Edit tour

Windows Analysis Report
3WgNXsWvMO.exe

Overview

General Information

Sample name:	3WgNXsWvMO.exe renamed because original name is a hash value
Original sample name:	12ba2968289b6481ff52ba0d28aedfabb961145072da218dd13c6b9353d1eb04.exe
Analysis ID:	1587838
MD5:	2dbe7f73969aefd74d6726907b3bd5c0
SHA1:	622071ca215a11bf95b0bcae37fdbb6bd0ce17e0
SHA256:	12ba2968289b6481ff52ba0d28aedfabb961145072da218dd13c6b9353d1eb04
Tags:	exeMassLoggeruser-adrian__luca
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

3WgNXsWvMO.exe (PID: 7560 cmdline: "C:\Users\user\Desktop\3WgNXsWvMO.exe" MD5: 2DBE7F73969AEFD74D6726907B3BD5C0)

RegSvcs.exe (PID: 7656 cmdline: "C:\Users\user\Desktop\3WgNXsWvMO.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "serverche399@gpsamsterdamqroup.com", "Password": "     j4YX(KT7UCZ1      ", "Server": "fiber13.dnsiaas.com", "To": "almightstephen@gmail.com", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2585750967.0000000002866000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2584740372.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.2584740372.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2584740372.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.2584740372.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefa7:$a1: get_encryptedPassword 0xf2cf:$a2: get_encryptedUsername 0xed42:$a3: get_timePasswordChanged 0xee63:$a4: get_passwordField 0xefbd:$a5: set_encryptedPassword 0x10919:$a7: get_logins 0x105ca:$a8: GetOutlookPasswords 0x103bc:$a9: StartKeylogger 0x10869:$a10: KeyLoggerEventArgs 0x10419:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.1361663404.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000001.00000002.1361663404.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1361663404.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.1361663404.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.1361663404.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x141ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x136a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x139b7:$a4: \Orbitum\User Data\Default\Login Data 0x147af:$a5: \Kometa\User Data\Default\Login Data
Process Memory Space: 3WgNXsWvMO.exe PID: 7560	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: 3WgNXsWvMO.exe PID: 7560	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 3WgNXsWvMO.exe PID: 7560	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: 3WgNXsWvMO.exe PID: 7560	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x128a243:$a1: get_encryptedPassword 0x128a55c:$a2: get_encryptedUsername 0x1289ff2:$a3: get_timePasswordChanged 0x128a113:$a4: get_passwordField 0x128a259:$a5: set_encryptedPassword 0x128bb5c:$a7: get_logins 0x128b80d:$a8: GetOutlookPasswords 0x128b5ff:$a9: StartKeylogger 0x128baac:$a10: KeyLoggerEventArgs 0x128b65c:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7656	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7656	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7656	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7656	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x40462:$a1: get_encryptedPassword 0x4077b:$a2: get_encryptedUsername 0x40211:$a3: get_timePasswordChanged 0x40332:$a4: get_passwordField 0x40478:$a5: set_encryptedPassword 0x41d7b:$a7: get_logins 0x41a2c:$a8: GetOutlookPasswords 0x4181e:$a9: StartKeylogger 0x41ccb:$a10: KeyLoggerEventArgs 0x4187b:$a11: KeyLoggerEventArgsEventHandler
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
3.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x141ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x136a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x139b7:$a4: \Orbitum\User Data\Default\Login Data 0x147af:$a5: \Kometa\User Data\Default\Login Data
1.2.3WgNXsWvMO.exe.cf0000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.3WgNXsWvMO.exe.cf0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.3WgNXsWvMO.exe.cf0000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.3WgNXsWvMO.exe.cf0000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
1.2.3WgNXsWvMO.exe.cf0000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x123ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x118a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x11bb7:$a4: \Orbitum\User Data\Default\Login Data 0x129af:$a5: \Kometa\User Data\Default\Login Data
1.2.3WgNXsWvMO.exe.cf0000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.3WgNXsWvMO.exe.cf0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.3WgNXsWvMO.exe.cf0000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.3WgNXsWvMO.exe.cf0000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
1.2.3WgNXsWvMO.exe.cf0000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x141ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x136a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x139b7:$a4: \Orbitum\User Data\Default\Login Data 0x147af:$a5: \Kometa\User Data\Default\Login Data
Click to see the 10 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T18:28:44.394635+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49735	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 3.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "serverche399@gpsamsterdamqroup.com", "Password": " j4YX(KT7UCZ1 ", "Server": "fiber13.dnsiaas.com", "To": "almightstephen@gmail.com", "Port": 587}

Multi AV Scanner detection for submitted file

Source: 3WgNXsWvMO.exe	Virustotal: Detection: 73%			Perma Link
Source: 3WgNXsWvMO.exe	ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 3WgNXsWvMO.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: 3WgNXsWvMO.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.7:49744 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: 3WgNXsWvMO.exe, 00000001.00000003.1357777646.0000000003220000.00000004.00001000.00020000.00000000.sdmp, 3WgNXsWvMO.exe, 00000001.00000003.1357420908.0000000003720000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 3WgNXsWvMO.exe, 00000001.00000003.1357777646.0000000003220000.00000004.00001000.00020000.00000000.sdmp, 3WgNXsWvMO.exe, 00000001.00000003.1357420908.0000000003720000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_0019DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	1_2_0019DBBE
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_0016C2A2 FindFirstFileExW,	1_2_0016C2A2
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_001A68EE FindFirstFileW,FindClose,	1_2_001A68EE
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_001A698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	1_2_001A698F
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_0019D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_0019D076
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_0019D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_0019D3A9
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_001A9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_001A9642
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_001A979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_001A979D
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_001A9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	1_2_001A9B2B
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_001A5C97 FindFirstFileW,FindNextFileW,FindClose,	1_2_001A5C97

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02589731h	3_2_02589480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02589E5Ah	3_2_02589A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02589E5Ah	3_2_02589D87

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49735 -> 132.226.8.169:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.7:49744 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_001ACE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

1_2_001ACE44

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000003.00000002.2585750967.0000000002790000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000003.00000002.2585750967.0000000002790000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 00000003.00000002.2585750967.000000000277E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2585750967.0000000002790000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000003.00000002.2585750967.0000000002711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000003.00000002.2585750967.0000000002790000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: 3WgNXsWvMO.exe, 00000001.00000002.1361663404.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2584740372.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000003.00000002.2585750967.0000000002790000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: RegSvcs.exe, 00000003.00000002.2585750967.00000000027AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000003.00000002.2585750967.00000000027AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegSvcs.exe, 00000003.00000002.2585750967.0000000002711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 3WgNXsWvMO.exe, 00000001.00000002.1361663404.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2584740372.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000003.00000002.2585750967.0000000002790000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: 3WgNXsWvMO.exe, 00000001.00000002.1361663404.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2585750967.0000000002790000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2584740372.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000003.00000002.2585750967.0000000002790000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegSvcs.exe, 00000003.00000002.2585750967.0000000002790000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_001AEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

1_2_001AEAFF

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_001AED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_001AED6A

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

1_2_001AEAFF

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_0019AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

1_2_0019AA57

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_001C9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

1_2_001C9576

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.3WgNXsWvMO.exe.cf0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.3WgNXsWvMO.exe.cf0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.3WgNXsWvMO.exe.cf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.3WgNXsWvMO.exe.cf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000002.2584740372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.1361663404.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.1361663404.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: Process Memory Space: 3WgNXsWvMO.exe PID: 7560, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7656, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: 3WgNXsWvMO.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 3WgNXsWvMO.exe, 00000001.00000000.1320573885.00000000001F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_3680ec7c-1
Source: 3WgNXsWvMO.exe, 00000001.00000000.1320573885.00000000001F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_83e943c4-c
Source: 3WgNXsWvMO.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5fb24aa3-0
Source: 3WgNXsWvMO.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ab6c5266-a

