061

Strings

\*.*, xrefs: 001ACFF3

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 81d7abb1ca4bd225eac5c7c73078ee08afd2fa394dc8cf5e6924338b7b079ddc
Instruction ID: 22b7972cda2c5b6bb388edaf8f3b1e5f5f87b643644350c1fbae7d8076779d0d
Opcode Fuzzy Hash: 81d7abb1ca4bd225eac5c7c73078ee08afd2fa394dc8cf5e6924338b7b079ddc
Instruction Fuzzy Hash: 5A4167759452199FDF12EFA4DD81ADEB7F9AF19340F1000E6E505EB142EB34AB88CB50

Function 001A7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001A7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001A778F
SysAllocString.OLEAUT32(00000000), ref: 001A7792
SysAllocString.OLEAUT32(?), ref: 001A77B0
SysFreeString.OLEAUT32(?), ref: 001A77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 001A77DE
SysAllocString.OLEAUT32(?), ref: 001A77EC

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9e5cfd2ab1e08b4dcbc1538689a921d98377c098b75b08e4bb17a468f2a6c204
Instruction ID: 88de10e42c907a80d393e6fed6835e77b85bad0b2f95360766c8257a8be7d223
Opcode Fuzzy Hash: 9e5cfd2ab1e08b4dcbc1538689a921d98377c098b75b08e4bb17a468f2a6c204
Instruction Fuzzy Hash: D221B27A605219AFDB10DFE8CC88CBB73ACEB0A3647008526F914DB191D770DD81C7A0

Function 001A77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001A7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001A7868
SysAllocString.OLEAUT32(00000000), ref: 001A786B
SysAllocString.OLEAUT32 ref: 001A788C
SysFreeString.OLEAUT32 ref: 001A7895
StringFromGUID2.OLE32(?,?,00000028), ref: 001A78AF
SysAllocString.OLEAUT32(?), ref: 001A78BD

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 4ac27cb77fe6ca6635e4068f1329f8dcc9006eaf349e89049a105aa6cf6f768c
Instruction ID: a8e81cfb9b40cd4e9fdfa3f12ac0d8572f335f68ebe95da47c56de110a16e64e
Opcode Fuzzy Hash: 4ac27cb77fe6ca6635e4068f1329f8dcc9006eaf349e89049a105aa6cf6f768c
Instruction Fuzzy Hash: DE21A135609205AFDB109FA8DC88DBA77ECEF0A3607108525F915CB2A5D778DD81CBA4

Function 001D5706 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 001D5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 001D579D
_wcslen.LIBCMT ref: 001D57AF
_wcslen.LIBCMT ref: 001D57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 001D5816

Strings

@U=u, xrefs: 001D5745, 001D579D, 001D5816

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID: @U=u
API String ID: 763830540-2594219639
Opcode ID: b0c9cfdd61e5247263a3837554f9975e1e4e07b141d6b7c9246726ab53f41fb5
Instruction ID: 7f5c2fcafc1bd3fdbd5c267cfe95be05df1cf6572acf9133cb035c9fc1756304
Opcode Fuzzy Hash: b0c9cfdd61e5247263a3837554f9975e1e4e07b141d6b7c9246726ab53f41fb5
Instruction Fuzzy Hash: AE218071905618DADB209FA4CC85AEE7BB9FF14724F10821BE929EA2C0E7709985CF51

Function 001B04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 001B04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001B052E

Strings

nul, xrefs: 001B0567

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: ee516f81dc173b006510a193077479a240b68e65e5d8811c6a61c144d5061278
Instruction ID: 90de4555b2270155c55be678620d056b8cee4fea00072e14af72265ad60e11fc
Opcode Fuzzy Hash: ee516f81dc173b006510a193077479a240b68e65e5d8811c6a61c144d5061278
Instruction Fuzzy Hash: A9218DB1500306AFDB319F69DC44ADB77E4BF49724F204A19F8A1D66E0D7709980CF60

Function 001B05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001B05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001B0601

Strings

nul, xrefs: 001B0639

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 643c95bdcf0ac325b924eabc8fa3f985079c205a3f52952327a18a68902f4248
Instruction ID: 6096aaaf024e404108179e5c2b3a55de0286240fb15d65456655ba67c4956048
Opcode Fuzzy Hash: 643c95bdcf0ac325b924eabc8fa3f985079c205a3f52952327a18a68902f4248
Instruction Fuzzy Hash: B2214F755013169FDB219F69DC04ADB77E4BF99720F200B19F8A1E72E0E77099A0CB50

Function 001D40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0014600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0014604C
Part of subcall function 0014600E: GetStockObject.GDI32(00000011), ref: 00146060
Part of subcall function 0014600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0014606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 001D4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 001D411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 001D412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 001D4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 001D4145

Strings

Msctls_Progress32, xrefs: 001D40E3

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 5a3680587d2b02b42eb68cb4aa0871562a94250c1586f0006afc0f3d1ee77b28
Instruction ID: b90a277f43429b9b3a6bcea6516d566bbd3e181a8b342f77ba2e1a06a78c2ae2
Opcode Fuzzy Hash: 5a3680587d2b02b42eb68cb4aa0871562a94250c1586f0006afc0f3d1ee77b28
Instruction Fuzzy Hash: 321190B2150219BFEF118E64CC86EE77F6DEF19798F014111BB18A2190CB72AC61DBA4

Function 0017D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0017D7A3: _free.LIBCMT ref: 0017D7CC

_free.LIBCMT ref: 0017D82D

Part of subcall function 001729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000), ref: 001729DE
Part of subcall function 001729C8: GetLastError.KERNEL32(00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000,00000000), ref: 001729F0

_free.LIBCMT ref: 0017D838
_free.LIBCMT ref: 0017D843
_free.LIBCMT ref: 0017D897
_free.LIBCMT ref: 0017D8A2
_free.LIBCMT ref: 0017D8AD
_free.LIBCMT ref: 0017D8B8

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: ae259239f3e1c0009e2af7f360a4a2288260ad55ff94029eca6c7b50c8104110
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 8A118171540B18AAD621BFF0DC07FCBBBFC6F60704F448825F29DA6092DB34B6464651

Function 001ADA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 001ADA74
LoadStringW.USER32(00000000), ref: 001ADA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 001ADA91
LoadStringW.USER32(00000000), ref: 001ADA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 001ADADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 001ADAB9

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: cab72ff9c0cb3ef49c13b3ec1d49de5c2dae3b5c2ccf42da388e22ddd377ec29
Instruction ID: 505afd17c910c338be188217bf10d8742dde712292ee7fb24846dc6b79b94105
Opcode Fuzzy Hash: cab72ff9c0cb3ef49c13b3ec1d49de5c2dae3b5c2ccf42da388e22ddd377ec29
Instruction Fuzzy Hash: 8A0186F6501219BFE7109BA0DD89EFB336CE709301F400992B706E2441EA749EC48FB4

Function 001B096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0114E370,0114E370), ref: 001B097B
EnterCriticalSection.KERNEL32(0114E350,00000000), ref: 001B098D
TerminateThread.KERNEL32(0114E368,000001F6), ref: 001B099B
WaitForSingleObject.KERNEL32(0114E368,000003E8), ref: 001B09A9
CloseHandle.KERNEL32(0114E368), ref: 001B09B8
InterlockedExchange.KERNEL32(0114E370,000001F6), ref: 001B09C8
LeaveCriticalSection.KERNEL32(0114E350), ref: 001B09CF

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 972ca35f5cf0dbbf21f57e283f0c5576fa51793031d804701e479ac399d78982
Instruction ID: 1aa66b7094737d2a72707e7ddb6db4fc1b9989ad2949538c9f103dc07a735176
Opcode Fuzzy Hash: 972ca35f5cf0dbbf21f57e283f0c5576fa51793031d804701e479ac399d78982
Instruction Fuzzy Hash: 8BF0C932483A13BBDB525BA4EE89BD6BB29BF05706F402526F20290CA1C77594A5CFD0

Function 001701B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 001700BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001700D6
__allrem.LIBCMT ref: 001700ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0017010B
__allrem.LIBCMT ref: 00170122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00170140

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: b66069b34239fb593b31ecedcfb2b6004b575121753df8204644e4c2b4274f5f
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 50812972A00706EBE725AF68DC81B6B73F8AF55364F24813EF515D7281EB70DA418B50

Function 001761FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001682D9,001682D9,?,?,?,0017644F,00000001,00000001,8BE85006), ref: 00176258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0017644F,00000001,00000001,8BE85006,?,?,?), ref: 001762DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001763D8
__freea.LIBCMT ref: 001763E5

Part of subcall function 00173820: RtlAllocateHeap.NTDLL(00000000,?,00211444,?,0015FDF5,?,?,0014A976,00000010,00211440,001413FC,?,001413C6,?,00141129), ref: 00173852

__freea.LIBCMT ref: 001763EE
__freea.LIBCMT ref: 00176413

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 64689ff0d3cee6541079243c9420c965cd5b6c9e9161f84ca9c956d899a361f7
Instruction ID: 316cde3967b888118ab99be07172af250fed35ca6b4497814ab1978f0315ec12
Opcode Fuzzy Hash: 64689ff0d3cee6541079243c9420c965cd5b6c9e9161f84ca9c956d899a361f7
Instruction Fuzzy Hash: 2B51E072A00A16ABEB298F64CC81EAF77B9EB58710F158629FC0DD6141EB34DC40D7A0

Function 001CBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

Part of subcall function 001CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001CB6AE,?,?), ref: 001CC9B5
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CC9F1
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CCA68
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001CBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001CBD25
RegCloseKey.ADVAPI32(00000000), ref: 001CBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 001CBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 001CBDF3
RegCloseKey.ADVAPI32(?), ref: 001CBDFF

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 7ce1cbb6422e9594c2880d90c4a342ed9e8fb1ee139d07aad78f268d2fb67d2d
Instruction ID: a14a3b0b91426a912ee9e23068e8f323c201c63893b6292622aa09a8227caf66
Opcode Fuzzy Hash: 7ce1cbb6422e9594c2880d90c4a342ed9e8fb1ee139d07aad78f268d2fb67d2d
Instruction Fuzzy Hash: 5A817A70208241AFD714DF64C8C6E2ABBE5FF94308F14895DF45A8B2A2DB31ED45CB92

Function 0019F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0019F7B9
SysAllocString.OLEAUT32(00000001), ref: 0019F860
VariantCopy.OLEAUT32(0019FA64,00000000), ref: 0019F889
VariantClear.OLEAUT32(0019FA64), ref: 0019F8AD
VariantCopy.OLEAUT32(0019FA64,00000000), ref: 0019F8B1
VariantClear.OLEAUT32(?), ref: 0019F8BB

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 21a7fbc18639ee017a92dca59bacf3f358dbc5e4f3552c1de2af35919584506b
Instruction ID: fc2bc2319b07ae42df77af298a8b56f799503245bc1e1e084147d170d9d3f302
Opcode Fuzzy Hash: 21a7fbc18639ee017a92dca59bacf3f358dbc5e4f3552c1de2af35919584506b
Instruction Fuzzy Hash: 7F51C131600310FACF24AF65D895B69B3A8EF55324B24846FF806DF292DB70CC46CB96

Function 001B910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00147620: _wcslen.LIBCMT ref: 00147625

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 001B94E5
_wcslen.LIBCMT ref: 001B9506
_wcslen.LIBCMT ref: 001B952D
GetSaveFileNameW.COMDLG32(00000058), ref: 001B9585

Strings

X, xrefs: 001B9412

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 4668873f0e45675180872bb6b7db3755847cb4606c81a810925c4fd5a0ab46b5
Instruction ID: 1c728d131f191dae5faaf4d4a6b96bd8241c7f3d097ef284cb9c6d713fe3ffd5
Opcode Fuzzy Hash: 4668873f0e45675180872bb6b7db3755847cb4606c81a810925c4fd5a0ab46b5
Instruction Fuzzy Hash: 0CE1AF31908341CFD724DF24C885AAEB7E0BF95314F14896DF9999B2A2DB31DD06CB92

Function 0015920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00159BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00159BB2

BeginPaint.USER32(?,?,?), ref: 00159241
GetWindowRect.USER32(?,?), ref: 001592A5
ScreenToClient.USER32(?,?), ref: 001592C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001592D3
EndPaint.USER32(?,?,?,?,?), ref: 00159321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 001971EA

Part of subcall function 00159339: BeginPath.GDI32(00000000), ref: 00159357

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 56f2443b5a2b27e95e3c2da249fb227a5a79e7e23c7562529c89cd88912b83ec
Instruction ID: 20186f4a64eb0482e4bc77d3d05a0de85db34e288e6a233ab7d8021b93973278
Opcode Fuzzy Hash: 56f2443b5a2b27e95e3c2da249fb227a5a79e7e23c7562529c89cd88912b83ec
Instruction Fuzzy Hash: 9E419F70105201EFDB11DF24DC88FBA7BB8EF65321F144669FA648B2E1C7319849DBA2

Function 001B07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 001B080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 001B0847
EnterCriticalSection.KERNEL32(?), ref: 001B0863
LeaveCriticalSection.KERNEL32(?), ref: 001B08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 001B08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 001B0921

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 2fa4d86f812dff7366fff869e62d151aea65344f87fbe22515533d7f0530afb6
Instruction ID: 0dafaaaf3d78f8e631364f494d3261d669c39281e351c62efe325d4a91f05a46
Opcode Fuzzy Hash: 2fa4d86f812dff7366fff869e62d151aea65344f87fbe22515533d7f0530afb6
Instruction Fuzzy Hash: 16416771900205EFDF15AF54DC85AAAB7B8FF08300F1480A9ED04AE297DB30DE65DBA0

Function 001B581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00143AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00143A97,?,?,00142E7F,?,?,?,00000000), ref: 00143AC2

_wcslen.LIBCMT ref: 001B587B
CoInitialize.OLE32(00000000), ref: 001B5995
CoCreateInstance.OLE32(001DFCF8,00000000,00000001,001DFB68,?), ref: 001B59AE
CoUninitialize.OLE32 ref: 001B59CC

Strings

.lnk, xrefs: 001B5876, 001B58C1, 001B5985

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: d92b0d2b1fc2d4c34a1f594ddceedabe74a243db25a2a09acfd0db51eb603408
Instruction ID: 465dcef2bec761cc446729eb2e2aaa5828e7ffa1e4fcec2ecfde571fef14fffb
Opcode Fuzzy Hash: d92b0d2b1fc2d4c34a1f594ddceedabe74a243db25a2a09acfd0db51eb603408
Instruction Fuzzy Hash: 4DD15371A087019FC714DF25C480A6ABBE2FF99714F14885DF88A9B3A1DB31ED45CB92

Function 001A175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001A0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001A0FCA
Part of subcall function 001A0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001A0FD6
Part of subcall function 001A0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001A0FE5
Part of subcall function 001A0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001A0FEC
Part of subcall function 001A0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001A1002

GetLengthSid.ADVAPI32(?,00000000,001A1335), ref: 001A17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 001A17BA
HeapAlloc.KERNEL32(00000000), ref: 001A17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 001A17DA
GetProcessHeap.KERNEL32(00000000,00000000,001A1335), ref: 001A17EE
HeapFree.KERNEL32(00000000), ref: 001A17F5