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_0019D5EB: CreateFileW,DeviceIoControl,CloseHandle,

1_2_0019D5EB

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_00191201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

1_2_00191201

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_0019E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

1_2_0019E8F6

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_0013BF40	1_2_0013BF40
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_001A2046	1_2_001A2046
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_00138060	1_2_00138060
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_00198298	1_2_00198298
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_0016E4FF	1_2_0016E4FF
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_0016676B	1_2_0016676B
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_001C4873	1_2_001C4873
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_0015CAA0	1_2_0015CAA0
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_0013CAF0	1_2_0013CAF0
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_0014CC39	1_2_0014CC39
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_00166DD9	1_2_00166DD9
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_0014B119	1_2_0014B119
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_001391C0	1_2_001391C0
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_00151394	1_2_00151394
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_00151706	1_2_00151706
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_0015781B	1_2_0015781B
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_00137920	1_2_00137920
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_0014997D	1_2_0014997D
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_001519B0	1_2_001519B0
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_00157A4A	1_2_00157A4A
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_00151C77	1_2_00151C77
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_00157CA7	1_2_00157CA7
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_001BBE44	1_2_001BBE44
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_00169EEE	1_2_00169EEE
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_00151F32	1_2_00151F32
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_00F3FDD0	1_2_00F3FDD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0258C530	3_2_0258C530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02582DD1	3_2_02582DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02589480	3_2_02589480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_025819B8	3_2_025819B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0258C521	3_2_0258C521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0258946F	3_2_0258946F

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: String function: 00139CB3 appears 31 times
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: String function: 00150A30 appears 46 times
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: String function: 0014F9F2 appears 40 times

Source: 3WgNXsWvMO.exe, 00000001.00000003.1357777646.0000000003343000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 3WgNXsWvMO.exe
Source: 3WgNXsWvMO.exe, 00000001.00000003.1358867985.000000000384D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 3WgNXsWvMO.exe
Source: 3WgNXsWvMO.exe, 00000001.00000002.1361663404.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs 3WgNXsWvMO.exe

Source: 3WgNXsWvMO.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.3WgNXsWvMO.exe.cf0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.3WgNXsWvMO.exe.cf0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.3WgNXsWvMO.exe.cf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.3WgNXsWvMO.exe.cf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.2584740372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.1361663404.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.1361663404.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: 3WgNXsWvMO.exe PID: 7560, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7656, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/2

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_001A37B5 GetLastError,FormatMessageW,

1_2_001A37B5

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_001910BF AdjustTokenPrivileges,CloseHandle,		1_2_001910BF
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_001916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		1_2_001916C3

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_001A51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

1_2_001A51CD

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_001BA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_001BA67C

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_001A648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

1_2_001A648E

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_001342A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

1_2_001342A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

File created: C:\Users\user~1\AppData\Local\Temp\aut2230.tmp

Jump to behavior

Source: 3WgNXsWvMO.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.2585750967.000000000282F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2585750967.0000000002823000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2585750967.000000000280F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2585750967.00000000027F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2585750967.0000000002800000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2586360303.000000000373D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 3WgNXsWvMO.exe	Virustotal: Detection: 73%
Source: 3WgNXsWvMO.exe	ReversingLabs: Detection: 73%

Source: unknown	Process created: C:\Users\user\Desktop\3WgNXsWvMO.exe "C:\Users\user\Desktop\3WgNXsWvMO.exe"
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\3WgNXsWvMO.exe"
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\3WgNXsWvMO.exe"	Jump to behavior

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 3WgNXsWvMO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 3WgNXsWvMO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 3WgNXsWvMO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 3WgNXsWvMO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 3WgNXsWvMO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 3WgNXsWvMO.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 3WgNXsWvMO.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: 3WgNXsWvMO.exe, 00000001.00000003.1357777646.0000000003220000.00000004.00001000.00020000.00000000.sdmp, 3WgNXsWvMO.exe, 00000001.00000003.1357420908.0000000003720000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 3WgNXsWvMO.exe, 00000001.00000003.1357777646.0000000003220000.00000004.00001000.00020000.00000000.sdmp, 3WgNXsWvMO.exe, 00000001.00000003.1357420908.0000000003720000.00000004.00001000.00020000.00000000.sdmp

Source: 3WgNXsWvMO.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 3WgNXsWvMO.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 3WgNXsWvMO.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 3WgNXsWvMO.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 3WgNXsWvMO.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_001342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_001342DE

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_00150A76 push ecx; ret	1_2_00150A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0258B3A8 push eax; iretd	3_2_0258B445
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02583493 push ebx; retf	3_2_0258349A

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_0014F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		1_2_0014F98E
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_001C1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		1_2_001C1C41

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_1-99040

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

API/Special instruction interceptor: Address: F3F9F4

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

API coverage: 3.9 %

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_0019DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	1_2_0019DBBE
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_0016C2A2 FindFirstFileExW,	1_2_0016C2A2
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_001A68EE FindFirstFileW,FindClose,	1_2_001A68EE
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_001A698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	1_2_001A698F
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_0019D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_0019D076
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_0019D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_0019D3A9
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_001A9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_001A9642
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_001A979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_001A979D
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_001A9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	1_2_001A9B2B
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_001A5C97 FindFirstFileW,FindNextFileW,FindClose,	1_2_001A5C97

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_001342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_001342DE

Source: RegSvcs.exe, 00000003.00000002.2585231841.0000000000A99000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllme

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_001AEAA2 BlockInput,

1_2_001AEAA2

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_00162622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00162622

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_001342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_001342DE

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_00154CE8 mov eax, dword ptr fs:[00000030h]	1_2_00154CE8
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_00F3E660 mov eax, dword ptr fs:[00000030h]	1_2_00F3E660
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_00F3FCC0 mov eax, dword ptr fs:[00000030h]	1_2_00F3FCC0
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_00F3FC60 mov eax, dword ptr fs:[00000030h]	1_2_00F3FC60

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_00190B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

1_2_00190B62

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_00162622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00162622
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_0015083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0015083F
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_001509D5 SetUnhandledExceptionFilter,	1_2_001509D5
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_00150C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00150C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 6C8008

Jump to behavior

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

1_2_00191201

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_00172BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00172BA5

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_0019B226 SendInput,keybd_event,

1_2_0019B226

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_001B22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

1_2_001B22DA

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\3WgNXsWvMO.exe"

Jump to behavior

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

1_2_00190B62

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_00191663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

1_2_00191663

Source: 3WgNXsWvMO.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 3WgNXsWvMO.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_00150698 cpuid

1_2_00150698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_001A8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

1_2_001A8195

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_0018D27A GetUserNameW,

1_2_0018D27A

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_0016B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