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 9fc60a273891cbe8f08ba23600f910ed88e668aa4fb8ec21fff32d14ee57d3bf
Instruction ID: 9233824b97e43039dd6206560ed50c20bf298fa234a953557d8246b5bb7bb808
Opcode Fuzzy Hash: 9fc60a273891cbe8f08ba23600f910ed88e668aa4fb8ec21fff32d14ee57d3bf
Instruction Fuzzy Hash: 0911BB7A602216FFDF109FE4CC49FAE7BA9EB46355F104419F481A7290C736A980CBA0

Function 001A14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001A14FF
OpenProcessToken.ADVAPI32(00000000), ref: 001A1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 001A1515
CloseHandle.KERNEL32(00000004), ref: 001A1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001A154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 001A1563

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: d8770f432cfb10d96dd1f8736415a29e02b905b25c58b5ba2b393aeba456dff3
Instruction ID: 751cece25b181282f6cc7389158ff1a0d4f230db5077c05fa69436e24f8fad9a
Opcode Fuzzy Hash: d8770f432cfb10d96dd1f8736415a29e02b905b25c58b5ba2b393aeba456dff3
Instruction Fuzzy Hash: A311297650620ABBDF118FA8DD49BDE7BA9EF4A744F044515FA05A20A0C375CEA0DBA0

Function 00163382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00163379,00162FE5), ref: 00163390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0016339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001633B7
SetLastError.KERNEL32(00000000,?,00163379,00162FE5), ref: 00163409

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: de923078f5e4a79dd154428cd1fb372f698848b67b2891b13e9d865f092bf6db
Instruction ID: 14213ea198344c4c2d10f5439ea8380d50ec1da46598180dd96340ed6a840bcf
Opcode Fuzzy Hash: de923078f5e4a79dd154428cd1fb372f698848b67b2891b13e9d865f092bf6db
Instruction Fuzzy Hash: 0901D432609311BEEA292775BC895776A95FB25379730032AF530812F1EF114E31D594

Function 00172D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00175686,00183CD6,?,00000000,?,00175B6A,?,?,?,?,?,0016E6D1,?,00208A48), ref: 00172D78
_free.LIBCMT ref: 00172DAB
_free.LIBCMT ref: 00172DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0016E6D1,?,00208A48,00000010,00144F4A,?,?,00000000,00183CD6), ref: 00172DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0016E6D1,?,00208A48,00000010,00144F4A,?,?,00000000,00183CD6), ref: 00172DEC
_abort.LIBCMT ref: 00172DF2

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: bb9f149a9a5b3820d6c0cbabfdab3c3d9fa29c76c9b97387269fec732e3031f2
Instruction ID: ca17791e81ac7f7d876e6cb6d0ed3a49a9a2120bda4251c7a95b7cfd6ed5e23b
Opcode Fuzzy Hash: bb9f149a9a5b3820d6c0cbabfdab3c3d9fa29c76c9b97387269fec732e3031f2
Instruction Fuzzy Hash: 99F0283190660137C63223B8FC0AE5A2679BFD67A0F25C519F82C932D2EF3088835160

Function 001D8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00159639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00159693
Part of subcall function 00159639: SelectObject.GDI32(?,00000000), ref: 001596A2
Part of subcall function 00159639: BeginPath.GDI32(?), ref: 001596B9
Part of subcall function 00159639: SelectObject.GDI32(?,00000000), ref: 001596E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 001D8A4E
LineTo.GDI32(?,00000003,00000000), ref: 001D8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 001D8A70
LineTo.GDI32(?,00000000,00000003), ref: 001D8A80
EndPath.GDI32(?), ref: 001D8A90
StrokePath.GDI32(?), ref: 001D8AA0

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 787e76599ef28169db259e38e70c7aa8e66302af84bb37a0f8376e7d78949290
Instruction ID: f2454bce6cc8d2b1fc4e116792ca53115b62eb05fd2c690babb87fb12f3a3368
Opcode Fuzzy Hash: 787e76599ef28169db259e38e70c7aa8e66302af84bb37a0f8376e7d78949290
Instruction Fuzzy Hash: 8911177600114DFFEF129F90EC88EEA7F6CEB08350F008422BA199A1A1C7719D95DFA0

Function 001A51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001A5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 001A5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001A5230
ReleaseDC.USER32(00000000,00000000), ref: 001A5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 001A524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 001A5261

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 23f0b48c61f35c91e09b09e30ed5611a233648a20efd3fd474a263bffc3adbc1
Instruction ID: f5fa2e34d23a33b80722e441425945392f7a5c14b67d42afff1e193793b6f10d
Opcode Fuzzy Hash: 23f0b48c61f35c91e09b09e30ed5611a233648a20efd3fd474a263bffc3adbc1
Instruction Fuzzy Hash: CF018F75A02719BBEB109BA59C49B4EBFB8EF48751F044466FA04A7680D6709800CBA0

Function 00141BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00141BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00141BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00141C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00141C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00141C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00141C22

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 3df470a4c8971bf68d764f61c102369d32f54d12e3a180597862afff246dffa6
Instruction ID: 04f18855b94cbeee8cff9c74a0303c482cb0212186a562249e4aa1444964351e
Opcode Fuzzy Hash: 3df470a4c8971bf68d764f61c102369d32f54d12e3a180597862afff246dffa6
Instruction Fuzzy Hash: FB016CB090275A7DE3008F5A8C85B52FFA8FF19354F00411B915C47A41C7F5A864CBE5

Function 001AEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 001AEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 001AEB46
GetWindowThreadProcessId.USER32(?,?), ref: 001AEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001AEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001AEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001AEB75

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: f6b43f29fd0ae545836bc3a053df73e543ec774e162d77a405ad738edfb1ba58
Instruction ID: 6d32b737476b859dd11ee4233c81d35ddbcd0b2afa69746fdacc5591ff5178e1
Opcode Fuzzy Hash: f6b43f29fd0ae545836bc3a053df73e543ec774e162d77a405ad738edfb1ba58
Instruction Fuzzy Hash: 79F09072143129BBEB205B529C0DEEF3B7CEFCAB11F00055AF601D1590D7A05A41C6F4

Function 001A1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 001A187F
UnloadUserProfile.USERENV(?,?), ref: 001A188B
CloseHandle.KERNEL32(?), ref: 001A1894
CloseHandle.KERNEL32(?), ref: 001A189C
GetProcessHeap.KERNEL32(00000000,?), ref: 001A18A5
HeapFree.KERNEL32(00000000), ref: 001A18AC

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: a203ea22ef358bf600f5cf768a4c904509b866a0bc5525d59ecfe0985be25ade
Instruction ID: eac9086b978282eb27bd35878d80d1d2663d3aa78684909bb9b9442383c5fed9
Opcode Fuzzy Hash: a203ea22ef358bf600f5cf768a4c904509b866a0bc5525d59ecfe0985be25ade
Instruction Fuzzy Hash: AAE0ED36046112FBDB016FA1ED0C905BF39FF497227108A22F225818B0CB3254A0DF90

Function 0014BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0014BEB3

Strings

D%!, xrefs: 0014BE9A
D%!, xrefs: 0014BCA2
D%!, xrefs: 0014BDED, 0014BD91, 0014BD1B
D%!D%!, xrefs: 0014BCA5

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%!$D%!$D%!$D%!D%!
API String ID: 1385522511-4080940547
Opcode ID: 00fc5db57fa7c214ee4fd5667caf830a807294ff9bae606d2a33032af49ff0e7
Instruction ID: 0be75612581abf159567d1f67f6ddcf56f2f15a2cc3c0d32f5593f7d56d7d80c
Opcode Fuzzy Hash: 00fc5db57fa7c214ee4fd5667caf830a807294ff9bae606d2a33032af49ff0e7
Instruction Fuzzy Hash: 8C914D75A08206DFCB18CF98C0D06A9B7F2FF68314F658169E945AB360E731ED91CB90

Function 001AC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00147620: _wcslen.LIBCMT ref: 00147625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001AC6EE
_wcslen.LIBCMT ref: 001AC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001AC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 001AC7CA

Strings

0, xrefs: 001AC6AF

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: e4eab5678fc74168b60c80201e63fce94c4e569ea39121595b9e05ac1557974d
Instruction ID: 76e270ea9cfa44f7fa059bc12ae472da7ccec0b29de54ffff4100a72940873a1
Opcode Fuzzy Hash: e4eab5678fc74168b60c80201e63fce94c4e569ea39121595b9e05ac1557974d
Instruction Fuzzy Hash: 895101796043019BD715DF68C885BAB77E8AF5A310F040A2DF9A5D32A0DB70D844CFD2

Function 001CAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 001CAEA3

Part of subcall function 00147620: _wcslen.LIBCMT ref: 00147625

GetProcessId.KERNEL32(00000000), ref: 001CAF38
CloseHandle.KERNEL32(00000000), ref: 001CAF67

Strings

<, xrefs: 001CAE6B
@, xrefs: 001CAE72

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: e8b2696b3cdee596c761e8ba4358e9dab51c1527bdf97cd8dee65393ff82388e
Instruction ID: e315f40b1c2bf45d4567b83897d07657b9ee98fbbfb829b9705240656f771995
Opcode Fuzzy Hash: e8b2696b3cdee596c761e8ba4358e9dab51c1527bdf97cd8dee65393ff82388e
Instruction Fuzzy Hash: 87714570A00619DFCB15DFA4D485A9EBBB0FF18318F44889DE816AB3A2C774ED45CB91

Function 001D6278 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0115D9E8,?), ref: 001D62E2
ScreenToClient.USER32(?,?), ref: 001D6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 001D6382

Strings

@U=u, xrefs: 001D63DD

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: @U=u
API String ID: 3880355969-2594219639
Opcode ID: abd356eaccd988d4c34e105561bd75bc3ee036f10033c7fc6fcee41c9977729a
Instruction ID: b982cb899cb9af679a022a45213fc89b706688e0e672f8a7e86b6014c2347c61
Opcode Fuzzy Hash: abd356eaccd988d4c34e105561bd75bc3ee036f10033c7fc6fcee41c9977729a
Instruction Fuzzy Hash: 58512C75A00209AFCF14DF68D8849AE7BB5FF55360F10825AF959973A0D730ED91CB90

Function 001A2716 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001AB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001A21D0,?,?,00000034,00000800,?,00000034), ref: 001AB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 001A2760

Part of subcall function 001AB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001A21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 001AB3F8

Part of subcall function 001AB32A: GetWindowThreadProcessId.USER32(?,?), ref: 001AB355
Part of subcall function 001AB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,001A2194,00000034,?,?,00001004,00000000,00000000), ref: 001AB365
Part of subcall function 001AB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,001A2194,00000034,?,?,00001004,00000000,00000000), ref: 001AB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001A27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001A281A

Strings

@, xrefs: 001A2832
@U=u, xrefs: 001A2760, 001A27CD, 001A281A

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @$@U=u
API String ID: 4150878124-826235744
Opcode ID: 08d33ada49225c7ee8b6a5afa9991417f3cb84114bb28f8d03a74277def9c077
Instruction ID: 749c1f983208ed85fa35b5715582d1531fc416ee48ea5c42dfdef7e1f5811108
Opcode Fuzzy Hash: 08d33ada49225c7ee8b6a5afa9991417f3cb84114bb28f8d03a74277def9c077
Instruction Fuzzy Hash: FB413D76901218BFDB10DFA4CD81AEEBBB8EF1A300F004055FA55B7191DB706E85CBA0

Function 001A719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 001A7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 001A723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 001A724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001A72CF

Strings

DllGetClassObject, xrefs: 001A7242

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: b2ea579c56065e2fde32426f4c42fcc7eb3a74434b02ab9b7f8caede35e8b531
Instruction ID: aa7e0097a290af099ba0943e1f4afdafb24857302925213d5e954f4b5481cd2a
Opcode Fuzzy Hash: b2ea579c56065e2fde32426f4c42fcc7eb3a74434b02ab9b7f8caede35e8b531
Instruction Fuzzy Hash: 85417F75605204EFDB15CF54CC84BAA7BA9EF46310F1580AEBD059F28AD7B0DA45CBA0

Function 001D52C1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 001D5352
GetWindowLongW.USER32(?,000000F0), ref: 001D5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001D5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001D53A8

Strings

@U=u, xrefs: 001D5352

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID: @U=u
API String ID: 3340791633-2594219639
Opcode ID: 9601c154b3b1dfc2a8fdc9b8e0f832a4f2c82d3f7880e2dd8e31315c02ec4032
Instruction ID: ae25d632e8096a5f84f41101dc23acbaf8574e5271a1ba6bf53005bc88b44796
Opcode Fuzzy Hash: 9601c154b3b1dfc2a8fdc9b8e0f832a4f2c82d3f7880e2dd8e31315c02ec4032
Instruction Fuzzy Hash: 6631A034A56A08FFEB349E14CC46BE97767BB143D0F584103FA11963E1C7B4A990DB82

Function 001CC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001CC9F1
_wcslen.LIBCMT ref: 001CCA68
_wcslen.LIBCMT ref: 001CCA9E
_wcslen.LIBCMT ref: 001CCAF9
_wcslen.LIBCMT ref: 001CCB2F
_wcslen.LIBCMT ref: 001CCB7F

Strings

HKLM, xrefs: 001CCA98, 001CCA9D
HKEY_LOCAL_MACHINE, xrefs: 001CCA62, 001CCA67

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 23babd145b554640c583cc7dc0e44af5f98f5a63d504c1b1a4cc2f3795ae5a65
Instruction ID: d6dd830afeab02cd03e26565f9c27452d094b78228f239482dfadbc4292316ec
Opcode Fuzzy Hash: 23babd145b554640c583cc7dc0e44af5f98f5a63d504c1b1a4cc2f3795ae5a65
Instruction Fuzzy Hash: 69312833A0056A4BCB20DF6CD844ABF33915BB1754B05402DE85EAB285FB71CD51C3E0

Function 001D2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 001D2F8D
LoadLibraryW.KERNEL32(?), ref: 001D2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 001D2FA9
DestroyWindow.USER32(?), ref: 001D2FB1

Strings

SysAnimate32, xrefs: 001D2F68

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 5b5c83e184013b0539e013550e1770318140807c8ed67a2b0488001b79f29278
Instruction ID: f4a21e3fae250efe555454abfa372c7e4b1ef116dab39c9baa9334b414df2060
Opcode Fuzzy Hash: 5b5c83e184013b0539e013550e1770318140807c8ed67a2b0488001b79f29278
Instruction Fuzzy Hash: 4B219D71204205AFEB104F64DC84EBB77BDEF69368F104A1AFA64D72A0D771DC91A760

Function 001D5660 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 001D56BB
_wcslen.LIBCMT ref: 001D56CD
_wcslen.LIBCMT ref: 001D56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 001D5816

Strings

@U=u, xrefs: 001D56BB, 001D5816

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend_wcslen
String ID: @U=u
API String ID: 455545452-2594219639
Opcode ID: 7a67e468f5b02eb0d94a754705ca2e393712d5410bccd5a856be6aedceef4dae
Instruction ID: 62e257a65f5c3aa068c61cd54e9b63701686403b82bc5f2afe58c233a2e42568
Opcode Fuzzy Hash: 7a67e468f5b02eb0d94a754705ca2e393712d5410bccd5a856be6aedceef4dae
Instruction Fuzzy Hash: 1B11D375A0161896DF209F65CC85AEE7BBCEF21764B10852BF915D6281EB70CA84CF60

Function 0014600E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0014604C
GetStockObject.GDI32(00000011), ref: 00146060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0014606A

Strings

@U=u, xrefs: 0014606A

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID: @U=u
API String ID: 3970641297-2594219639
Opcode ID: 2750fbe99486142f832b1a47af18c1e6f0f3e3a547ccec292ebd17dad5c640e8
Instruction ID: 7cad1087c4379e5f857ffa487a2a79b1fac1f05d4f21aa3206c8b460decf9cb2
Opcode Fuzzy Hash: 2750fbe99486142f832b1a47af18c1e6f0f3e3a547ccec292ebd17dad5c640e8
Instruction Fuzzy Hash: F3116172502509BFEF125F94DC44EEABB69EF19359F040216FA1452120D736DCA0DB91

Function 00164D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00164D1E,001728E9,?,00164CBE,001728E9,002088B8,0000000C,00164E15,001728E9,00000002), ref: 00164D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00164DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00164D1E,001728E9,?,00164CBE,001728E9,002088B8,0000000C,00164E15,001728E9,00000002,00000000), ref: 00164DC3

Strings

CorExitProcess, xrefs: 00164D98
mscoree.dll, xrefs: 00164D86

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e637611abeb4145332be7343c73b41216a98dd9a7a7beafe9327de555506aa3b
Instruction ID: 86544713685fa0ff5a29202d56e132bbbd5f18b6d60a5fb7b2e94b324188014b
Opcode Fuzzy Hash: e637611abeb4145332be7343c73b41216a98dd9a7a7beafe9327de555506aa3b
Instruction Fuzzy Hash: 89F0AF30A02219FBDB119F90DC09BEEBBB9EF58751F0001A9F805A2660CF705A90CAD0

Function 00144E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00144EDD,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00144EAE
FreeLibrary.KERNEL32(00000000,?,?,00144EDD,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00144EA8
kernel32.dll, xrefs: 00144E94

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: f445f8c4b39db2a83dc8b67c142f883d2a9b35872534c83c37c34ee1e40313ec
Instruction ID: e4603957b4ea70a44fbef1215d1484e31a3027cd14164c4b9b5fd79182ab8d70
Opcode Fuzzy Hash: f445f8c4b39db2a83dc8b67c142f883d2a9b35872534c83c37c34ee1e40313ec
Instruction Fuzzy Hash: CDE08635A03633DBD22117256C1CB9B6658AF81B627050516FC00E2261DF64CD41C4E4

Function 00144E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00183CDE,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00144E74
FreeLibrary.KERNEL32(00000000,?,?,00183CDE,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144E87

Strings

kernel32.dll, xrefs: 00144E5B
Wow64RevertWow64FsRedirection, xrefs: 00144E6E

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: b3db7d5537931450275d3128aa5a242d7ee3cb2ae430db0c5980829f91da0558
Instruction ID: 416c1ee14c3a97bcd3e34482b7aa9318eb2d1228ee8edb31ab6c44eb28be443c
Opcode Fuzzy Hash: b3db7d5537931450275d3128aa5a242d7ee3cb2ae430db0c5980829f91da0558
Instruction Fuzzy Hash: 08D0123550363397AA221B256C18ECB6B1CAF85B513050A17B905F3165CF64CD41C5D0

Function 001CA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 001CA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 001CA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 001CA468
CloseHandle.KERNEL32(?), ref: 001CA63D

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: cfa8482ddde0989381df944357ff9ce45107206ffa0e3b78ad22f3ce0a9c5b06
Instruction ID: 459b8f0e9ba944c1eed03ae40668bf748c302d47a2b2335143f54de1c30e3a31
Opcode Fuzzy Hash: cfa8482ddde0989381df944357ff9ce45107206ffa0e3b78ad22f3ce0a9c5b06
Instruction Fuzzy Hash: 2FA1B1716043019FD721DF28C886F2AB7E1AF98718F54881DF96A9B392D771EC45CB82

Function 0017BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,001E3700), ref: 0017BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0021121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0017BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00211270,000000FF,?,0000003F,00000000,?), ref: 0017BC36
_free.LIBCMT ref: 0017BB7F

Part of subcall function 001729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000), ref: 001729DE
Part of subcall function 001729C8: GetLastError.KERNEL32(00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000,00000000), ref: 001729F0

_free.LIBCMT ref: 0017BD4B

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: c98f79dc140429f3cfc5f78b6f84dc84c0220dc631eabd81b90122caea9db230
Instruction ID: 848cd77af235fae4ef79780425fedc6c0f43b3940f3ddfcb327472920e0b4d28
Opcode Fuzzy Hash: c98f79dc140429f3cfc5f78b6f84dc84c0220dc631eabd81b90122caea9db230
Instruction Fuzzy Hash: 53510971908219AFCB10EF65DCC5AAEB7BCEF54310F10C26AE918D7191EB305E81CB50

Function 001AE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001ADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001ACF22,?), ref: 001ADDFD

Part of subcall function 001ADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001ACF22,?), ref: 001ADE16

Part of subcall function 001AE199: GetFileAttributesW.KERNEL32(?,001ACF95), ref: 001AE19A

lstrcmpiW.KERNEL32(?,?), ref: 001AE473
MoveFileW.KERNEL32(?,?), ref: 001AE4AC
_wcslen.LIBCMT ref: 001AE5EB
_wcslen.LIBCMT ref: 001AE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 001AE650

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 2fe466882ab8938c04caf03284eefd6d8cb8f3c10a7316b4bcdc56fbc4d3958b
Instruction ID: c46419c78065040ceb723dfcee605ee0fc51b6527289aa40f54b454da4aef3f2
Opcode Fuzzy Hash: 2fe466882ab8938c04caf03284eefd6d8cb8f3c10a7316b4bcdc56fbc4d3958b
Instruction Fuzzy Hash: 1A5177B64083459BC724EBA4DC819DFB3ECAF95340F00491EF589D3191EF74A688C766

Function 001CB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

Part of subcall function 001CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001CB6AE,?,?), ref: 001CC9B5
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CC9F1
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CCA68
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001CBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001CBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 001CBB63
RegCloseKey.ADVAPI32(?,?), ref: 001CBBA6
RegCloseKey.ADVAPI32(00000000), ref: 001CBBB3

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: d552b8af5698e4a5a00f29116718e6429a796deed8ee71f6da898d4f7d971c52
Instruction ID: 72d95ab3595897a5baead23a26cd3705e1a86980a4293510d4bbc0da26168f13
Opcode Fuzzy Hash: d552b8af5698e4a5a00f29116718e6429a796deed8ee71f6da898d4f7d971c52
Instruction Fuzzy Hash: 85614831209241AFD714DF24C4D1F2ABBE5BF94308F54895DF49A8B2A2DB31ED45CB92

Function 001A8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001A8BCD
VariantClear.OLEAUT32 ref: 001A8C3E
VariantClear.OLEAUT32 ref: 001A8C9D
VariantClear.OLEAUT32(?), ref: 001A8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 001A8D3B

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 7ebed7fc21fc50eb0b2cc193355692db47bd7876b280dbb972aa460ee9b4a7df
Instruction ID: 048c8e28eb2deb29c1415dd87a6122ce19330172609013ebe90f6b3d131b5f67
Opcode Fuzzy Hash: 7ebed7fc21fc50eb0b2cc193355692db47bd7876b280dbb972aa460ee9b4a7df
Instruction Fuzzy Hash: EE516AB5A0121AEFCB14CF68C894AAAB7F8FF89310B158559F905DB354E730E911CF90

Function 001B8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 001B8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 001B8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 001B8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 001B8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 001B8C5F

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 6ae1b49de9de15bfc947cf67360fd0b5ebbd415156805793e558de621da8ec8d
Instruction ID: 738a4f78af8089a40e3b549cb8c7be5e98ad8a94728736a62a3a9e58922b4337
Opcode Fuzzy Hash: 6ae1b49de9de15bfc947cf67360fd0b5ebbd415156805793e558de621da8ec8d
Instruction Fuzzy Hash: C1512875A002159FCB05DF65C881AAABBF5FF48314F088459E849AB3B2DB35ED51CB90

Function 001C8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 001C8F40
GetProcAddress.KERNEL32(00000000,?), ref: 001C8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 001C8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 001C9032
FreeLibrary.KERNEL32(00000000), ref: 001C9052

Part of subcall function 0015F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,001B1043,?,75B8E610), ref: 0015F6E6
Part of subcall function 0015F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0019FA64,00000000,00000000,?,?,001B1043,?,75B8E610,?,0019FA64), ref: 0015F70D

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: ce8d13a4050b1d7f0f5d254d45da252827499b6547bff89c8d586ae3e7067022
Instruction ID: 14fa0a7a4b2b2640e162c758637414073ca3406c4294e3050a6cd54f33537709
Opcode Fuzzy Hash: ce8d13a4050b1d7f0f5d254d45da252827499b6547bff89c8d586ae3e7067022
Instruction Fuzzy Hash: D2513534A05215DFCB05DF58C484DADBBB1FF69314B0980A9E80A9B762DB31ED86CB90

Function 00172051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001720C3
_free.LIBCMT ref: 001720E3

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ab8ae8fc89a6dfd9b0ce37625ec2355d6c357b6f443d29ba13e3b0529de5367d
Instruction ID: 511fc9405644cc3c8be0d579a4c476cf79d1799ccfefca453c055531b734c222
Opcode Fuzzy Hash: ab8ae8fc89a6dfd9b0ce37625ec2355d6c357b6f443d29ba13e3b0529de5367d
Instruction Fuzzy Hash: D041C472A002009FCB24DF78C881A5DB7F5FF99314F658569EA19EB352D731AD02CB91

Function 0015912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00159141
ScreenToClient.USER32(00000000,?), ref: 0015915E
GetAsyncKeyState.USER32(00000001), ref: 00159183
GetAsyncKeyState.USER32(00000002), ref: 0015919D

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 0c78fd69e341537e95090f969521461aee359297f8da3e9c0f3de2285a32b5f6
Instruction ID: cf3c5d04cdf6d6649ee2d0940100e0808dd794b2e223732ec346386997748ebf
Opcode Fuzzy Hash: 0c78fd69e341537e95090f969521461aee359297f8da3e9c0f3de2285a32b5f6
Instruction Fuzzy Hash: C6413D71A0861AEBDF199F64C884BEEB774FF15321F208226E835A62D0C7306954CB91

Function 001B3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001B38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 001B3922
TranslateMessage.USER32(?), ref: 001B394B
DispatchMessageW.USER32(?), ref: 001B3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001B3966

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: ffc6c4c8c4aca65f6e6c2dc88fb38cecc2bc6f1aadd4c6e081a5b555d55c9a92
Instruction ID: 6169710d6442e2d840355b458237d5f9afc364e468d29a0b7d910f21c35d30de
Opcode Fuzzy Hash: ffc6c4c8c4aca65f6e6c2dc88fb38cecc2bc6f1aadd4c6e081a5b555d55c9a92
Instruction Fuzzy Hash: E131C970905342EEEB39CB34EC4CBF637A8AB15308F44456DE572C21A0EBB5A6A5CB51

Function 001BCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,001BC21E,00000000), ref: 001BCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 001BCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,001BC21E,00000000), ref: 001BCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,001BC21E,00000000), ref: 001BCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,001BC21E,00000000), ref: 001BCFF2

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: fb1c051991907e699af8912bbe281adfc880ddf74f5cc2037993b71753f07c9a
Instruction ID: 409c3da3017ef487ff03cd6fdf6860466e65024d0afdf95f022c9b8384eeebdb
Opcode Fuzzy Hash: fb1c051991907e699af8912bbe281adfc880ddf74f5cc2037993b71753f07c9a
Instruction Fuzzy Hash: 2A314A71A01206EFDB24DFA9C884ABBBBF9EB14351B1044AEF516D2140DB30EE41DBE0

Function 001A1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001A1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 001A19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 001A19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 001A19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 001A19E2

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 7eb3d221852dd1504be6157637e4e55cb36e725b6bb549375773801769f97274
Instruction ID: 7129e8bb277980fcbdf2716e68697975dffc3b8dae75db30350af627a778f020
Opcode Fuzzy Hash: 7eb3d221852dd1504be6157637e4e55cb36e725b6bb549375773801769f97274
Instruction Fuzzy Hash: 0C31BF76A0121AFFCB04CFA8CD99ADF3BB5EB05319F104629F921AB2D1C7709944CB90

Function 001C0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 001C0951
GetForegroundWindow.USER32 ref: 001C0968
GetDC.USER32(00000000), ref: 001C09A4
GetPixel.GDI32(00000000,?,00000003), ref: 001C09B0
ReleaseDC.USER32(00000000,00000003), ref: 001C09E8

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: dd68991fc65110b58f974b20f5167959b8c23c92481e12df93244074ea06b892
Instruction ID: 06abff5f4db7880bf46fd86864ab1dd2b96cab482a5d338267405614c1a7e305
Opcode Fuzzy Hash: dd68991fc65110b58f974b20f5167959b8c23c92481e12df93244074ea06b892
Instruction Fuzzy Hash: 5F216D35601214AFD704EF69D894AAEBBF9EF58700F04846DE84AD7762CB30EC44CB90

Function 0017CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0017CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0017CDE9

Part of subcall function 00173820: RtlAllocateHeap.NTDLL(00000000,?,00211444,?,0015FDF5,?,?,0014A976,00000010,00211440,001413FC,?,001413C6,?,00141129), ref: 00173852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0017CE0F
_free.LIBCMT ref: 0017CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0017CE31

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a6d71c3c789eb4840dc6fa0122ea8ae842e790c6e3a578a66333b14603260342
Instruction ID: 2896922f7597f20aead732477500c8189541378f21f8869c9c66a1f78ee66317
Opcode Fuzzy Hash: a6d71c3c789eb4840dc6fa0122ea8ae842e790c6e3a578a66333b14603260342
Instruction Fuzzy Hash: EF0184726076267F272116BA6C88D7B6E7DEFC6BA1315812EF909C7201EF618D0291F0

Function 00159639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00159693
SelectObject.GDI32(?,00000000), ref: 001596A2
BeginPath.GDI32(?), ref: 001596B9
SelectObject.GDI32(?,00000000), ref: 001596E2

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b5017d9f9ce28acf6cf9b66b53fdaf7e7d58804ba2aeab299a8a7e63d4b62fdf
Instruction ID: 4c4216d9843a8d482bf6d12be46c74766313349f713eb1e277dcaa4787e630cd
Opcode Fuzzy Hash: b5017d9f9ce28acf6cf9b66b53fdaf7e7d58804ba2aeab299a8a7e63d4b62fdf
Instruction Fuzzy Hash: 07219270802346EFDB119F24EC197E97BA9BF20316F108616F930AA1B0D77458A9CFD1

Function 001A5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 001A5726
_memcmp.LIBVCRUNTIME ref: 001A5744
_memcmp.LIBVCRUNTIME ref: 001A5757
_memcmp.LIBVCRUNTIME ref: 001A576F
_memcmp.LIBVCRUNTIME ref: 001A5787

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 2daf661379563ecf5d41d4441b0b11d30eb02da1052cb25b747733112563a002
Instruction ID: 1eaab63fb4e31776fdbd0f8182779a1821fed5a5ac948935331f3bd3e3c22a90
Opcode Fuzzy Hash: 2daf661379563ecf5d41d4441b0b11d30eb02da1052cb25b747733112563a002
Instruction Fuzzy Hash: 8B01F969245A05FBD31851509D42FBB735FAB323B4F844025FD16BA341F720EE2182A0