1_2_0016B952

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe

Code function: 1_2_001342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_001342DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.3WgNXsWvMO.exe.cf0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.3WgNXsWvMO.exe.cf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2584740372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1361663404.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3WgNXsWvMO.exe PID: 7560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7656, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.3WgNXsWvMO.exe.cf0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.3WgNXsWvMO.exe.cf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2584740372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1361663404.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3WgNXsWvMO.exe PID: 7560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7656, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 3WgNXsWvMO.exe	Binary or memory string: WIN_81
Source: 3WgNXsWvMO.exe	Binary or memory string: WIN_XP
Source: 3WgNXsWvMO.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: 3WgNXsWvMO.exe	Binary or memory string: WIN_XPe
Source: 3WgNXsWvMO.exe	Binary or memory string: WIN_VISTA
Source: 3WgNXsWvMO.exe	Binary or memory string: WIN_7
Source: 3WgNXsWvMO.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.3WgNXsWvMO.exe.cf0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.3WgNXsWvMO.exe.cf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2585750967.0000000002866000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2584740372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1361663404.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3WgNXsWvMO.exe PID: 7560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7656, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.3WgNXsWvMO.exe.cf0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.3WgNXsWvMO.exe.cf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2584740372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1361663404.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3WgNXsWvMO.exe PID: 7560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7656, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.3WgNXsWvMO.exe.cf0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.3WgNXsWvMO.exe.cf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2584740372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1361663404.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3WgNXsWvMO.exe PID: 7560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7656, type: MEMORYSTR

Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_001B1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		1_2_001B1204
Source: C:\Users\user\Desktop\3WgNXsWvMO.exe	Code function: 1_2_001B1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		1_2_001B1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	221 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
3WgNXsWvMO.exe	73%	Virustotal		Browse
3WgNXsWvMO.exe	74%	ReversingLabs	Win32.Worm.DorkBot
3WgNXsWvMO.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.80.1	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l	RegSvcs.exe, 00000003.00000002.2585750967.0000000002790000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	RegSvcs.exe, 00000003.00000002.2585750967.0000000002790000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	3WgNXsWvMO.exe, 00000001.00000002.1361663404.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2584740372.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	RegSvcs.exe, 00000003.00000002.2585750967.00000000027AD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	RegSvcs.exe, 00000003.00000002.2585750967.0000000002790000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000003.00000002.2585750967.00000000027AD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	RegSvcs.exe, 00000003.00000002.2585750967.0000000002790000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	RegSvcs.exe, 00000003.00000002.2585750967.0000000002790000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000003.00000002.2585750967.000000000277E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2585750967.0000000002790000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000003.00000002.2585750967.0000000002790000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	RegSvcs.exe, 00000003.00000002.2585750967.0000000002790000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000003.00000002.2585750967.0000000002711000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	3WgNXsWvMO.exe, 00000001.00000002.1361663404.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2584740372.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	3WgNXsWvMO.exe, 00000001.00000002.1361663404.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2585750967.0000000002790000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2584740372.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States		16989	UTMEMUS	false
104.21.80.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587838
Start date and time:	2025-01-10 18:27:36 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	3WgNXsWvMO.exe renamed because original name is a hash value
Original Sample Name:	12ba2968289b6481ff52ba0d28aedfabb961145072da218dd13c6b9353d1eb04.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 49 Number of non-executed functions: 288
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200, 4.175.87.197
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 7656 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	jqxrkk.ps1	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Order_List.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
104.21.80.1	qlG7x91YXH.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/0hqe/
	6uHfmjGMfL.exe	Get hash	malicious	Amadey	Browse	clientservices.sgoogleapis.observer/api/index.php
	http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X	Get hash	malicious	Unknown	Browse	my.cradaygo.com/smmylet
	SW_48912.scr.exe	Get hash	malicious	FormBook	Browse	www.dejikenkyu.cyou/pmpa/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	hiranetwork.com/administrator/index.php
	downloader2.hta	Get hash	malicious	XWorm	Browse	2k8u3.org/wininit.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	SBkuP3ACSA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
checkip.dyndns.com	SBkuP3ACSA.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	SBkuP3ACSA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	KcSzB2IpP5.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	secured File__esperion.com.html	Get hash	malicious	Phisher	Browse	104.17.25.14
	secured File__esperion.com.html	Get hash	malicious	Phisher	Browse	104.17.25.14
	https://www.depoqq.win/geno	Get hash	malicious	Unknown	Browse	104.18.27.193
	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	phish_alert_sp2_2.0.0.0 (1).eml	Get hash	malicious	Unknown	Browse	104.18.32.25
	4sfN3Gx1vO.exe	Get hash	malicious	FormBook	Browse	104.21.64.1
	smQoKNkwB7.exe	Get hash	malicious	FormBook	Browse	104.21.18.171
	https://www.shinsengumiusa.com/mrloskie	Get hash	malicious	Unknown	Browse	104.16.79.73
UTMEMUS	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	SBkuP3ACSA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	ql8KpEHT7y.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	8kDIr4ZdNj.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1

Process:	C:\Users\user\Desktop\3WgNXsWvMO.exe
File Type:	data
Category:	dropped
Size (bytes):	57114
Entropy (8bit):	7.814712978119932
Encrypted:	false
SSDEEP:	768:/W4ftFvAW1MpxcEiVvFv02swtmMny70rm6ElHfqV41lOvqD5nzIbS7WK:O4ftF4PpazB02JTny7eqjtD5zIGiK
MD5:	70C332306A9BE161541EBE457A875D34
SHA1:	7BE9D0BFF38E5EAE333CA4B3288354CECDE8AE89
SHA-256:	033EE2BACFEBF5EE1B528670EE02E5A161BB7DD1A9F9451A23C0D870ACEF6E6A
SHA-512:	D75E17667AFABC555AD9B5E29CC1AA238DB04CBF2B3D44A67322EA279FC148B8E543502558B6F2983015FCA8BC5C76E0DF0716E78AA3CD02B3FBA5026F2CE1A1
Malicious:	false
Reputation:	low
Preview:	EA06..n.....ZM^qA.V(4>>..5........Q..i@.....}[...H.S...F:3.^p.kd..+...S..W:.H.3i\|..q..-RZl.!1....$VO8.I#.Ze&8....v.C.T.\..A..`..:.N.1...kV......t.....a.....p..V.49..Ff.....@. ..W.q&....qA.$e... .c..........1........Mh.!...g.x.......\j.X..'l.:....g&`....l.0....W.Hc......N@..\....@.>..b...H.U.,.qA..Zf.U.0&.....P..T\|{...&.'..b.C.g.....3.$,U.....Pq....&U.o.z.U/.....f.@.U....MQ...`..(p......W@..!.h..S.....a8.. ....0............K..5X...K.\....F.?.U...]..8.......e..Pi;..^kN.G(3....8....../a].4/p.'S...+..d...U8.@$.......+t.:.Z...AL..+Q.......$..t.[X..b.:..#..2..H..... @..j_D..q:.j.?.....U.5?..(4x.F...P@'........b.k..${y.O;..r.X...P..(3.......g`.......W{.>.....6.H.aJ..4.X..}.R.5y..7N....]2^..J.....j.0.=...F..._. ......@.+..ew........2..7.5.ep..$.y.&U...+.:=....PfR;m.qU..iUy..ep.. .....H.SZUGqp.V(..5F...@....}z...4.......v@....c....Sk..'.`..o\.[...^6OZ.[)Uy...../8I.........".5..5.gb2..R%.,..!......;.[@Z...*..$6Y.N.H........;.B.]...e#.......:.Sd@@..o

C:\Users\user\AppData\Local\Temp\sticket

Download File

Process:	C:\Users\user\Desktop\3WgNXsWvMO.exe
File Type:	data
Category:	modified
Size (bytes):	93696
Entropy (8bit):	6.712659869138927
Encrypted:	false
SSDEEP:	1536:i5gg1B9KI9OW5KYwWDC+2Xr4u+9ZZFbOxzunHSnyWEQi9/HRkgFx:cgmV9OojDC+a4Zxn3zTx
MD5:	21E71A758C15CBC824A9287DF435C0EE
SHA1:	EFAEED7384FF7EFAA2F049F78A5088DF89D80E52
SHA-256:	A7942F3BF1623C1AAC2C4FB472CCFD9195AAA5F05191D6009F867405782710BC
SHA-512:	1E668DC8BB4401735286DF5F8BF86DE4908C0F5FB55003FBA1CA38C11D0A292D0E3075F5320310596E677BAA94E55BC26A6F1B5FEF07B09FDF5FD10ED84BEBB8
Malicious:	false
Reputation:	low
Preview:	u..5IW8A4XAC.W5.W8A0XACxQW5JW8A0XAC8QW5JW8A0XAC8QW5JW8A0XAC.QW5DH.O0.H...Vy.vl)Y+a3J>0G+:."Q6/,Lq5Pj%M/.1/c\|...'8\$.ULI.QW5JW8A`.ACtPT5....0XAC8QW5.W:@;Y.C85V5J_8A0XAC..V5Jw8A0.@C8Q.5Jw8A0ZAC<QW5JW8A6XAC8QW5J.9A0ZAC8QW5HWX.0XQC8AW5JW(A0HAC8QW5ZW8A0XAC8QW5..9AgXAC8.V5.R8A0XAC8QW5JW8A0XAC8.V5FW8A0XAC8QW5JW8A0XAC8QW5JW8A0XAC8QW5JW8A0XAC8QW5JW8A0xAC0QW5JW8A0XAC0qW5.W8A0XAC8QW5d#]9DXAC.3V5Jw8A0<@C8SW5JW8A0XAC8QW5jW8!.21[QW5.R8A0.@C8WW5J19A0XAC8QW5JW8ApXA..#2Y%48A<XAC8.V5JU8A04@C8QW5JW8A0XACxQWwJW8A0XAC8QW5JW8A..@C8QW5.W8A2XDC\|.W5J.8A3XACbQW3.8A.XAC8QW5JW8A0XAC8QW5JW8A0XAC8QW5JW8A0XAC8QW5..N..*K..5JW8A0YC@<W_=JW8A0XACFQW5.W8ApXAC.QW5oW8A]XAC.QW54W8ANXAC\QW58W8AQXAC.QW5%W8A^XACFQW5TU.^0XKi.QU.jW8K0r.0.QW?.V8A4+cC8[.7JW<2.XAI.RW5N$.A0R.G8QSFoW8K.]AC<{.5I..G0XZ,.QW?JT.T6XAX.wW7bn8A:Xke8R. LW8Z.zAA.XW5N}n2-XAE..W5@#1A0Z.I8QS.TU..0XKi./D5JS.A.z?W8QS.J}.?%XAG.Q}.4A8A4sAi./@5JS.A.^k!8#.9J';.QXAE..W5@.xA0^Ai.Q);JW<C_.AC2w}.J.hA0^AkiQW3J}.ANkAC<}PKyW8E.N?r8QS.L/8A6+.C8[r.yW8E..AC2Q}.J.aA0^AktQW3

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.842387317873482
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	3WgNXsWvMO.exe
File size:	1'040'384 bytes
MD5:	2dbe7f73969aefd74d6726907b3bd5c0
SHA1:	622071ca215a11bf95b0bcae37fdbb6bd0ce17e0
SHA256:	12ba2968289b6481ff52ba0d28aedfabb961145072da218dd13c6b9353d1eb04
SHA512:	2864c71c22d978e64d35924eb2dcf84fb43bfbd898122fa13ce07ff3c66b8457882837d72bc036d8c6badd14a6fa393fdd0c6f4440b687102549afbbc556139c
SSDEEP:	24576:1qDEvCTbMWu7rQYlBQcBiT6rprG8aO0Hlx/xM3:1TvC/MTQYxsWR7aO0Hlx/K
TLSH:	FA25AE0273C1C062FFAB92734B5AF6115BBC69260123E61F13A81D79BE705B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67635940 [Wed Dec 18 23:22:40 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F5050E387E3h
jmp 00007F5050E380EFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F5050E382CDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F5050E3829Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F5050E3AE8Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F5050E3AED8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F5050E3AEC1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x275ec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xfc000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x275ec	0x27600	f5d38071d40033f3f4c20033d133d701	False	0.8336309523809524	data	7.637901271360672	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xfc000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1e8b3	data			1.0003676852614163
RT_GROUP_ICON	0xfb06c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xfb0e4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xfb0f8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xfb10c	0x14	data	English	Great Britain	1.25
RT_VERSION	0xfb120	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xfb1fc	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T18:28:44.394635+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49735	132.226.8.169	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 18:28:43.129677057 CET	49735	80	192.168.2.7	132.226.8.169
Jan 10, 2025 18:28:43.134542942 CET	80	49735	132.226.8.169	192.168.2.7
Jan 10, 2025 18:28:43.134788990 CET	49735	80	192.168.2.7	132.226.8.169
Jan 10, 2025 18:28:43.135173082 CET	49735	80	192.168.2.7	132.226.8.169
Jan 10, 2025 18:28:43.139976978 CET	80	49735	132.226.8.169	192.168.2.7
Jan 10, 2025 18:28:43.985285044 CET	80	49735	132.226.8.169	192.168.2.7
Jan 10, 2025 18:28:44.035290956 CET	49735	80	192.168.2.7	132.226.8.169
Jan 10, 2025 18:28:44.042176962 CET	49735	80	192.168.2.7	132.226.8.169
Jan 10, 2025 18:28:44.047032118 CET	80	49735	132.226.8.169	192.168.2.7
Jan 10, 2025 18:28:44.346955061 CET	80	49735	132.226.8.169	192.168.2.7
Jan 10, 2025 18:28:44.359673023 CET	49744	443	192.168.2.7	104.21.80.1
Jan 10, 2025 18:28:44.359723091 CET	443	49744	104.21.80.1	192.168.2.7
Jan 10, 2025 18:28:44.359795094 CET	49744	443	192.168.2.7	104.21.80.1
Jan 10, 2025 18:28:44.394634962 CET	49735	80	192.168.2.7	132.226.8.169
Jan 10, 2025 18:28:44.553061962 CET	49744	443	192.168.2.7	104.21.80.1
Jan 10, 2025 18:28:44.553100109 CET	443	49744	104.21.80.1	192.168.2.7
Jan 10, 2025 18:28:45.017880917 CET	443	49744	104.21.80.1	192.168.2.7
Jan 10, 2025 18:28:45.017976999 CET	49744	443	192.168.2.7	104.21.80.1
Jan 10, 2025 18:28:45.039568901 CET	49744	443	192.168.2.7	104.21.80.1
Jan 10, 2025 18:28:45.039599895 CET	443	49744	104.21.80.1	192.168.2.7
Jan 10, 2025 18:28:45.039987087 CET	443	49744	104.21.80.1	192.168.2.7
Jan 10, 2025 18:28:45.082127094 CET	49744	443	192.168.2.7	104.21.80.1
Jan 10, 2025 18:28:45.324863911 CET	49744	443	192.168.2.7	104.21.80.1
Jan 10, 2025 18:28:45.367340088 CET	443	49744	104.21.80.1	192.168.2.7
Jan 10, 2025 18:28:45.445789099 CET	443	49744	104.21.80.1	192.168.2.7
Jan 10, 2025 18:28:45.445858955 CET	443	49744	104.21.80.1	192.168.2.7
Jan 10, 2025 18:28:45.445919037 CET	49744	443	192.168.2.7	104.21.80.1
Jan 10, 2025 18:28:45.480431080 CET	49744	443	192.168.2.7	104.21.80.1
Jan 10, 2025 18:29:49.340559006 CET	80	49735	132.226.8.169	192.168.2.7
Jan 10, 2025 18:29:49.340617895 CET	49735	80	192.168.2.7	132.226.8.169
Jan 10, 2025 18:30:24.348953009 CET	49735	80	192.168.2.7	132.226.8.169
Jan 10, 2025 18:30:24.353867054 CET	80	49735	132.226.8.169	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 18:28:42.984050989 CET	61581	53	192.168.2.7	1.1.1.1
Jan 10, 2025 18:28:42.992465973 CET	53	61581	1.1.1.1	192.168.2.7
Jan 10, 2025 18:28:44.349139929 CET	52711	53	192.168.2.7	1.1.1.1
Jan 10, 2025 18:28:44.358824968 CET	53	52711	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 18:28:42.984050989 CET	192.168.2.7	1.1.1.1	0xa450	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:28:44.349139929 CET	192.168.2.7	1.1.1.1	0xf478	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 18:28:42.992465973 CET	1.1.1.1	192.168.2.7	0xa450	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 18:28:42.992465973 CET	1.1.1.1	192.168.2.7	0xa450	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:28:42.992465973 CET	1.1.1.1	192.168.2.7	0xa450	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:28:42.992465973 CET	1.1.1.1	192.168.2.7	0xa450	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:28:42.992465973 CET	1.1.1.1	192.168.2.7	0xa450	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:28:42.992465973 CET	1.1.1.1	192.168.2.7	0xa450	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:28:44.358824968 CET	1.1.1.1	192.168.2.7	0xf478	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:28:44.358824968 CET	1.1.1.1	192.168.2.7	0xf478	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:28:44.358824968 CET	1.1.1.1	192.168.2.7	0xf478	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:28:44.358824968 CET	1.1.1.1	192.168.2.7	0xf478	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:28:44.358824968 CET	1.1.1.1	192.168.2.7	0xf478	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:28:44.358824968 CET	1.1.1.1	192.168.2.7	0xf478	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:28:44.358824968 CET	1.1.1.1	192.168.2.7	0xf478	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49735	132.226.8.169	80	7656	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:28:43.135173082 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 18:28:43.985285044 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:28:43 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 18:28:44.042176962 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 18:28:44.346955061 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:28:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49744	104.21.80.1	443	7656	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 17:28:45 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 17:28:45 UTC	849	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 17:28:45 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1844914 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D2EwpCqixipgkL3VaTqen3uXYvlxsyAGi0NOg3mHaxRgNZySWdHh0QC63kswmorUxbNUDnkt5KTTwqi04Sx0bkT7lb4Mzmi9LoiLIo64GfazKwVfbQRkFGuRC8LFttPekAr51GNk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe62a3a8c343ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1564&min_rtt=1550&rtt_var=609&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1756919&cwnd=228&unsent_bytes=0&cid=7662938933a5eb96&ts=439&x=0"
2025-01-10 17:28:45 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	1
Start time:	12:28:37
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\3WgNXsWvMO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\3WgNXsWvMO.exe"
Imagebase:	0x130000
File size:	1'040'384 bytes
MD5 hash:	2DBE7F73969AEFD74D6726907B3BD5C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.1361663404.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1361663404.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.1361663404.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.1361663404.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000001.00000002.1361663404.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:28:41
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\3WgNXsWvMO.exe"
Imagebase:	0x460000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2585750967.0000000002866000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.2584740372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2584740372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.2584740372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.2584740372.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	4.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	51