Function 00172DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0016F2DE,00173863,00211444,?,0015FDF5,?,?,0014A976,00000010,00211440,001413FC,?,001413C6), ref: 00172DFD
_free.LIBCMT ref: 00172E32
_free.LIBCMT ref: 00172E59
SetLastError.KERNEL32(00000000,00141129), ref: 00172E66
SetLastError.KERNEL32(00000000,00141129), ref: 00172E6F

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 11bef305e79861f097167cdfa5eeb988d30b745a7be8f4db9664268ac17dbafe
Instruction ID: 365a92885f1505d1bea3dc619ccf034290e41947a028d632bdb814cb034c71b6
Opcode Fuzzy Hash: 11bef305e79861f097167cdfa5eeb988d30b745a7be8f4db9664268ac17dbafe
Instruction Fuzzy Hash: F901283220660077CA2367347C49D2B267DABE53B5B35C529F82DA32D3EF708C835060

Function 001A000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0019FF41,80070057,?,?,?,001A035E), ref: 001A002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0019FF41,80070057,?,?), ref: 001A0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0019FF41,80070057,?,?), ref: 001A0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0019FF41,80070057,?), ref: 001A0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0019FF41,80070057,?,?), ref: 001A0070

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 3e1443d3ae695b44ecbc2305535419a29d1f26805d93b5360452a5e2387e7954
Instruction ID: d49d50932769904c480542d777875eff261b5772db05a32a7e48dfe1e1202699
Opcode Fuzzy Hash: 3e1443d3ae695b44ecbc2305535419a29d1f26805d93b5360452a5e2387e7954
Instruction Fuzzy Hash: D101F27A602205BFDB124F68DD04FAABBEEEF48391F104529F901D2210D770CD80DBA0

Function 001AE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 001AE997
QueryPerformanceFrequency.KERNEL32(?), ref: 001AE9A5
Sleep.KERNEL32(00000000), ref: 001AE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 001AE9B7
Sleep.KERNEL32 ref: 001AE9F3

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: b32fc3f218b8e1b3138e89ae8873a42bcbb3fb547bc835d9c665b419d39f6e9b
Instruction ID: db1c8caa1e2102530ea7501b3dee6dddc860311284dbe74bec94bc30cec00fb1
Opcode Fuzzy Hash: b32fc3f218b8e1b3138e89ae8873a42bcbb3fb547bc835d9c665b419d39f6e9b
Instruction Fuzzy Hash: CA012D35C0262ADBCF04AFE5DC59AEEBBB8FF0A705F010556E502B2141CB309595CBA1

Function 001A10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001A1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,001A0B9B,?,?,?), ref: 001A1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001A0B9B,?,?,?), ref: 001A112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001A0B9B,?,?,?), ref: 001A1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001A114D

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: cde9b4f19e60568cc8a9ed165c8b14532787b8bf578c5716537d771718e99ead
Instruction ID: ef5ae7a19fccac4a53a8549c562b17593cd2aff11d7541275e48e24880e3444c
Opcode Fuzzy Hash: cde9b4f19e60568cc8a9ed165c8b14532787b8bf578c5716537d771718e99ead
Instruction Fuzzy Hash: 46011D79102216FFDB114F75DC49A6A3B6EEF86364B144815FA45D7350DB31DC40DAA0

Function 001A0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001A0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001A0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001A0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001A0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001A1002

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 7dbab17680c4c3a629cbe0d5a65dc6fa1cd06d32e488a280efcaecc1d674e19e
Instruction ID: 36eecdb303f24a5080bf07d7fee4d4d44e64a6f04fb4b02385b1ca37fae30a35
Opcode Fuzzy Hash: 7dbab17680c4c3a629cbe0d5a65dc6fa1cd06d32e488a280efcaecc1d674e19e
Instruction Fuzzy Hash: 42F04F39142312FBDB214FA49D49F563B6DEF8A761F114815F945C6291CA70DC80CAA0

Function 001A1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001A102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001A1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001A1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001A104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001A1062

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: fabe85b325c16d688c742479f256530f24b35262516c1a1a91faf79f8ad9d7bb
Instruction ID: 729f6a2802812dce4a6cae013d444cf7baf37c0e6f94bfc4944f4a241ab00c36
Opcode Fuzzy Hash: fabe85b325c16d688c742479f256530f24b35262516c1a1a91faf79f8ad9d7bb
Instruction Fuzzy Hash: A2F06239142312FBDB215FA4ED49F563B6DFF8A761F210815F945C7290CB70D880CAA0

Function 001B030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,001B017D,?,001B32FC,?,00000001,00182592,?), ref: 001B0324
CloseHandle.KERNEL32(?,?,?,?,001B017D,?,001B32FC,?,00000001,00182592,?), ref: 001B0331
CloseHandle.KERNEL32(?,?,?,?,001B017D,?,001B32FC,?,00000001,00182592,?), ref: 001B033E
CloseHandle.KERNEL32(?,?,?,?,001B017D,?,001B32FC,?,00000001,00182592,?), ref: 001B034B
CloseHandle.KERNEL32(?,?,?,?,001B017D,?,001B32FC,?,00000001,00182592,?), ref: 001B0358
CloseHandle.KERNEL32(?,?,?,?,001B017D,?,001B32FC,?,00000001,00182592,?), ref: 001B0365

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 4139a9aaaeba43733d9d6db862cf46174b5ecc8183b672567fa7364dc07c1c32
Instruction ID: 453291862663ee58c0ed70cd700c3788c9a45f121f702e46ace81d0ab0337ce6
Opcode Fuzzy Hash: 4139a9aaaeba43733d9d6db862cf46174b5ecc8183b672567fa7364dc07c1c32
Instruction Fuzzy Hash: 6901EA72801B059FCB32AF66D880843FBF9BF603053058A3FD19252930C3B1A988CF80

Function 0017D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0017D752

Part of subcall function 001729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000), ref: 001729DE
Part of subcall function 001729C8: GetLastError.KERNEL32(00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000,00000000), ref: 001729F0

_free.LIBCMT ref: 0017D764
_free.LIBCMT ref: 0017D776
_free.LIBCMT ref: 0017D788
_free.LIBCMT ref: 0017D79A

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dbc1e45fc0c0881bf4e9ccf3235187f37d02c9ebddf08927e560bceabeae277d
Instruction ID: 91e9830c22ce2dfae0f5f954200b9d5d88e3e6221c7eddfcf762b7f6a86b3b2d
Opcode Fuzzy Hash: dbc1e45fc0c0881bf4e9ccf3235187f37d02c9ebddf08927e560bceabeae277d
Instruction Fuzzy Hash: 20F04F72540318ABC625EB78F9C6C16B7FDBF44318BA88805F14CE7502C730FC818664

Function 001722A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001722BE

Part of subcall function 001729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000), ref: 001729DE
Part of subcall function 001729C8: GetLastError.KERNEL32(00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000,00000000), ref: 001729F0

_free.LIBCMT ref: 001722D0
_free.LIBCMT ref: 001722E3
_free.LIBCMT ref: 001722F4
_free.LIBCMT ref: 00172305

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f3f48c3bebc11e85c1243938bc4d2c1065e58b317cb11f5e8427c1262b8373c8
Instruction ID: 9f4cf643265d4b048a2883b88d2e7d46626ad17dcfb32c570f7eeb5e2434eafe
Opcode Fuzzy Hash: f3f48c3bebc11e85c1243938bc4d2c1065e58b317cb11f5e8427c1262b8373c8
Instruction Fuzzy Hash: ABF030B04012308BC712AF64BC4A8887B74B738750B25C606F518D32B2CF7504A39BA4

Function 001595C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001595D4
StrokeAndFillPath.GDI32(?,?,001971F7,00000000,?,?,?), ref: 001595F0
SelectObject.GDI32(?,00000000), ref: 00159603
DeleteObject.GDI32 ref: 00159616
StrokePath.GDI32(?), ref: 00159631

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: d7340321d79ebb2286abc6f703fc636fc4db473c6bcdedc89a0d3abb955c1fb9
Instruction ID: c75c8f9f451ff6bad523055e8a3fe5321e563a94fd3cd5504cce3c80d8931b84
Opcode Fuzzy Hash: d7340321d79ebb2286abc6f703fc636fc4db473c6bcdedc89a0d3abb955c1fb9
Instruction Fuzzy Hash: 9EF03C34007385EBDB165F69FD1C7A43B61AB10322F04C215FA35594F0CB3089A9DFA1

Function 00170F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 001710F9
__freea.LIBCMT ref: 00171117

Part of subcall function 00171537: _free.LIBCMT ref: 0017154F

Strings

a/p, xrefs: 001711DE
am/pm, xrefs: 0017117A

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: c4c50930bb9c7eb98bb061fd4971f7b9ebab1a2297cad578519205c51eaa33be
Instruction ID: 6c0b2c099d87182f4ff16dc7ebffa8ca8cc38285531f0bc0942887707fb801ee
Opcode Fuzzy Hash: c4c50930bb9c7eb98bb061fd4971f7b9ebab1a2297cad578519205c51eaa33be
Instruction Fuzzy Hash: 60D11231900206EADB289F6CC895BFEB7B5FF05720F29C159E90DAB651D3359D80CBA1

Function 001C61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00160242: EnterCriticalSection.KERNEL32(0021070C,00211884,?,?,0015198B,00212518,?,?,?,001412F9,00000000), ref: 0016024D
Part of subcall function 00160242: LeaveCriticalSection.KERNEL32(0021070C,?,0015198B,00212518,?,?,?,001412F9,00000000), ref: 0016028A

Part of subcall function 001600A3: __onexit.LIBCMT ref: 001600A9

__Init_thread_footer.LIBCMT ref: 001C6238

Part of subcall function 001601F8: EnterCriticalSection.KERNEL32(0021070C,?,?,00158747,00212514), ref: 00160202
Part of subcall function 001601F8: LeaveCriticalSection.KERNEL32(0021070C,?,00158747,00212514), ref: 00160235

Part of subcall function 001B359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001B35E4
Part of subcall function 001B359C: LoadStringW.USER32(00212390,?,00000FFF,?), ref: 001B360A

Strings

x#!, xrefs: 001C636F
x#!, xrefs: 001C633A
x#!, xrefs: 001C6353

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#!$x#!$x#!
API String ID: 1072379062-1188481307
Opcode ID: 965e11a561b9f2fc4be15c527edab38eb9c4b5720245e9d458087bd95a6887da
Instruction ID: 6640d66aa173ab0a0f924f4637b7b6b256548efe18c225b5c36e23d2762b4752
Opcode Fuzzy Hash: 965e11a561b9f2fc4be15c527edab38eb9c4b5720245e9d458087bd95a6887da
Instruction Fuzzy Hash: E2C16971A00109ABCB24DF98C891EAEB7B9EF68340F14806DF9159B291DB70ED55CB90

Function 001C7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00160242: EnterCriticalSection.KERNEL32(0021070C,00211884,?,?,0015198B,00212518,?,?,?,001412F9,00000000), ref: 0016024D
Part of subcall function 00160242: LeaveCriticalSection.KERNEL32(0021070C,?,0015198B,00212518,?,?,?,001412F9,00000000), ref: 0016028A

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

Part of subcall function 001600A3: __onexit.LIBCMT ref: 001600A9

__Init_thread_footer.LIBCMT ref: 001C7BFB

Part of subcall function 001601F8: EnterCriticalSection.KERNEL32(0021070C,?,?,00158747,00212514), ref: 00160202
Part of subcall function 001601F8: LeaveCriticalSection.KERNEL32(0021070C,?,00158747,00212514), ref: 00160235

Strings

Variable must be of type 'Object'., xrefs: 001C7C3A
G, xrefs: 001C7C7F
5, xrefs: 001C7C78

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 0538d1913fc9cd931088610a91fd9318a311e1c2af9a1e1a658480f7e2bfa935
Instruction ID: 409989bda0903a0f302c15e717b2f7a3a37e254df0e2d2e3e9c74889ca42df0a
Opcode Fuzzy Hash: 0538d1913fc9cd931088610a91fd9318a311e1c2af9a1e1a658480f7e2bfa935
Instruction Fuzzy Hash: 77915A70A04209AFCB14EF94D891EBDB7B2AF69300F54805DF8069B292DBB1EE45DB51

Function 0017172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\VsTfsPVrfA.exe,00000104), ref: 00171769
_free.LIBCMT ref: 00171834
_free.LIBCMT ref: 0017183E

Strings

C:\Users\user\Desktop\VsTfsPVrfA.exe, xrefs: 00171760, 00171767, 00171796, 001717CE

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\VsTfsPVrfA.exe
API String ID: 2506810119-893075015
Opcode ID: 08d7852d25cec00e960b4283675515078ac58d08f7642d51255db3fdebae6fd8
Instruction ID: fce55722430450fa2887245692c80eaf782a493cd68275f2ef630f8c73db744c
Opcode Fuzzy Hash: 08d7852d25cec00e960b4283675515078ac58d08f7642d51255db3fdebae6fd8
Instruction Fuzzy Hash: 2E316F71A40218BBDB25DF999885D9EBBFCEBA5310B14816AE90897211DB708A41CB91

Function 001AC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 001AC306
DeleteMenu.USER32(?,00000007,00000000), ref: 001AC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00211990,011553C8), ref: 001AC395

Strings

0, xrefs: 001AC2DF

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 64e57ecb694033376104d46c54aa31e7701561c6e94279b43821aab5ab378cb9
Instruction ID: dcb35d537a9338c044de16deb91eecc945f4c4132f54ed1fb575526816807746
Opcode Fuzzy Hash: 64e57ecb694033376104d46c54aa31e7701561c6e94279b43821aab5ab378cb9
Instruction Fuzzy Hash: CA41C5352083019FDB24DF25D884B6BBBE4BF96310F008A1DF965972D1D770E904CB92

Function 001D4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,001DCC08,00000000,?,?,?,?), ref: 001D44AA
GetWindowLongW.USER32 ref: 001D44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001D44D7

Strings

SysTreeView32, xrefs: 001D447C

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: f6bcb5ae5029a9092c618e4b3bdccdc48eae330685aa43be84136e485ab53025
Instruction ID: 8e42c2e49ac225311bd2e7b0bfa6f2bdd94db44df63a4ec09883645e99bfebeb
Opcode Fuzzy Hash: f6bcb5ae5029a9092c618e4b3bdccdc48eae330685aa43be84136e485ab53025
Instruction Fuzzy Hash: 77319E31210206AFDF208F38DC45BEA77A9EB09334F204716F975922E0D770EC909750

Function 001C304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001C335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,001C3077,?,?), ref: 001C3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001C307A
_wcslen.LIBCMT ref: 001C309B
htons.WSOCK32(00000000,?,?,00000000), ref: 001C3106

Strings

255.255.255.255, xrefs: 001C3095, 001C309A

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 06a0bb487772afe906e6444c99d9217cb0a448d186d216e34b932f46e3e281fc
Instruction ID: 173945ad76c0ba0ad476d1e40bf2277cf21ce2eb61041209446e18ccbed591fd
Opcode Fuzzy Hash: 06a0bb487772afe906e6444c99d9217cb0a448d186d216e34b932f46e3e281fc
Instruction Fuzzy Hash: 8731E7362002059FCB10CF68C485FAA77E0EF64318F29C05DE9268B792DB32DE41C761

Function 001D4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 001D4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 001D4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 001D471A