Executed Functions

Function 001342DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0013430D

Part of subcall function 00136B57: _wcslen.LIBCMT ref: 00136B6A

GetCurrentProcess.KERNEL32(?,001CCB64,00000000,?,?), ref: 00134422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00134429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00134454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00134466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00134474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0013447B
GetSystemInfo.KERNEL32(?,?,?), ref: 001344A0

Strings

|O, xrefs: 001736F8
GetNativeSystemInfo, xrefs: 00134460
kernel32.dll, xrefs: 0013444F

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: ffdf2a7178e51a9844b0d351ad22deda8adc28a6414bc192b91386bbf4badf6a
Instruction ID: bd9495c06523d1b0a13e63d3eb40a6e323dc594107103271b67d10f2733508ce
Opcode Fuzzy Hash: ffdf2a7178e51a9844b0d351ad22deda8adc28a6414bc192b91386bbf4badf6a
Instruction Fuzzy Hash: CDA1A36290A3C0DFC715C7797C896A57FF47B26340F0898E9E09593A63D3305AA8DB61

Function 001342A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,001350AA,?,?,00000000,00000000), ref: 001342B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001350AA,?,?,00000000,00000000), ref: 001342C9
LoadResource.KERNEL32(?,00000000,?,?,001350AA,?,?,00000000,00000000,?,?,?,?,?,?,00134F20), ref: 001735BE
SizeofResource.KERNEL32(?,00000000,?,?,001350AA,?,?,00000000,00000000,?,?,?,?,?,?,00134F20), ref: 001735D3
LockResource.KERNEL32(001350AA,?,?,001350AA,?,?,00000000,00000000,?,?,?,?,?,?,00134F20,?), ref: 001735E6

Strings

SCRIPT, xrefs: 001342BF

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: c6830bdd7a58e2db7f49193993d8423be1abb90fa8536ff6ef9957fcb895f124
Instruction ID: 58a6ba30794e66a2b4590f364275835a3a73f2ae6a401692987c98acde936e1b
Opcode Fuzzy Hash: c6830bdd7a58e2db7f49193993d8423be1abb90fa8536ff6ef9957fcb895f124
Instruction Fuzzy Hash: 6C118E70200700BFD7218BA6EC48F677BBDEBC6B51F14816DF456D6A50DB71EC408A60

Function 00172BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00132B6B

Part of subcall function 00133A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00201418,?,00132E7F,?,?,?,00000000), ref: 00133A78

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,001F2224), ref: 00172C10
ShellExecuteW.SHELL32(00000000,?,?,001F2224), ref: 00172C17

Strings

runas, xrefs: 00172C0B

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 8603eca4d9a2b1c7717bdaf2bb878ae2baf63599e64f8377ed3f862fd7f3782a
Instruction ID: f1ad4b4322c43e72a04ee5a96316b0d3d82f90e7c77ceb3f7cc80dc020c68fec
Opcode Fuzzy Hash: 8603eca4d9a2b1c7717bdaf2bb878ae2baf63599e64f8377ed3f862fd7f3782a
Instruction Fuzzy Hash: 6811B631208345AAC718FF60E855DBEBBA4AFB1350F44542DF196570A3CF718A5AC752

Function 0019DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00175222), ref: 0019DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0019DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 0019DBEE
FindClose.KERNEL32(00000000), ref: 0019DBFA

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 38f2b01b47925bf2d8d61ddf644ac7fda21a921825417b545afe0d538f55a0f2
Instruction ID: 6e77082e2a57ef4bb322096f8bd5c648cae5024dfac3b9d4c902d1a986d72105
Opcode Fuzzy Hash: 38f2b01b47925bf2d8d61ddf644ac7fda21a921825417b545afe0d538f55a0f2
Instruction Fuzzy Hash: 95F0A030810910578A206B78EC0D8AA7B6D9F02334B14470AF83AC28E0EBB09D9586D5

Function 0013BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p# , xrefs: 001807CE

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#
API String ID: 3964851224-779609835
Opcode ID: 59d46f766de6ea53b59f3b4fec815dfe83ccbfbf16b4a037b5ffa3e84533a3b8
Instruction ID: c21920c408dea0e310525788fd7e4d8fdaf7d1e80912a8d1e9fd9dbfdc86727a
Opcode Fuzzy Hash: 59d46f766de6ea53b59f3b4fec815dfe83ccbfbf16b4a037b5ffa3e84533a3b8
Instruction Fuzzy Hash: 08A27870A083018FD755DF28C480B2ABBE1BF99304F15896DE89A9B352D771ED49CF92

Function 0013D730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0013D807
timeGetTime.WINMM ref: 0013DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0013DB28
TranslateMessage.USER32(?), ref: 0013DB7B
DispatchMessageW.USER32(?), ref: 0013DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0013DB9F
Sleep.KERNEL32(0000000A), ref: 0013DBB1

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 22500d97b9195754595fe0980447ae9a3d34fa855d9b1ef6646e5024d9f7afd6
Instruction ID: cb67f45df47328697853dbfb1ea5ae08df020de23b7a9540ef30073ef94f2d03
Opcode Fuzzy Hash: 22500d97b9195754595fe0980447ae9a3d34fa855d9b1ef6646e5024d9f7afd6
Instruction Fuzzy Hash: 23420230608341EFD729DF24E888BAABBE4FF56304F55855DE456872A1D770E984CF82

Function 00132CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00132D07
RegisterClassExW.USER32(00000030), ref: 00132D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00132D42
InitCommonControlsEx.COMCTL32(?), ref: 00132D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00132D6F
LoadIconW.USER32(000000A9), ref: 00132D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00132D94

Strings

+, xrefs: 00132CF0
AutoIt v3 GUI, xrefs: 00132D23
0, xrefs: 00132CE9
TaskbarCreated, xrefs: 00132D37

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: def8e41ca50848e61465627168446f73244a87fb15355424760dce9394e1ba9a
Instruction ID: 925db3465b67a27e6204b1a4350fec61e78c482e840d30743d3e6e58809ff723
Opcode Fuzzy Hash: def8e41ca50848e61465627168446f73244a87fb15355424760dce9394e1ba9a
Instruction Fuzzy Hash: 9321B2B5D01318AFDB00DFA4E949B9DBFB4FB08B04F00411AF615A66A0D7B189948F91

Function 0017065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0017039A: CreateFileW.KERNELBASE(00000000,00000000,?,00170704,?,?,00000000,?,00170704,00000000,0000000C), ref: 001703B7

GetLastError.KERNEL32 ref: 0017076F
__dosmaperr.LIBCMT ref: 00170776
GetFileType.KERNELBASE(00000000), ref: 00170782
GetLastError.KERNEL32 ref: 0017078C
__dosmaperr.LIBCMT ref: 00170795
CloseHandle.KERNEL32(00000000), ref: 001707B5
CloseHandle.KERNEL32(?), ref: 001708FF
GetLastError.KERNEL32 ref: 00170931
__dosmaperr.LIBCMT ref: 00170938

Strings

H, xrefs: 001708BD

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 0193104ad6a9c99eccc5d10ba0e21631153d256ee3c57c6191e5f559757d011a
Instruction ID: aa2162b731ebbfd8ba0a450f220d691fad7fa0d55bbc1bca23acba04662224ae
Opcode Fuzzy Hash: 0193104ad6a9c99eccc5d10ba0e21631153d256ee3c57c6191e5f559757d011a
Instruction Fuzzy Hash: 93A11632A10244CFDF1A9F68D855BAD3BB0AB1A324F14815DF8599F392CB319D16CB91

Function 0013344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00133A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00201418,?,00132E7F,?,?,?,00000000), ref: 00133A78

Part of subcall function 00133357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00133379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0013356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0017318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001731CE
RegCloseKey.ADVAPI32(?), ref: 00173210
_wcslen.LIBCMT ref: 00173277
_wcslen.LIBCMT ref: 00173286

Strings

Include, xrefs: 00173184, 001731C5
Software\AutoIt v3\AutoIt, xrefs: 00133560
\Include\, xrefs: 00133527
\, xrefs: 0017328C

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: b2545d0d5ecc863ac32f7979507e63f787387838457b5260109c0353d4468f66
Instruction ID: 95544b34bc0e5ceda1fee6e6365bc7c0ffb7539af70b97c16e1d5c713864a84a
Opcode Fuzzy Hash: b2545d0d5ecc863ac32f7979507e63f787387838457b5260109c0353d4468f66
Instruction Fuzzy Hash: 40719F71404301DEC304EF65EC8A95BBBF8FFA4740F40486EF559971A2EB749A48CB52

Function 00132B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00132B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00132B9D
LoadIconW.USER32(00000063), ref: 00132BB3
LoadIconW.USER32(000000A4), ref: 00132BC5
LoadIconW.USER32(000000A2), ref: 00132BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00132BEF
RegisterClassExW.USER32(?), ref: 00132C40

Part of subcall function 00132CD4: GetSysColorBrush.USER32(0000000F), ref: 00132D07
Part of subcall function 00132CD4: RegisterClassExW.USER32(00000030), ref: 00132D31
Part of subcall function 00132CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00132D42
Part of subcall function 00132CD4: InitCommonControlsEx.COMCTL32(?), ref: 00132D5F
Part of subcall function 00132CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00132D6F
Part of subcall function 00132CD4: LoadIconW.USER32(000000A9), ref: 00132D85
Part of subcall function 00132CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00132D94

Strings

#, xrefs: 00132C16
AutoIt v3, xrefs: 00132C2F
0, xrefs: 00132C0F

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: b708283e62a9c7032bb75d76f7811dc3e075d00f670b3659dd343e9d48da1bad
Instruction ID: 994271c3fe7f04397ef86143548cf2682e309df8428a8f49b155ee4ddc93ba63
Opcode Fuzzy Hash: b708283e62a9c7032bb75d76f7811dc3e075d00f670b3659dd343e9d48da1bad
Instruction Fuzzy Hash: BB212970E00318ABDB109FA5FC59BA97FF4FB48B50F04009AF504A66A1D7B14960CF94

Function 00133170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0013316A,?,?), ref: 001331D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0013316A,?,?), ref: 00133204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00133227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0013316A,?,?), ref: 00133232
CreatePopupMenu.USER32 ref: 00133246
PostQuitMessage.USER32(00000000), ref: 00133267

Strings

TaskbarCreated, xrefs: 0013322D

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: dfb1810e7437d7fffa63ed673dd522db911aa1e24234cb812d2fe57caf5a738a
Instruction ID: c3b1b362ed9fea80a5c6a29af79a5c3493b61b4b1f0ed72b2e1d3c5f8f446706
Opcode Fuzzy Hash: dfb1810e7437d7fffa63ed673dd522db911aa1e24234cb812d2fe57caf5a738a
Instruction Fuzzy Hash: 25416935610304ABDF282B78ED0DF7A3A29EB05340F044125F52A866E2CB71CEA197A9

Function 0013DFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D% , xrefs: 00182FDA
D% , xrefs: 0018302D
D% , xrefs: 0013E4B1
D% D% , xrefs: 0013E27E
D% , xrefs: 0013E1E0
Variable must be of type 'Object'., xrefs: 001832B7