Strings

msctls_updown32, xrefs: 001D4684

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 4f4987ad6de79eb9d83c8f24e51d908e53108001302b15b80841cf8238937817
Instruction ID: de7d3403f66670bc92df98a2b06595a1a37971c619ebfcbacf42dd74421514e7
Opcode Fuzzy Hash: 4f4987ad6de79eb9d83c8f24e51d908e53108001302b15b80841cf8238937817
Instruction Fuzzy Hash: 0E216DB5601209AFDB10DF64DCC5DB737ADEF5A3A4B04055AFA009B3A1CB31EC61CAA0

Function 001A95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001A961D

Strings

#notrayicon, xrefs: 001A95B7
#requireadmin, xrefs: 001A95D9
#OnAutoItStartRegister, xrefs: 001A95F3

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 34fcb9ab1692cc79862a8a97a77751d04a0d9aa18255a0c7b5494787ef41afb3
Instruction ID: bfa7f76497f60578d843411cb2261d364b948ef7a0b605d2d22b3fe719605d73
Opcode Fuzzy Hash: 34fcb9ab1692cc79862a8a97a77751d04a0d9aa18255a0c7b5494787ef41afb3
Instruction Fuzzy Hash: F021573660422066D335AB349C03FBB73D89FA6300F11442BF94E97181EB51AED6C2D5

Function 001D37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 001D3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 001D3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 001D3876

Strings

Listbox, xrefs: 001D380F

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 315006e30887a9a4f5ac27230553c22aa549127b93415c6da5b67dad42bd81e7
Instruction ID: 5887ea9ba604a68a86806f2a913e453fd3b31b56180094e4b1aeb51c1bc63702
Opcode Fuzzy Hash: 315006e30887a9a4f5ac27230553c22aa549127b93415c6da5b67dad42bd81e7
Instruction Fuzzy Hash: 8021BE72610219BBEF218F54DC85FAB376AEF89750F118126FA109B290CB71EC5297A0

Function 001A223F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001A2258

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001A228A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001A22CA

Strings

@U=u, xrefs: 001A2258, 001A228A, 001A22CA

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID: @U=u
API String ID: 763830540-2594219639
Opcode ID: af92841172fbeabc47d1cd144fb2a742c52ffc77f85e1579f6b9e1ecf61604a1
Instruction ID: 456ea3c0e53963d8a1e8fc4f358344434a8d414caa7c8c46db05704f9d234673
Opcode Fuzzy Hash: af92841172fbeabc47d1cd144fb2a742c52ffc77f85e1579f6b9e1ecf61604a1
Instruction Fuzzy Hash: A721C935701204ABDF149B598D49FEE3BA9EF5B710F044025FA05DB291DB74C945C7A1

Function 001B49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001B4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 001B4A5C
SetErrorMode.KERNEL32(00000000,?,?,001DCC08), ref: 001B4AD0

Strings

%lu, xrefs: 001B4A6F

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 6599b33f3124f64663e4d78b99c4bc344553561b1f02643f0e2e9d1b0fed99fb
Instruction ID: b31b5ab45a94ccba4ff775f5d0f440f77945fea0f93d498c7855ddd872fecf07
Opcode Fuzzy Hash: 6599b33f3124f64663e4d78b99c4bc344553561b1f02643f0e2e9d1b0fed99fb
Instruction Fuzzy Hash: 78315075A00119EFD710DF64C885EAA77F8EF05308F148495F909DB262D771ED46CBA1

Function 001A1B2C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 001A1B4F
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 001A1B61
SendMessageW.USER32(?,0000000D,?,00000000), ref: 001A1B99

Strings

@U=u, xrefs: 001A1B99

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 2f2d7d038b7125b8cff746a5a23def573f9027f8ddb152fb4e2757629111dd18
Instruction ID: 63b95fc850cab565b432a954b3139e8d127481c95af0b8c5f18905468696baf2
Opcode Fuzzy Hash: 2f2d7d038b7125b8cff746a5a23def573f9027f8ddb152fb4e2757629111dd18
Instruction Fuzzy Hash: B3219036600119BFDB15DBA8C842DFEB7FEEF45344F11046AE505E72A0EB71AE448BA4

Function 001C0CD5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000402,00000000,00000000), ref: 001C0D24
SendMessageW.USER32(0000000C,00000000,?), ref: 001C0D65
SendMessageW.USER32(0000000C,00000000,?), ref: 001C0D8D

Strings

@U=u, xrefs: 001C0D24, 001C0D65, 001C0D8D

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: bc2c96b7a777b98d6808797df363db32bc36e26f79285ffb299efbc7d374a36e
Instruction ID: 2dd75546b70894ec338f83429b534006d01ef1dd0d59c8b9221d0b9a2c4a33f1
Opcode Fuzzy Hash: bc2c96b7a777b98d6808797df363db32bc36e26f79285ffb299efbc7d374a36e
Instruction Fuzzy Hash: CA216A35204511EFD711EBA4E985EBAB7E6FF29310B018859F91A9BA71CB30FC50CB90

Function 001D41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 001D424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 001D4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 001D4271

Strings

msctls_trackbar32, xrefs: 001D4226

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: f011bb83809de0c5b0c311d7096a49e06ab6e47ae2c3bcdf924b5c7a2d7bcb45
Instruction ID: 2e719307480e14e0b4d0381848db33416e8804f314b8ebe5ee63e306457a8b47
Opcode Fuzzy Hash: f011bb83809de0c5b0c311d7096a49e06ab6e47ae2c3bcdf924b5c7a2d7bcb45
Instruction Fuzzy Hash: 1411E072240208BFEF209E28DC06FAB3BACEF95B64F110525FA55E21A0D771D8619B20

Function 001A2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

Part of subcall function 001A2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001A2DC5
Part of subcall function 001A2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 001A2DD6
Part of subcall function 001A2DA7: GetCurrentThreadId.KERNEL32 ref: 001A2DDD
Part of subcall function 001A2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 001A2DE4

GetFocus.USER32 ref: 001A2F78

Part of subcall function 001A2DEE: GetParent.USER32(00000000), ref: 001A2DF9

GetClassNameW.USER32(?,?,00000100), ref: 001A2FC3
EnumChildWindows.USER32(?,001A303B), ref: 001A2FEB

Strings

%s%d, xrefs: 001A2FFF

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 710d5472d9ea923a56d2fdc177f1298bd36ceb90e5121f50aa459475b7956805
Instruction ID: baf566782493350b7025b0c3497a79246045fd9981e7ec0d60f3d0977a9ec3c5
Opcode Fuzzy Hash: 710d5472d9ea923a56d2fdc177f1298bd36ceb90e5121f50aa459475b7956805
Instruction Fuzzy Hash: A911A279700205ABCF147FA48C85FEE376AAFA6308F044075FD199B292DF309949CB60

Function 001D3429 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 001D34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001D34BA

Strings

@U=u, xrefs: 001D34BA
edit, xrefs: 001D348F

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: @U=u$edit
API String ID: 2978978980-590756393
Opcode ID: 6fb16ae88c82e252dc0f7657912d5097931449a780b19e77422f509b5ae61877
Instruction ID: 1f1964c8c35dc84e7e6df508088c55b38d3552c03a3f9c4bf653667300c3e960
Opcode Fuzzy Hash: 6fb16ae88c82e252dc0f7657912d5097931449a780b19e77422f509b5ae61877
Instruction Fuzzy Hash: 69118F71101108AFEF124E68EC44AEB376AEB15378F504726F971932E0C779DC91D752

Function 001A1BD8 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

Part of subcall function 001A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001A3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 001A1C46

Strings

@U=u, xrefs: 001A1C46
ListBox, xrefs: 001A1C10
ComboBox, xrefs: 001A1BE5

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: @U=u$ComboBox$ListBox
API String ID: 624084870-2258501812
Opcode ID: 4c4863927ae73134d95519e7f1db3e04e720c47301d38017e8de8e2204d50f66
Instruction ID: b3bf7d1e7e98e051b8a3d97d8da8d148f036717e3793c4cc7e78043f45ec7c27
Opcode Fuzzy Hash: 4c4863927ae73134d95519e7f1db3e04e720c47301d38017e8de8e2204d50f66
Instruction Fuzzy Hash: BE01A779AC121976CB08EBA0DD51AFF77A89F23350F14001AB416672D6EB209F18D6B1

Function 001D5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001D58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001D58EE
DrawMenuBar.USER32(?), ref: 001D58FD

Strings

0, xrefs: 001D588F

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 8471d87845ee56924232132d4df3f360ebc5e3831332ef188b1342ef14c8c91e
Instruction ID: 388d49f354aea0c43a4c3182e049f0de67b55ee934e057a3a864726af393f383
Opcode Fuzzy Hash: 8471d87845ee56924232132d4df3f360ebc5e3831332ef188b1342ef14c8c91e
Instruction Fuzzy Hash: 2101C031600218EFDB209F15EC45BAEBBB9FF45361F00809AE848DA251DB308A85DF21

Function 001D7803 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,002118B0,001DA364,000000FC,?,00000000,00000000,?,?,?,001976CF,?,?,?,?,?), ref: 001D7805
GetFocus.USER32 ref: 001D780D

Part of subcall function 00159BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00159BB2

Part of subcall function 00159944: GetWindowLongW.USER32(?,000000EB), ref: 00159952

SendMessageW.USER32(0115D9E8,000000B0,000001BC,000001C0), ref: 001D787A

Strings

@U=u, xrefs: 001D787A

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: @U=u
API String ID: 3601265619-2594219639
Opcode ID: 32f170457242c004778ebf8833aab0d93c4166c0f3c827e5fafc06356d0d989f
Instruction ID: 383ad7c75bef9ecfb45bcc2cb5a326b11280da9c15dd060a8f0446c5068a4ba1
Opcode Fuzzy Hash: 32f170457242c004778ebf8833aab0d93c4166c0f3c827e5fafc06356d0d989f
Instruction Fuzzy Hash: 50017531505140CFD725DB28F85CAA633E5EF95320F14466AE525873E0DB356C56CB80

Function 0019D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0019D3BF
FreeLibrary.KERNEL32 ref: 0019D3E5

Strings

X64, xrefs: 0019D2A8
GetSystemWow64DirectoryW, xrefs: 0019D3B9

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 28feff0ee3426bfcc4d5010bd25c7d6a2f38430cb224143079815edde21938fe
Instruction ID: cb5326269a2c2e966aceee3a7f4d4ff281f1b98660161e2d45574c09d0915009
Opcode Fuzzy Hash: 28feff0ee3426bfcc4d5010bd25c7d6a2f38430cb224143079815edde21938fe
Instruction Fuzzy Hash: 42F02BB1406723DBDF3C6B24AD489AA3318BF11742B95875AF423F10D5DB70CE86C682

Function 001A007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c5ccb5473f9f4e7c3eee5605f9242c698286ee98afed27a0fcb4d1d3e3b258
Instruction ID: 1debe85afaceadc88d4a9c85c6ae1f9b2ef1a6574f129f8e36797e3d6c1f0733
Opcode Fuzzy Hash: f5c5ccb5473f9f4e7c3eee5605f9242c698286ee98afed27a0fcb4d1d3e3b258
Instruction Fuzzy Hash: 18C15B79A0020AEFDB15CFA4C894BAEB7B5FF49304F218599E505EB251D731EE81CB90

Function 001C342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001C3459
CoUninitialize.OLE32 ref: 001C3463
VariantInit.OLEAUT32(?), ref: 001C346E
VariantClear.OLEAUT32(?), ref: 001C371B

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: adce8c404174f8da7cd34172c1ae5eb09afb688c7a584a0007ed96f2b69e17fa
Instruction ID: 5a0974e35b6748edc973ba36270812cc5c5de39003b712b53f3b959dff0903d3
Opcode Fuzzy Hash: adce8c404174f8da7cd34172c1ae5eb09afb688c7a584a0007ed96f2b69e17fa
Instruction Fuzzy Hash: 1BA114756042109FCB14DF28C485E2AB7E5FF98714F05885DF99A9B3A2DB30EE05CB92

Function 001A0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,001DFC08,?), ref: 001A05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,001DFC08,?), ref: 001A0608
CLSIDFromProgID.OLE32(?,?,00000000,001DCC40,000000FF,?,00000000,00000800,00000000,?,001DFC08,?), ref: 001A062D
_memcmp.LIBVCRUNTIME ref: 001A064E

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 4112446c38f2c423a1a1bbec3c8df8235400c3c71c1db751350619ea875a8c6b
Instruction ID: 597e065fed8a34c4878cca2b6e8af00dca11112a40910a25f5937b9328cdaf1b
Opcode Fuzzy Hash: 4112446c38f2c423a1a1bbec3c8df8235400c3c71c1db751350619ea875a8c6b
Instruction Fuzzy Hash: C7811A75A00109EFCB05DF94C988EEEB7B9FF8A315F204558E506EB250DB71AE46CB60

Function 00181391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001814C0

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 80d969e5acbbe3072d136cdab1be6bb555934799ec456128bba353f77374e972
Instruction ID: c1028a7e8015a5469842e718d5686b00af1b8583a992edaeff6a5b68546b70f8
Opcode Fuzzy Hash: 80d969e5acbbe3072d136cdab1be6bb555934799ec456128bba353f77374e972
Instruction Fuzzy Hash: BF413A33A00500BBDB257BB99C45ABE3BADEF61330F144229F819D2191E7748A539F61

Function 001C1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 001C1AFD
WSAGetLastError.WSOCK32 ref: 001C1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 001C1B8A
WSAGetLastError.WSOCK32 ref: 001C1B94

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 2d628aac1900364692552d05848229afd27fe0148e6a82e36426ea5c2fda7933
Instruction ID: 1012104c957695cd8d7190eea263dc0d4315dcddb4132ecce167fcaa02e5e313
Opcode Fuzzy Hash: 2d628aac1900364692552d05848229afd27fe0148e6a82e36426ea5c2fda7933
Instruction Fuzzy Hash: B941B234640201AFE720AF24C886F2977E5AB55718F54844CF92A9F7D3D772DD42CB90

Function 0017B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1052beb42853ecc95dea6d39624b2704f7d998e83a32dffc2011e9515d120e6
Instruction ID: 7e893bd5fa564953d64bedd7fa7348031a3544199d9f998c30598db354f2ac9b
Opcode Fuzzy Hash: e1052beb42853ecc95dea6d39624b2704f7d998e83a32dffc2011e9515d120e6
Instruction Fuzzy Hash: AE411B72A04704BFD7249F38CC81B6A7BF9EB98710F10852EF54BDB282D77199118B80

Function 001B56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 001B5783
GetLastError.KERNEL32(?,00000000), ref: 001B57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001B57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001B57FA

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 1db8a3a8f64a913b0ed80aae8d43aad218f486822c97807e2b69e9d1b6948999
Instruction ID: ac4eea02900b73831ee2386fc33be73f5472c8509567f1100753ada4b29edd1c
Opcode Fuzzy Hash: 1db8a3a8f64a913b0ed80aae8d43aad218f486822c97807e2b69e9d1b6948999
Instruction Fuzzy Hash: 6B411D39600611DFCB11DF55D544A5EBBE2EF99320B198888E84AAF372CB35FD40CB91

Function 0017D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00166D71,00000000,00000000,001682D9,?,001682D9,?,00000001,00166D71,8BE85006,00000001,001682D9,001682D9), ref: 0017D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0017D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0017D9AB
__freea.LIBCMT ref: 0017D9B4

Part of subcall function 00173820: RtlAllocateHeap.NTDLL(00000000,?,00211444,?,0015FDF5,?,?,0014A976,00000010,00211440,001413FC,?,001413C6,?,00141129), ref: 00173852