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID:
String ID: D% $D% $D% $D% $D% D% $Variable must be of type 'Object'.
API String ID: 0-3193118911
Opcode ID: afbd84e38d96698a01fd109735e910bf4f784f8e70be55c89f3ce85d3ab0274f
Instruction ID: 3516e578f054718c5d54b91406e96cf15aa71a05d3170da8994ca46defdeec71
Opcode Fuzzy Hash: afbd84e38d96698a01fd109735e910bf4f784f8e70be55c89f3ce85d3ab0274f
Instruction Fuzzy Hash: 5FC27975E00204CFCB28DF98C884AADB7F1BF19710F258169E956AB3A1D375EE41CB91

Function 00168D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc073374358d5020fad1d82f152cc48d184f525dece1f3506171157e88106528
Instruction ID: fb242f5df69bc7b675c684e5f09bbd52edbfa672d42728ef498527ddc45db39b
Opcode Fuzzy Hash: fc073374358d5020fad1d82f152cc48d184f525dece1f3506171157e88106528
Instruction Fuzzy Hash: 09C1E3B4904249EFDF11DFA8DC45BADBBB8AF19310F044199F815AB392CB309952CB61

Function 00F3EDB0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00F3EE81
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F3F0A7

Memory Dump Source

Source File: 00000001.00000002.1361962556.0000000000F3C000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F3C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f3c000_3WgNXsWvMO.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
Instruction ID: 08d42abda2773c1cb1c98cd3e90ab18aa5b2d0323b917108de0b16c6f4b070bd
Opcode Fuzzy Hash: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
Instruction Fuzzy Hash: BAA12B75E00209EBDB14CFA4C894BEEBBB5FF48324F208169E505BB281C7759A84DF94

Function 00132C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00132C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00132CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00131CAD,?), ref: 00132CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00131CAD,?), ref: 00132CCF

Strings

AutoIt v3, xrefs: 00132C89, 00132C8E, 00132C8F
edit, xrefs: 00132CAC

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 998f6763a5d7846f5031b225f0629136b1a4ef74c6c1a8e760e38b4730afea76
Instruction ID: 088d444500af24a66ecea9d6b5f43bb04904bc88888d1e739d357f6caafd9b01
Opcode Fuzzy Hash: 998f6763a5d7846f5031b225f0629136b1a4ef74c6c1a8e760e38b4730afea76
Instruction Fuzzy Hash: B0F0DA755403907AEB311717BC0DE773EBDD7C6F50B00109EF904A29A1C6715C61DAB0

Function 00F3EBA0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F3EA90: Sleep.KERNELBASE(000001F4), ref: 00F3EAA1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00F3EC9F

Strings

8QW5JW8A0XAC, xrefs: 00F3ED02, 00F3ED05

Memory Dump Source

Source File: 00000001.00000002.1361962556.0000000000F3C000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F3C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f3c000_3WgNXsWvMO.jbxd

Similarity

API ID: CreateFileSleep
String ID: 8QW5JW8A0XAC
API String ID: 2694422964-2819131455
Opcode ID: cb7f2e3c2e964af4738868c8101a58315f93113b595e17eeef89b29170dd73c1
Instruction ID: d9643c4e096e62f010fb828d3cdfd15456485f5ade3aa953a868e65dfe191aa4
Opcode Fuzzy Hash: cb7f2e3c2e964af4738868c8101a58315f93113b595e17eeef89b29170dd73c1
Instruction Fuzzy Hash: 4A519231D04349EBEF20DBA4C819BEEBB78AF08310F004599E609BB2C0D7795B45DBA5

Function 001A2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001A2C05
DeleteFileW.KERNEL32(?), ref: 001A2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001A2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001A2CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001A2CC0

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: c4e649ce356884ae5959b8f8189dce832ca7b11364b2d2db971ddf69d3f581a4
Instruction ID: 082b82e1e57e3d6ccaaf5bb87387102a9321dbb25e66f555237b421f54af5c68
Opcode Fuzzy Hash: c4e649ce356884ae5959b8f8189dce832ca7b11364b2d2db971ddf69d3f581a4
Instruction Fuzzy Hash: B4B16C75900119ABDF25DBA8CC85EDEBBBDEF59310F1040A6FA09E6141EB319A488B61

Function 00133B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00133B0F,SwapMouseButtons,00000004,?), ref: 00133B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00133B0F,SwapMouseButtons,00000004,?), ref: 00133B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00133B0F,SwapMouseButtons,00000004,?), ref: 00133B83

Strings

Control Panel\Mouse, xrefs: 00133B3E

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: dd9008b10b80f2bcbf13617e404ba862e39edca43a59bb26439c4d48af7b569c
Instruction ID: 2c1b24e2b059aee572532e5fb89cf6c8381a4c2305bbbb396d5d5f5cc7bf84b8
Opcode Fuzzy Hash: dd9008b10b80f2bcbf13617e404ba862e39edca43a59bb26439c4d48af7b569c
Instruction Fuzzy Hash: 3F1127B5610208FFDB218FA5DC84EAEBBB8EF44744F10846AF815E7114E331DE509BA4

Function 00F3DA90 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00F3E2BD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F3E2E1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F3E303

Memory Dump Source

Source File: 00000001.00000002.1361962556.0000000000F3C000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F3C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f3c000_3WgNXsWvMO.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: fc310a6135c3389c0587bc6629e9838c2c50d5be0bfc8bfa2df8a04cac11b1e3
Instruction ID: 60f203df2624f6d5bda8971791a7c5bd6936f43c30f5914288395c89c171eedb
Opcode Fuzzy Hash: fc310a6135c3389c0587bc6629e9838c2c50d5be0bfc8bfa2df8a04cac11b1e3
Instruction Fuzzy Hash: C262F930A14258DBEB24CFA4C841BDEB376EF58310F1091A9D10DEB2E0E7799E85DB59

Function 00133923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001733A2

Part of subcall function 00136B57: _wcslen.LIBCMT ref: 00136B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00133A04

Strings

Line: , xrefs: 001733EB

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 442c8527527ee57541bb058497b369d8166b7f4ccc3d9c6ef8990719a730be2a
Instruction ID: 0177edafdd93c7c0ad406b9458f70fd5e97b825be9f9bb3cf86a658ebe977ad2
Opcode Fuzzy Hash: 442c8527527ee57541bb058497b369d8166b7f4ccc3d9c6ef8990719a730be2a
Instruction Fuzzy Hash: FE31D271408304EBC725EB20DC49BEBB7E8AF54714F00856EF5A983092EB709A59C7C6

Function 0014FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00150668

Part of subcall function 001532A4: RaiseException.KERNEL32(?,?,?,0015068A,?,00201444,?,?,?,?,?,?,0015068A,00131129,001F8738,00131129), ref: 00153304

__CxxThrowException@8.LIBVCRUNTIME ref: 00150685

Strings

Unknown exception, xrefs: 00150692

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: b69027634a65c313c51866d04899c4fc97d88c8fa3555d32cf3f85ef01baf8ee
Instruction ID: c071c3c5652a783d88b207355c3c0d96ff1578a9b44f6f1a3761567617d9c17d
Opcode Fuzzy Hash: b69027634a65c313c51866d04899c4fc97d88c8fa3555d32cf3f85ef01baf8ee
Instruction Fuzzy Hash: 21F0223090020DF3CB04BAE4D846CAE7B6C5E10351B604534BD34DA5E1EFB1DA6EC580

Function 001A3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 001A302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 001A3044

Strings

aut, xrefs: 001A3038

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 9bbfcc6ea3c12e601f002a64fc8efe7eef9cb0714fc340d314bf74c872c68a81
Instruction ID: ae2b63708382758c9d4b4d2d3078f61475d19f80e06eb3c4cd9abac213eae188
Opcode Fuzzy Hash: 9bbfcc6ea3c12e601f002a64fc8efe7eef9cb0714fc340d314bf74c872c68a81
Instruction Fuzzy Hash: 3CD05E7250032867DA20E7A4AC0EFDB7E7CDB04750F0002A1B659E2491DAB0D984CAD0