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 90ec978d2fc0f84f691a45b375e549cad0c8eb1893f52d9b885917cbb9c56784
Instruction ID: 717fb07c240f8cdacf47b091976436b71b0feff291d4613a4ab5b9803fe272da
Opcode Fuzzy Hash: 90ec978d2fc0f84f691a45b375e549cad0c8eb1893f52d9b885917cbb9c56784
Instruction Fuzzy Hash: F231CD72A0021AABDF259F64EC41EAE7BB5EF40314F158268FD08D7250EB35CD50CB90

Function 001AAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 001AABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 001AAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 001AAC74
SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 001AACC6

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b9afa054a639aade496884fe15731407f80baec0c532f73bf15424a2caca7cee
Instruction ID: 334beef9445980ec1954ea1bdd381796fecca5f3304c883953411ce4c7fc4b8b
Opcode Fuzzy Hash: b9afa054a639aade496884fe15731407f80baec0c532f73bf15424a2caca7cee
Instruction Fuzzy Hash: B1313934A007186FFF35CB648C087FA7BA6AF86330F84471AE481962D9C3759981C792

Function 001D7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 001D769A
GetWindowRect.USER32(?,?), ref: 001D7710
PtInRect.USER32(?,?,001D8B89), ref: 001D7720
MessageBeep.USER32(00000000), ref: 001D778C

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: ad8e3b1d70c8430a9b236663aa9b8335aefa9cd8de7a28242f2882166640ae8f
Instruction ID: 1eeaf14b54c4e8e9a833c041d864844497d18a1ee3500814a5edf8f1795d6ff1
Opcode Fuzzy Hash: ad8e3b1d70c8430a9b236663aa9b8335aefa9cd8de7a28242f2882166640ae8f
Instruction Fuzzy Hash: C641BF38A09255DFCB01CF58D898EA977F4FF58310F1585AAE5249B3A1E730E941CF90

Function 001D16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 001D16EB

Part of subcall function 001A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001A3A57
Part of subcall function 001A3A3D: GetCurrentThreadId.KERNEL32 ref: 001A3A5E
Part of subcall function 001A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001A25B3), ref: 001A3A65

GetCaretPos.USER32(?), ref: 001D16FF
ClientToScreen.USER32(00000000,?), ref: 001D174C
GetForegroundWindow.USER32 ref: 001D1752

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 6d4eaf41881ff02ebf0fe100d8779ed266834753e0243123e70b345b834c5b72
Instruction ID: b149354743e585cfd81a010cac04de2787e8d840bf2c9b14dee90c1b9fcc1647
Opcode Fuzzy Hash: 6d4eaf41881ff02ebf0fe100d8779ed266834753e0243123e70b345b834c5b72
Instruction Fuzzy Hash: 93317075D01249AFC700EFA9C881CEEBBF9EF59304B5080AAE415E7211D731DE45CBA0

Function 001AD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001AD501
Process32FirstW.KERNEL32(00000000,?), ref: 001AD50F
Process32NextW.KERNEL32(00000000,?), ref: 001AD52F
CloseHandle.KERNEL32(00000000), ref: 001AD5DC

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 3fb3191ca27854aa311f8d0963a4cccef375fcad43dbde884772bd08b19ba109
Instruction ID: 38396b62cad367146a7ec13e9bd23a5c2b3ec33c5ff696117d39a27fb28a640e
Opcode Fuzzy Hash: 3fb3191ca27854aa311f8d0963a4cccef375fcad43dbde884772bd08b19ba109
Instruction Fuzzy Hash: CB31A4721083019FD301EF54D885AAFBBF8EFA9354F14092DF586861A2EB719949CB92

Function 001D8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00159BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00159BB2

GetCursorPos.USER32(?), ref: 001D9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00197711,?,?,?,?,?), ref: 001D9016
GetCursorPos.USER32(?), ref: 001D905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00197711,?,?,?), ref: 001D9094

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: c86bf970ccb812d098fa61fa7da794076ab099082cc9bf39025d528e09bc1f53
Instruction ID: ab969b958e063aed55e7c193c532e46b66267f7c0dc74ea114f5069e8e1d17d8
Opcode Fuzzy Hash: c86bf970ccb812d098fa61fa7da794076ab099082cc9bf39025d528e09bc1f53
Instruction Fuzzy Hash: FF21D131601018EFDB259F94EC58EFA3BB9EF49350F048156F9058B261C73599A0DBA0

Function 001AD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,001DCB68), ref: 001AD2FB
GetLastError.KERNEL32 ref: 001AD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 001AD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,001DCB68), ref: 001AD376

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: a21036e8e5ffa5d1d2c2858a2b593536433f171c3284328963c794731703895d
Instruction ID: f4f5899e157f8388eedcfe4df49a5bd2898db71773b270453b86327aff61ea3d
Opcode Fuzzy Hash: a21036e8e5ffa5d1d2c2858a2b593536433f171c3284328963c794731703895d
Instruction Fuzzy Hash: 352183B45056029F8B10DF28D88146EB7E4FF57364F104A1EF4AAC76A1D731D945CB93

Function 001A1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001A1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001A102A
Part of subcall function 001A1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001A1036
Part of subcall function 001A1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001A1045
Part of subcall function 001A1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001A104C
Part of subcall function 001A1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001A1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001A15BE
_memcmp.LIBVCRUNTIME ref: 001A15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001A1617
HeapFree.KERNEL32(00000000), ref: 001A161E

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: e73d0edc1abb02aff5b3685989606b3e4486fb2f3b6ff4f868146043d3f52666
Instruction ID: 751d3f6e0f2b61ea8d284d40f47befb184b96ff40c752c06be381aa18f7933f6
Opcode Fuzzy Hash: e73d0edc1abb02aff5b3685989606b3e4486fb2f3b6ff4f868146043d3f52666
Instruction Fuzzy Hash: B0219A75E41209FFDF00DFA4C945BEEB7B8EF46354F088859E445AB241E770AA45CBA0

Function 001D2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 001D280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001D2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001D2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 001D2840

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 949ea264268bd0d391463c80106561ec5dee5f0a6627672b52cd146a084868b7
Instruction ID: d3425d8cffbc1f823f49516f34f0a7029d180c42adf815a2eb072248c6c1f39d
Opcode Fuzzy Hash: 949ea264268bd0d391463c80106561ec5dee5f0a6627672b52cd146a084868b7
Instruction Fuzzy Hash: 2421D331309111AFD7149B24D884FAA7B95EF65324F14825AF42A8B7E2C771FC82C7D0

Function 001A78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 001A8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,001A790A,?,000000FF,?,001A8754,00000000,?,0000001C,?,?), ref: 001A8D8C
Part of subcall function 001A8D7D: lstrcpyW.KERNEL32(00000000,?,?,001A790A,?,000000FF,?,001A8754,00000000,?,0000001C,?,?,00000000), ref: 001A8DB2
Part of subcall function 001A8D7D: lstrcmpiW.KERNEL32(00000000,?,001A790A,?,000000FF,?,001A8754,00000000,?,0000001C,?,?), ref: 001A8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,001A8754,00000000,?,0000001C,?,?,00000000), ref: 001A7923
lstrcpyW.KERNEL32(00000000,?,?,001A8754,00000000,?,0000001C,?,?,00000000), ref: 001A7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,001A8754,00000000,?,0000001C,?,?,00000000), ref: 001A7984

Strings

cdecl, xrefs: 001A797B

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 495b7da6d39bcbc36d385fa1289c5b2b21309fa36b2790da0b3d4c13f9e564ae
Instruction ID: b0f9679e31fbcca8ab186aa5f9bb4ed07c34725ed0639469fe5b70be65eaa835
Opcode Fuzzy Hash: 495b7da6d39bcbc36d385fa1289c5b2b21309fa36b2790da0b3d4c13f9e564ae
Instruction Fuzzy Hash: 3111063E201342ABCB156F34CC45D7B77A9FF56364B00402BF802CB2A4EB319911C791

Function 001A1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 001A1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001A1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001A1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001A1A8A

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 101513a081d6ebab7764af8ea91754c1ce3ac3731eca1699b0581c54db4255cf
Instruction ID: 72a9af8f8fb1db717b0be27f620b0b4ae2b77884714e4b8448a25d522c4e2409
Opcode Fuzzy Hash: 101513a081d6ebab7764af8ea91754c1ce3ac3731eca1699b0581c54db4255cf
Instruction Fuzzy Hash: CE113C3AD01219FFEB10DBA4CD85FADBB79EB04750F200091E600B7290D7716E50DB94

Function 001AE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001AE1FD
MessageBoxW.USER32(?,?,?,?), ref: 001AE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 001AE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 001AE24D

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: d91e48f40ee49e88dbabf040b5bd7ec8589e9ae2d831e784cf3e43479b0db210
Instruction ID: 077a847b03c5dbc1467d8c7bf20598f3feb7611fb6913fc166ad25d6db3f0e53
Opcode Fuzzy Hash: d91e48f40ee49e88dbabf040b5bd7ec8589e9ae2d831e784cf3e43479b0db210
Instruction Fuzzy Hash: 48110876905259BBC7019FA8AC09BDE7FACEB46310F008656F925D3294D7708900C7A0

Function 0016D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0016CFF9,00000000,00000004,00000000), ref: 0016D218
GetLastError.KERNEL32 ref: 0016D224
__dosmaperr.LIBCMT ref: 0016D22B
ResumeThread.KERNEL32(00000000), ref: 0016D249

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 34223a482e1388c2a064256b58349c974abcb1166992c9a4ccc6d1736af324d6
Instruction ID: 21cb7982f37cc88a7c2411b7896db8132233e347fafd999b75ea5992bd0df2ff
Opcode Fuzzy Hash: 34223a482e1388c2a064256b58349c974abcb1166992c9a4ccc6d1736af324d6
Instruction Fuzzy Hash: 4D01F536E06205BBCB115BA9EC09BAF7B69EF92330F11421DF925921D0CF71C961C6E0

Function 00163B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00163B56

Part of subcall function 00163AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00163AD2
Part of subcall function 00163AA3: ___AdjustPointer.LIBCMT ref: 00163AED

_UnwindNestedFrames.LIBCMT ref: 00163B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00163B7C
CallCatchBlock.LIBVCRUNTIME ref: 00163BA4

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: fd5582462925d18449fa0a7daaa8daf82291ba45aaa651b3f4888fe70ac4298f
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: EF010832100149BBDF126E95CC46EEB7F6EEFA9754F044018FE58A6121C732E971EBA0

Function 00173073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001413C6,00000000,00000000,?,0017301A,001413C6,00000000,00000000,00000000,?,0017328B,00000006,FlsSetValue), ref: 001730A5
GetLastError.KERNEL32(?,0017301A,001413C6,00000000,00000000,00000000,?,0017328B,00000006,FlsSetValue,001E2290,FlsSetValue,00000000,00000364,?,00172E46), ref: 001730B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0017301A,001413C6,00000000,00000000,00000000,?,0017328B,00000006,FlsSetValue,001E2290,FlsSetValue,00000000), ref: 001730BF

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 4b22338b428c2f52aa2fe402a82fb1afbddfd39a22fb8cb037f13b248c2ac7e0
Instruction ID: da732492a210482fc94ce615119fa091c00f402b77a3fa111e55bbd8d14fb1b4
Opcode Fuzzy Hash: 4b22338b428c2f52aa2fe402a82fb1afbddfd39a22fb8cb037f13b248c2ac7e0
Instruction Fuzzy Hash: 3B012032353333ABCB314B789C4895777A8AF05761B118720F92DD7140DB21D981D6E0

Function 001A7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 001A747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 001A7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001A74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 001A74CA

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 58a4140ec6c088bfb7660f6d16dbb1320d5978e8fb013305239cb622cb75cc91
Instruction ID: d1af6292444f21981fc726b26f53bf7ed9ec2b12b1119876212313db93c82275
Opcode Fuzzy Hash: 58a4140ec6c088bfb7660f6d16dbb1320d5978e8fb013305239cb622cb75cc91
Instruction Fuzzy Hash: 9F11C4B920A3119FE7208F14DC08FD27FFCEB05B00F10896AA616D6591D770EA44DB90

Function 001AB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,001AACD3,?,00008000), ref: 001AB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,001AACD3,?,00008000), ref: 001AB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,001AACD3,?,00008000), ref: 001AB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,001AACD3,?,00008000), ref: 001AB126

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 8cc6f8a32ea1a7fde43f4d03b134c46c0efc883e69eae6f685cd22b98708fb6c
Instruction ID: 66d34676667986ddb3db1a4b3756674a44254dcb2f60ab69306639a72d3fb8f9
Opcode Fuzzy Hash: 8cc6f8a32ea1a7fde43f4d03b134c46c0efc883e69eae6f685cd22b98708fb6c
Instruction Fuzzy Hash: 2F116D75C0666DE7CF04AFE4E9A86EEBF78FF0A711F114496E941B2182CB305650CB91

Function 001A2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001A2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 001A2DD6
GetCurrentThreadId.KERNEL32 ref: 001A2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 001A2DE4

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: af17a1000fa4928e070a51ebfaec0bfcda257eba46847e18728ab2110589c627
Instruction ID: 70b927f17055e72d22d9d6b5e67bbde3eeafa786b2bfa4ae85d5fcf61f57a055
Opcode Fuzzy Hash: af17a1000fa4928e070a51ebfaec0bfcda257eba46847e18728ab2110589c627
Instruction Fuzzy Hash: ADE06D71103225BADB201BA69C0DEEB3F6CEF43BA1F000416F505D15819AA4C880C6F0

Function 001D8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00159639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00159693
Part of subcall function 00159639: SelectObject.GDI32(?,00000000), ref: 001596A2
Part of subcall function 00159639: BeginPath.GDI32(?), ref: 001596B9
Part of subcall function 00159639: SelectObject.GDI32(?,00000000), ref: 001596E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 001D8887
LineTo.GDI32(?,?,?), ref: 001D8894
EndPath.GDI32(?), ref: 001D88A4
StrokePath.GDI32(?), ref: 001D88B2

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 5972598863771347024d7ecb5e83b5da2e19f153e91eedbd9d7645405c2582ab
Instruction ID: 9378d8a142e007910f83493a8c1b00e891066800d780456f1f2909d8200b8f03
Opcode Fuzzy Hash: 5972598863771347024d7ecb5e83b5da2e19f153e91eedbd9d7645405c2582ab
Instruction Fuzzy Hash: B4F03A3A046299FADB125F94AC0DFCA3B59AF16311F048002FA11651E1CB755561DFE5

Function 001598B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 001598CC
SetTextColor.GDI32(?,?), ref: 001598D6
SetBkMode.GDI32(?,00000001), ref: 001598E9
GetStockObject.GDI32(00000005), ref: 001598F1

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 3418e80532398347235d1ac238895dc4385aca7fbbc96b99a09d582552087ebb
Instruction ID: bd73a60f5cafb77630cdbaa122297ca273fc1f9e3a5397edc2a2b14d23a5b62c
Opcode Fuzzy Hash: 3418e80532398347235d1ac238895dc4385aca7fbbc96b99a09d582552087ebb
Instruction Fuzzy Hash: C8E06D31246291EAEF215B74BC0DBE83F21AB52336F04871AF6FA584E1C3714680DB11

Function 001A162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 001A1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,001A11D9), ref: 001A163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001A11D9), ref: 001A1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,001A11D9), ref: 001A164F

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 66ad14f2796259376129af5997427e640f3aee19375349e381345db5394a2b72
Instruction ID: 03398e7d9fc27fdaf1273539c10448ca221e33a86297dbd0844ff1dad2326a1d
Opcode Fuzzy Hash: 66ad14f2796259376129af5997427e640f3aee19375349e381345db5394a2b72
Instruction Fuzzy Hash: 6BE08635603212EBD7201FF09E0DB473B7CAF557A1F144C09F245C9080D7744480C790

Function 0019D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0019D858
GetDC.USER32(00000000), ref: 0019D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0019D882
ReleaseDC.USER32(?), ref: 0019D8A3

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 2d7110bddd3612dbe3324d80481a8101e310fb9602983ec747d4b2b797cad437
Instruction ID: 440fbc9afcbe89b910fb8ee4d88f1fc10cf8eaeedc8292e3416fa4e7ea6b9ff9
Opcode Fuzzy Hash: 2d7110bddd3612dbe3324d80481a8101e310fb9602983ec747d4b2b797cad437
Instruction Fuzzy Hash: BAE01AB4802206DFCF419FA4D80866DBBB1FB08311F15880AF806E7750C7389985EF80

Function 0019D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0019D86C
GetDC.USER32(00000000), ref: 0019D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0019D882
ReleaseDC.USER32(?), ref: 0019D8A3

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ec0e2d33c0415f80698f0f1a1646f5be5802a584069800bb54cc9b999dac4ddd
Instruction ID: fa30728835824eee6c17c608ebbdb1ac2f17e4b52fc3c376c1403429ec368ebd
Opcode Fuzzy Hash: ec0e2d33c0415f80698f0f1a1646f5be5802a584069800bb54cc9b999dac4ddd
Instruction Fuzzy Hash: 1FE01A74802201DFCB509FA4D80866DBBB1FB08311B14880AF806E7750C7389945DF80

Function 001B4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00147620: _wcslen.LIBCMT ref: 00147625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 001B4ED4

Strings

LPT, xrefs: 001B4DFB
*, xrefs: 001B4E10

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 5fb7ff5abcd4dc2e122bdc367b0d3b39fa365e491b4243a1e3b666ba4bd4b052
Instruction ID: edf992a8f91b6359f39ecbf46afe38b3249f2554dbaac33e98868413c299c199
Opcode Fuzzy Hash: 5fb7ff5abcd4dc2e122bdc367b0d3b39fa365e491b4243a1e3b666ba4bd4b052
Instruction Fuzzy Hash: 73914B75A002149FDB14DF58C484EAABBF1AF49304F19C09DE84A9F3A2D735EE85CB91

Function 0016E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0016E30D

Strings

pow, xrefs: 0016E2E5, 0016E302

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: e53fa85134740f383c9a41b6f870271c8ef5a8a431d35bfaa7107712ee169eec
Instruction ID: 2c9060c557a36ac11a8cea32a0421c579a67994569cd23ad372f1f13c60e4844
Opcode Fuzzy Hash: e53fa85134740f383c9a41b6f870271c8ef5a8a431d35bfaa7107712ee169eec
Instruction Fuzzy Hash: 1D518C65A0C20296CB297764CD513BD3BF8EB50740F30CA58E0D9863E8EF308CE59A86

Function 001C7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0019569E,00000000,?,001DCC08,?,00000000,00000000), ref: 001C78DD

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

CharUpperBuffW.USER32(0019569E,00000000,?,001DCC08,00000000,?,00000000,00000000), ref: 001C783B

Strings

<s , xrefs: 001C77C8

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s
API String ID: 3544283678-3981233947
Opcode ID: 73794bb3ba6d0fed2879eb5608b8d2d41f0d587ad6ff1f9730c5a4dd31e25bff
Instruction ID: 79dcd3f0ebccd62e6a4644d38705aea9e85817070d1dacfff80994505d432fe5
Opcode Fuzzy Hash: 73794bb3ba6d0fed2879eb5608b8d2d41f0d587ad6ff1f9730c5a4dd31e25bff
Instruction Fuzzy Hash: E2612C72914219AACF04EFA4DC91EFDB378BF38704B444529E642A71A1EB749A05DBA0

Function 0015E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0015E1B1

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 42fade8ab753c932c0527542617677b1c3baca34b3a32f5e0a853e85b3ebeb6e
Instruction ID: 4fd751cba138a7330bc0acd0be9d1aa34a5b009be2be51fcd19d8e376f29c185
Opcode Fuzzy Hash: 42fade8ab753c932c0527542617677b1c3baca34b3a32f5e0a853e85b3ebeb6e
Instruction Fuzzy Hash: A051F175904246DFDF1DDFA8C481ABA7BE8EF25310F244055ECA19B2D0D7349E86CBA1

Function 0015F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0015F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0015F2BB

Strings

@, xrefs: 0015F2AF

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 863f091553ad633069fae15b091466f19517cfc7ddd43567f04c4c81fda5f47b
Instruction ID: 659161b1cd7652ae21756b8b40f7e5be5de4ae2daea8594422abecc8d1c7ea3f
Opcode Fuzzy Hash: 863f091553ad633069fae15b091466f19517cfc7ddd43567f04c4c81fda5f47b
Instruction Fuzzy Hash: 47515671409744ABD320AF54DC86BABBBF8FF95300F81884DF1D9421A5EB318569CB67

Function 001A2999 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 001A29EB
SendMessageW.USER32(?,0000110A,00000001,?), ref: 001A2A8D

Part of subcall function 001A2C75: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 001A2CE0

Strings

@U=u, xrefs: 001A29EB, 001A2A8D

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 8eec5d76b8f65401f2cb2f389555089c8cd4e49165ae9a9ed89ce8bc92a63dcf
Instruction ID: d36c27d29d4d21f1a81cce72f7763af874b35aafe4a336db51aa1180721725b5
Opcode Fuzzy Hash: 8eec5d76b8f65401f2cb2f389555089c8cd4e49165ae9a9ed89ce8bc92a63dcf
Instruction Fuzzy Hash: D5419275A00209ABEF25EF58CC45BFE7BB9EF55714F040029F906A3291DB709E45CBA2

Function 001C5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 001C57E0
_wcslen.LIBCMT ref: 001C57EC

Strings

CALLARGARRAY, xrefs: 001C57E6, 001C57EB

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 29541a9aacc07588b2d3e0043cc4b4fb3296117683be6cadb3d731adf42d2c05
Instruction ID: 379e4c822782dd35716905ba69c05f0e43dc12fd52167ab200217ec40317c00e
Opcode Fuzzy Hash: 29541a9aacc07588b2d3e0043cc4b4fb3296117683be6cadb3d731adf42d2c05
Instruction Fuzzy Hash: 0E418E31E002099FCB14DFA9C885DAEBBB6EF69354F14406DF515AB291E730ED81CBA0

Function 001BD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001BD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 001BD13A

Strings

|, xrefs: 001BD10B

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 6fa9f0f0f6c970f267d9c186d920203ecd45f833ada8c66928e2d97ecb5aa5e8
Instruction ID: 6a7bd4e7d086c8662589adf74576558c44498e963331e79414c19ebbb02d119c
Opcode Fuzzy Hash: 6fa9f0f0f6c970f267d9c186d920203ecd45f833ada8c66928e2d97ecb5aa5e8
Instruction Fuzzy Hash: D1313C71D01219ABCF15EFA4DC85AEEBFB9FF19304F100059F815B6162EB31AA56CB60

Function 001D356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 001D3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 001D365C

Strings

static, xrefs: 001D35BC

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: dd487996f42383aededa0d7049326bff6c47e96a8f31b214ff618bdb7a80a186
Instruction ID: cb7f381069775604c49a01d96454f3bf01bb6bcfe29fa577e6d49c0204f64b55
Opcode Fuzzy Hash: dd487996f42383aededa0d7049326bff6c47e96a8f31b214ff618bdb7a80a186
Instruction Fuzzy Hash: 3531BC71100204AEDB209F28DC80EFB73A9FF98760F00861AF8A597290DB31ED81D7A1

Function 001D4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 001D461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001D4634

Strings

', xrefs: 001D458E

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 38ea29b4d31ddc00a1ca803a8631c5d401984aeb55b878dc4379c2779c31fd6b
Instruction ID: aee73bf6bab2029c860e0b673304cc6a80c798a655c974afcac832b749f32750
Opcode Fuzzy Hash: 38ea29b4d31ddc00a1ca803a8631c5d401984aeb55b878dc4379c2779c31fd6b
Instruction Fuzzy Hash: EC312574A0130A9FDB14CFA9D981BDABBB6FF09300F10406AE905AB391D770E941CF90

Function 001A286B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 001A2884
SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 001A28B6

Strings

@U=u, xrefs: 001A2884, 001A28B6

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: de997aff6a0e759101af0e9ef7e36296cdb07d6947f3e36025b8e668f0e9b910
Instruction ID: 565fcc5e90692a8901639542aec8f6bdcd00ebe0cd05af334f6ba7156c2bdf70
Opcode Fuzzy Hash: de997aff6a0e759101af0e9ef7e36296cdb07d6947f3e36025b8e668f0e9b910
Instruction Fuzzy Hash: 2021383AE00215ABCB11AF98C880DFFB7B9EF9AB14F144019F915A7290EB749D41C7A0

Function 001A3BC4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001A3D03: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001A3D18

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 001A3C23
_strlen.LIBCMT ref: 001A3C2E

Strings

@U=u, xrefs: 001A3C23

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID: @U=u
API String ID: 2777139624-2594219639
Opcode ID: 6de454e25e7d3c79e4c08033a57bc01b2584f4aff4423d8212a149bcfb02e87c
Instruction ID: 6c9efaafc11642f4dba6c95e2c236cab2fdb2c55e35d2d3868b3f2b50c1ae393
Opcode Fuzzy Hash: 6de454e25e7d3c79e4c08033a57bc01b2584f4aff4423d8212a149bcfb02e87c
Instruction Fuzzy Hash: 5F110D35700115678B296A7C9C92AFF77548F67B60F11003EF916AB296DF109E4286E4

Function 001D336F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001AED19: GetLocalTime.KERNEL32 ref: 001AED2A
Part of subcall function 001AED19: _wcslen.LIBCMT ref: 001AED3B
Part of subcall function 001AED19: _wcslen.LIBCMT ref: 001AED79
Part of subcall function 001AED19: _wcslen.LIBCMT ref: 001AEDAF
Part of subcall function 001AED19: _wcslen.LIBCMT ref: 001AEDDF
Part of subcall function 001AED19: _wcslen.LIBCMT ref: 001AEDEF
Part of subcall function 001AED19: _wcslen.LIBCMT ref: 001AEE2B

SendMessageW.USER32(?,00001002,00000000,?), ref: 001D340A

Strings

SysDateTimePick32, xrefs: 001D33C7
@U=u, xrefs: 001D340A

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _wcslen$LocalMessageSendTime
String ID: @U=u$SysDateTimePick32
API String ID: 2216836867-2530228043
Opcode ID: 06f3abfcfdfe0dff2b1b31d9efe927c1feda64dcdc87b4ab2be6b4ff35dc0277
Instruction ID: fb5e2c5c753f5d6be026f1250d6d451bae57c3ea63af9c291a8ec78db59f8244
Opcode Fuzzy Hash: 06f3abfcfdfe0dff2b1b31d9efe927c1feda64dcdc87b4ab2be6b4ff35dc0277
Instruction Fuzzy Hash: 3F21D2312502097BEF219E54DC82FEE33AAEB54754F10451AF950A72D0DBB5EC518760

Function 001A215F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001A2178

Part of subcall function 001AB32A: GetWindowThreadProcessId.USER32(?,?), ref: 001AB355
Part of subcall function 001AB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,001A2194,00000034,?,?,00001004,00000000,00000000), ref: 001AB365
Part of subcall function 001AB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,001A2194,00000034,?,?,00001004,00000000,00000000), ref: 001AB37B

Part of subcall function 001AB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001A21D0,?,?,00000034,00000800,?,00000034), ref: 001AB42D

SendMessageW.USER32(?,00001073,00000000,?), ref: 001A21DF

Part of subcall function 001AB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001A21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 001AB3F8

Strings

@U=u, xrefs: 001A2178, 001A21DF

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
String ID: @U=u
API String ID: 1045663743-2594219639
Opcode ID: cb30c30afc189f13e271241fa63917f7b6852475c3af987b43551679eaade6cd
Instruction ID: 4c81231ddc9ec9e99be6b77c608d1937b1619f3ffc929863496c520471a37056
Opcode Fuzzy Hash: cb30c30afc189f13e271241fa63917f7b6852475c3af987b43551679eaade6cd
Instruction Fuzzy Hash: 8A217135901129ABEF11EFA8DC81FDDBBB8FF19350F100196F549A7191EB705A84CB90

Function 001D31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001D327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001D3287

Strings

Combobox, xrefs: 001D3249

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 46d1c70c3a34c8c9a761fd1e470ec8220453c5e11ee4a8d1d421fa254d1a5b35
Instruction ID: a694430c8b82da6dbf0c2e29f4bb3b96782ac6010dd070609ad1bdd72f90dd8b
Opcode Fuzzy Hash: 46d1c70c3a34c8c9a761fd1e470ec8220453c5e11ee4a8d1d421fa254d1a5b35
Instruction Fuzzy Hash: 7011B271B002087FFF259E54DC85EFB3B6AEB943A4F10412AF92897390D7719D518761

Function 001D3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0014600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0014604C
Part of subcall function 0014600E: GetStockObject.GDI32(00000011), ref: 00146060
Part of subcall function 0014600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0014606A

GetWindowRect.USER32(00000000,?), ref: 001D377A
GetSysColor.USER32(00000012), ref: 001D3794

Strings

static, xrefs: 001D3757

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 579583ca90fb1c9dccc968f06c04f6ed08f0e3cc4c70fe6937f5eae64e466c4d
Instruction ID: 0a8c7f53e4ceb40714af694478847ac6d8098c6d7ee18f057249c2e47e2994a2
Opcode Fuzzy Hash: 579583ca90fb1c9dccc968f06c04f6ed08f0e3cc4c70fe6937f5eae64e466c4d
Instruction Fuzzy Hash: 2A113AB261060AAFDF01DFA8CC46EEA7BB8FB08354F014916F965E3250D735E851DB60

Function 001D6181 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 001D61FC
SendMessageW.USER32(?,00000194,00000000,00000000), ref: 001D6225

Strings

@U=u, xrefs: 001D61FC, 001D6225

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: cbab15216624219d6368f762a9627864e7f2f19ef854a1d4cb36ce1d8164f1e2
Instruction ID: 2086c796ce8081f5fce3aa9b85341736181f91db10396bc4c3f78262ddacbd06
Opcode Fuzzy Hash: cbab15216624219d6368f762a9627864e7f2f19ef854a1d4cb36ce1d8164f1e2
Instruction Fuzzy Hash: 8D11C132140214BEEB148F68DC59FFA3BA5EB0A310F004116FA16AA2E1D7B0DA50DB50

Function 001BCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 001BCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 001BCDA6

Strings

<local>, xrefs: 001BCD66

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: ae05a815d39d979dc19507aef3a3835fe3c05545b210632ede5ecdbd8f3d1944
Instruction ID: d8f93eabb95142019fd16a26bf92ec38239a1e359d82f522369b809bbd949d7d
Opcode Fuzzy Hash: ae05a815d39d979dc19507aef3a3835fe3c05545b210632ede5ecdbd8f3d1944
Instruction Fuzzy Hash: 9E11C279205632BAD7384BA6CC89FE7BEACEF527A4F40422AF14983080D7709840D6F0