Function 001B7F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 001B82F5
TerminateProcess.KERNEL32(00000000), ref: 001B82FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 001B84DD

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 9982af5a2bfabab6aea1d9ebb4b2578396815bdd98209bc84163f6769b6ec569
Instruction ID: 59ac37e02aa51425dcc2f70910531c2250b184f6e28736e9648589a5f4ae8bb6
Opcode Fuzzy Hash: 9982af5a2bfabab6aea1d9ebb4b2578396815bdd98209bc84163f6769b6ec569
Instruction Fuzzy Hash: DD126B719083419FC724DF28C484B6ABBE5BF99714F04895DF8898B292DB31ED45CF92

Function 00165AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7a075a919a85ea0718729dcc7a4fca7c388b81e44008150cb80add9d567a14f
Instruction ID: ec2634fa49842ccc3a17ee2636122425d5157f25f4532c142113245138aedf33
Opcode Fuzzy Hash: f7a075a919a85ea0718729dcc7a4fca7c388b81e44008150cb80add9d567a14f
Instruction Fuzzy Hash: 3551C171D0060AEFDB149FA8CC49FAE7FBAEF15310F150059F805AB291DB719A22DB61

Function 001310F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00131BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00131BF4
Part of subcall function 00131BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00131BFC
Part of subcall function 00131BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00131C07
Part of subcall function 00131BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00131C12
Part of subcall function 00131BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00131C1A
Part of subcall function 00131BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00131C22

Part of subcall function 00131B4A: RegisterWindowMessageW.USER32(00000004,?,001312C4), ref: 00131BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0013136A
OleInitialize.OLE32 ref: 00131388
CloseHandle.KERNEL32(00000000,00000000), ref: 001724AB

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 21c80a5885359cb632126b04ad6fc4ddc21a80dd92f29b398820bddd297ae2c7
Instruction ID: 8702dceb551304eca0f81b77187a9062d2cbfa6550d3d54d41fe3f35c69dfd11
Opcode Fuzzy Hash: 21c80a5885359cb632126b04ad6fc4ddc21a80dd92f29b398820bddd297ae2c7
Instruction Fuzzy Hash: 647199B49113008FD388EF79BD89A557EE4FB98354794822EE04ADB2B3EB308565CF41

Function 0019C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00133923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00133A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0019C259
KillTimer.USER32(?,00000001,?,?), ref: 0019C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0019C270

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: b0a3be82af7d0abcc3e0d80925b055a94126bc9c2e4a9345fb8d8283b20a9e7f
Instruction ID: 320384c19b16bcf57e5228401b6d990e22bf4f9fe8a26360cbb4974de498ce28
Opcode Fuzzy Hash: b0a3be82af7d0abcc3e0d80925b055a94126bc9c2e4a9345fb8d8283b20a9e7f
Instruction Fuzzy Hash: 3E319370904384AFEF229F648855BE7BBECAB16308F00449AD5DE97241C7746A84CB91

Function 001686AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,001685CC,?,001F8CC8,0000000C), ref: 00168704
GetLastError.KERNEL32(?,001685CC,?,001F8CC8,0000000C), ref: 0016870E
__dosmaperr.LIBCMT ref: 00168739

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 5d339fc588a8fdb0c5cfad099be66ccd55b11b6ffefd489fddb8a73ed05e1be4
Instruction ID: 3aeb1add48dbb616afbee2e57741e41899dcd26d1240a86caefec638595fda5b
Opcode Fuzzy Hash: 5d339fc588a8fdb0c5cfad099be66ccd55b11b6ffefd489fddb8a73ed05e1be4
Instruction Fuzzy Hash: 5D014933A0566026D7346338EC49B7E6B4A5B92B74F390319F9188B2D3DFA0CC918190

Function 0013DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0013DB7B
DispatchMessageW.USER32(?), ref: 0013DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0013DB9F
Sleep.KERNEL32(0000000A), ref: 0013DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00181CC9

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 9620b6aaf8806d2e5278365d7303ca80ff039e3fe2e927d67bc4efc2ff6c63ab
Instruction ID: f7a263aa8e6e72fcc00cbda15b878704a8d2f460ccba686b51d9ad60c1f95ad9
Opcode Fuzzy Hash: 9620b6aaf8806d2e5278365d7303ca80ff039e3fe2e927d67bc4efc2ff6c63ab
Instruction Fuzzy Hash: 72F05E316443809BE730DBA0EC89FAA77BCEB45310F104918E60A834D0DB30A5988F55

Function 001A2FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,001A2CD4,?,?,?,00000004,00000001), ref: 001A2FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,001A2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001A3006
CloseHandle.KERNEL32(00000000,?,001A2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001A300D

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: b1b799ffc40f237ec9c1f5c180ae6c199a2afc2de1c871accdc4fab59c842183
Instruction ID: 5aa6c22b85ccbf11139f8ca1e53150b63081c40b3e3b2aefa2da7d76a41a5a4e
Opcode Fuzzy Hash: b1b799ffc40f237ec9c1f5c180ae6c199a2afc2de1c871accdc4fab59c842183
Instruction Fuzzy Hash: D2E0863668031077D2312756BC0DF8B3E1CE786B71F144210F72D754D046A0594142E8

Function 00141310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001417F6

Strings

CALL, xrefs: 001417C6

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 31353961e6625a33abce05bf827bfb0cf078366d024d241fec0cc45aaa40d87a
Instruction ID: 1f34546c9756e1c06f65afda9c1aa7d6bef4d263594e90689c85725dd204cb70
Opcode Fuzzy Hash: 31353961e6625a33abce05bf827bfb0cf078366d024d241fec0cc45aaa40d87a
Instruction Fuzzy Hash: 3A227A70608301AFC714DF14C494B6ABBF1BF95314F19895DF89A8B3A2D771E985CB82

Function 001A6EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001A6F6B

Part of subcall function 00134ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00201418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00134EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 001A6F5A, 001A6F63

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 7f54e344b84c03d50ba5f0736b5f14deb247e7acff45a8ec0ced3410d465238f
Instruction ID: 3727b5c279e5f18512cad92a6187eae57d9ea2126131e55894117222edd6d985
Opcode Fuzzy Hash: 7f54e344b84c03d50ba5f0736b5f14deb247e7acff45a8ec0ced3410d465238f
Instruction Fuzzy Hash: 88B1C4751083019FCB14EF24D89196EB7E5BFA5314F04886DF496972A2EF30EE49CB92

Function 00132DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00172C8C

Part of subcall function 00133AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00133A97,?,?,00132E7F,?,?,?,00000000), ref: 00133AC2

Part of subcall function 00132DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00132DC4

Strings

X, xrefs: 00172C5A

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: cd32f1270e56024eff2482e576c84808cdb21da671942f8c23d6a32340f318f6
Instruction ID: cf4e6b013f348d343312d1ba5c1ec3ca80eea996eaada8e81cae90d3d9ade3e0
Opcode Fuzzy Hash: cd32f1270e56024eff2482e576c84808cdb21da671942f8c23d6a32340f318f6
Instruction Fuzzy Hash: 3821A571A0025C9FDB01EF94C849BEE7BF8AF59304F008059E509B7241DBB45A898FA1

Function 001A2557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 001A2587

Strings

EA06, xrefs: 001A25B9

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: a2671568cf