Function 001D4F80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 001D4FCC

Strings

@U=u, xrefs: 001D4FCC, 001D5008

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 430f3cbeeafb181b10028b35c18aec1ad9a81d01bd4ab7e1c35767113083a247
Instruction ID: 63c1094153f52e9594ae5f7bef8895df5478d6ad02824d38f96da6a8a06335f0
Opcode Fuzzy Hash: 430f3cbeeafb181b10028b35c18aec1ad9a81d01bd4ab7e1c35767113083a247
Instruction Fuzzy Hash: CA21D37A60011AEFCB15CFA8C940CEA7BBAFB4D340B014555FA05A7320D731E961DB90

Function 001D30D2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 001D3147

Strings

@U=u, xrefs: 001D3147
button, xrefs: 001D311E

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$button
API String ID: 3850602802-1762282863
Opcode ID: d08d6da14e930280f65cf1103c0353019b4c91f2b942ddf8399c012027e24a3a
Instruction ID: c8d5fad6c19c3b64e9a27a3e68f9e0ea3ed1a9c6a194375aa7a654a58b7cc2d3
Opcode Fuzzy Hash: d08d6da14e930280f65cf1103c0353019b4c91f2b942ddf8399c012027e24a3a
Instruction Fuzzy Hash: 9A11C432250206ABDF118F64DC41FEB3B6AFF18354F104215FE64A7290CB76E8A1A750

Function 001A6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

CharUpperBuffW.USER32(?,?,?), ref: 001A6CB6
_wcslen.LIBCMT ref: 001A6CC2

Strings

STOP, xrefs: 001A6CBC, 001A6CC1

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 7ed3e84a33a13d059d72506ed13189488a9be8b49161f0dec706e7fe43d83e2b
Instruction ID: ac738b012c733a1938f1894a8e184de461aeac5aa144fce53687f49515b3278e
Opcode Fuzzy Hash: 7ed3e84a33a13d059d72506ed13189488a9be8b49161f0dec706e7fe43d83e2b
Instruction Fuzzy Hash: 230126366005278BCB209FFDDC808BF33B4EF727607050524E86297199EB31D900C650

Function 001A23DB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001AB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001A21D0,?,?,00000034,00000800,?,00000034), ref: 001AB42D

SendMessageW.USER32(?,0000102B,?,00000000), ref: 001A243B
SendMessageW.USER32(?,0000102B,?,00000000), ref: 001A245E

Strings

@U=u, xrefs: 001A243B, 001A245E

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend$MemoryProcessWrite
String ID: @U=u
API String ID: 1195347164-2594219639
Opcode ID: 96bfd7ceb1250089e4b8400634318137cb768bf8fdc3f81ba26f34d2887f21c7
Instruction ID: b46fa0c05a92bff438b040d7701c7f25295ceaf7074f8a307fe961b9e85497e2
Opcode Fuzzy Hash: 96bfd7ceb1250089e4b8400634318137cb768bf8fdc3f81ba26f34d2887f21c7
Instruction Fuzzy Hash: 2201F936900219EBEB116F68DC86FEEBB79DF29310F104026F515A61D1DB705E84CB60

Function 001D4366 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133E,00000000,?), ref: 001D43AF
InvalidateRect.USER32(?,00000000,00000001,?,?), ref: 001D4408

Strings

@U=u, xrefs: 001D43AF

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID: @U=u
API String ID: 909852535-2594219639
Opcode ID: 2caa5230af3183eb45a023796dc032fd72e5f341e65f15ac9a4557516d4b6f2b
Instruction ID: 8ef6c75b1fbb1c89d7d64b354e606a4fda60e95a1f8ec6a837391e8dc0f2bc77
Opcode Fuzzy Hash: 2caa5230af3183eb45a023796dc032fd72e5f341e65f15ac9a4557516d4b6f2b
Instruction Fuzzy Hash: 0A119D30500744AFE721CF28C891BE7BBE4BF05310F10891EE8AA97381CB70A941CB90

Function 001A250B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 001A2531
SendMessageW.USER32(?,0000040D,?,00000000), ref: 001A2564

Part of subcall function 001AB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001A21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 001AB3F8

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

Strings

@U=u, xrefs: 001A2531, 001A2564

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend$MemoryProcessRead_wcslen
String ID: @U=u
API String ID: 1083363909-2594219639
Opcode ID: 1f7ea6829cd523a917c25754841950a3803a0f86e0e1fa29d01e42b401257413
Instruction ID: 7974525f5f5a043bec14feaefb45cecd70d948d88348ae39eec8f766c1b3f6e1
Opcode Fuzzy Hash: 1f7ea6829cd523a917c25754841950a3803a0f86e0e1fa29d01e42b401257413
Instruction Fuzzy Hash: 19015776901128AFDB50AF94CC91EE977A8FF25344F8080A6F649A6150EF705E88CB90

Function 001D90A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00159BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00159BB2

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,0019769C,?,?,?), ref: 001D9111

Part of subcall function 00159944: GetWindowLongW.USER32(?,000000EB), ref: 00159952

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 001D90F7

Strings

@U=u, xrefs: 001D90F7

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: @U=u
API String ID: 982171247-2594219639
Opcode ID: 1919b94075e21a2f58c410b3d04ad0e4fd44ea471d5a7030c780bce85f60d39f
Instruction ID: 87a2186da3ca63e816dd2337227ba5d029e47be1b464200a341efe9b3673e577
Opcode Fuzzy Hash: 1919b94075e21a2f58c410b3d04ad0e4fd44ea471d5a7030c780bce85f60d39f
Instruction Fuzzy Hash: 9201F130201204EBDB209F14DC49EA63BA6FB95335F00021AF9151B3E0CB726851CB50

Function 001D8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00213018,0021305C), ref: 001D81BF
CloseHandle.KERNEL32 ref: 001D81D1

Strings

\0!, xrefs: 001D818A

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0!
API String ID: 3712363035-164112491
Opcode ID: e74e039740a4d91f20489b1c354c304c66225294e0d22c71fb63f5188a3d9d27
Instruction ID: 9df83eb801d096974f8937d6466b1690e5375bb548a1a16386e61746f3f64d2b
Opcode Fuzzy Hash: e74e039740a4d91f20489b1c354c304c66225294e0d22c71fb63f5188a3d9d27
Instruction Fuzzy Hash: 1FF05EB2641300BEE620AB65AC49FF73ADDEB2C750F004421FB08D51A2DB758B5082F8

Function 001A246C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001A2480
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001A2497

Part of subcall function 001A23DB: SendMessageW.USER32(?,0000102B,?,00000000), ref: 001A243B

Strings

@U=u, xrefs: 001A2480, 001A2497

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: a7f4118e0b574baf6c531b50dea37001e7c8bc7a493e50ea6c3f56822971737a
Instruction ID: 06e86b53565a12f89695cfaeab6cdf5b77d8db1f6c5d6880d177618f30ba227b
Opcode Fuzzy Hash: a7f4118e0b574baf6c531b50dea37001e7c8bc7a493e50ea6c3f56822971737a
Instruction Fuzzy Hash: 6DF0E234602121BAEB211B1ACC0ACDFBF6DDF5A760B100015F405A2151CAB09D81C6E0

Function 001C747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001C7493
_wcslen.LIBCMT ref: 001C74B9

Strings

3, 3, 16, 1, xrefs: 001C7483

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 9219cbad763a18f53fe582cf218f58476ee704bff2619c29a94df3e727192d1f
Instruction ID: 31c8778d193ad774edceb5731ac2ba9c7f57cf9144b20c706d7cbf611cdeb6df
Opcode Fuzzy Hash: 9219cbad763a18f53fe582cf218f58476ee704bff2619c29a94df3e727192d1f
Instruction Fuzzy Hash: 27E02B0265472011A33512799CC1F7F568ADFF9750710182FF981C22E6EBD4CDA193A0

Function 001A2BE8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001A2BFA
SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 001A2C2A

Strings

@U=u, xrefs: 001A2BFA, 001A2C2A

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 39438a5519f224b41b71ccc8b13f04f9b8890793d81e3aeb01f7354a56bd3062
Instruction ID: 60ebeb9abcfa8a3ceee401f23b440afdf81abed40e6e6799b4549317457e5a15
Opcode Fuzzy Hash: 39438a5519f224b41b71ccc8b13f04f9b8890793d81e3aeb01f7354a56bd3062
Instruction Fuzzy Hash: 47F0A079340305BFFA156B84DC46FEA7B58EB2AB65F000415F7055A1E0CAE25C4097A0

Function 001A2D60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001A286B: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 001A2884
Part of subcall function 001A286B: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 001A28B6

SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 001A2D80
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 001A2D90

Strings

@U=u, xrefs: 001A2D80, 001A2D90

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 8bcb0a7bfdec1d0fe5b905f92a6efe9cc08c0c15e380d41fef957ef4b1520e57
Instruction ID: 4c84194c700a191074d63053be7b3ce538279a236e17ee8bafd4c1fd38c9eea0
Opcode Fuzzy Hash: 8bcb0a7bfdec1d0fe5b905f92a6efe9cc08c0c15e380d41fef957ef4b1520e57
Instruction Fuzzy Hash: 71E0D83D3443057FF6350A959C46EE3375DD75A751F100427F30465592DFB2CC509560

Function 001D5829 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133D,?,?), ref: 001D5855
InvalidateRect.USER32(?,?,00000001), ref: 001D5877

Strings

@U=u, xrefs: 001D5855

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID: @U=u
API String ID: 909852535-2594219639
Opcode ID: 96f2114b2e857f6408007e35bb222ce83b5f14d9fa86ee208d783ded1d139ea6
Instruction ID: f849827f852c8757f81c4735ea44d5d5cefa980b4a857e89df96e3714c31d6d3
Opcode Fuzzy Hash: 96f2114b2e857f6408007e35bb222ce83b5f14d9fa86ee208d783ded1d139ea6
Instruction Fuzzy Hash: 7CF0E232604044AECB208B65CC04FEEBFF8EB81365F0445B7E51AD9251D7308A81CF60

Function 001A0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 001A0B23

Strings

AutoIt, xrefs: 001A0B17
Error allocating memory., xrefs: 001A0B1C

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: d908e5516e75e966dbe722015a5fa98ce5549c78d39da0fbf17f7227035ecd80
Instruction ID: 195a88de5975f8624879f2c016e132932459fc7a95a19e04891a9686813ee987
Opcode Fuzzy Hash: d908e5516e75e966dbe722015a5fa98ce5549c78d39da0fbf17f7227035ecd80
Instruction Fuzzy Hash: 02E0D83124531966D2143794BC03FC97B848F16B25F10082BFB58595C38BD224A086E9

Function 00160D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0015F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00160D71,?,?,?,0014100A), ref: 0015F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0014100A), ref: 00160D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0014100A), ref: 00160D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00160D7F

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 78630259d3aad55394a1a5f2f66189c708c4b3af4a89876acaf4adf546276de6
Instruction ID: 8b0d07bfc05fd925af3341857fdefebf93bd8972346b0c49060d384bd9a36091
Opcode Fuzzy Hash: 78630259d3aad55394a1a5f2f66189c708c4b3af4a89876acaf4adf546276de6
Instruction Fuzzy Hash: DAE06D742013018BD3219FB8E908342BBE5AB18745F018A2EE496C6B55DBB0E585CB91

Function 0015E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0015E3D5

Strings

0%!, xrefs: 0015E3B5
8%!, xrefs: 0015E3CA

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%!$8%!
API String ID: 1385522511-1065198821
Opcode ID: 837148ef5c32b636cf358924d3da68580e2fa536bc2938f4ddbf88812af61c96
Instruction ID: c3f22c9e5228aa34614b65f391388ad547562bd53b1df859a7a6ad4caa45320a
Opcode Fuzzy Hash: 837148ef5c32b636cf358924d3da68580e2fa536bc2938f4ddbf88812af61c96
Instruction Fuzzy Hash: 24E02631C10910EBCA0D971CFBE8ACA33D7BB39321B904168F8228F1D1DF7029AD8644

Function 0019D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0019D220

Strings

%.3d, xrefs: 0019D22B
X64, xrefs: 0019D2A8

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 60798cbe7507f406b0a734a7a3379160fa831d857a87def05267856782d29101
Instruction ID: 638605dd74c88080b8afcde245ab66bbefd96b768a5aed5b859270ef346d07ff
Opcode Fuzzy Hash: 60798cbe7507f406b0a734a7a3379160fa831d857a87def05267856782d29101
Instruction Fuzzy Hash: 09D01275C09109E9CF5897D0EC458BAB37CAB18341F518452FC1691080D724D548A761

Function 001D2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001D232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 001D233F

Part of subcall function 001AE97B: Sleep.KERNEL32 ref: 001AE9F3

Strings

Shell_TrayWnd, xrefs: 001D2325

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 45a3655f77d9e994e6cdcbe92510fd0d71065c1ccd3c86e273eabaf9d636ce81
Instruction ID: 1f5c3b3dfcdc74140179a91cb3c60adf7f460ca5ea7da740c5ba58013d3e8876
Opcode Fuzzy Hash: 45a3655f77d9e994e6cdcbe92510fd0d71065c1ccd3c86e273eabaf9d636ce81
Instruction Fuzzy Hash: 41D0C9363D6311B6EA64A770AC4FFC6BA589B11B14F004916B645AA1E1CAA0A851CA94

Function 001D2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001D236C
PostMessageW.USER32(00000000), ref: 001D2373

Part of subcall function 001AE97B: Sleep.KERNEL32 ref: 001AE9F3

Strings

Shell_TrayWnd, xrefs: 001D2365

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c442392a913a66af7c6099cd8c848a9489e3a1b71e291ebcf66852794659d983
Instruction ID: 494339cda6569f6227e580b88a0df4951fc2fbf3fb72253d93059f796da22e0a
Opcode Fuzzy Hash: c442392a913a66af7c6099cd8c848a9489e3a1b71e291ebcf66852794659d983
Instruction Fuzzy Hash: 9FD0C9363D23117AEA64A770AC4FFC6B6589B15B14F004916B645AA1E1CAA0A851CA94

Function 001A2313 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 001A231F
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 001A232D

Strings

@U=u, xrefs: 001A231F, 001A232D

Memory Dump Source

Source File: 00000000.00000002.1464891657.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.1464843218.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1464980162.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465040154.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465061757.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_VsTfsPVrfA.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 155c7a952e922df419cc249ec9df0394e859e1c9a4e2aa6449544fa383673afc
Instruction ID: d3b6b5ed2a3a0c5a9d44ea20fdabb436b8045c7352d4afc45a21b052153e4920
Opcode Fuzzy Hash: 155c7a952e922df419cc249ec9df0394e859e1c9a4e2aa6449544fa383673afc
Instruction Fuzzy Hash: 6EC08C311021C1BAF7300B23BC0CCC73F3DE7CBF01300040DB204844A58A604080C630

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report VsTfsPVrfA.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\autDC5D.tmp

C:\Users\user\AppData\Local\Temp\leucoryx

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

DNS Answers

Statistics

CPU Usage

Windows Analysis Report
VsTfsPVrfA.exe

Function 001442DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 001442A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00182BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00142CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0018065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0014344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00142B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00143170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 011D5498 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00142C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 011D5288 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137
fileCOMMON

Function 001B2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Function 00143B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Function 011D4178 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON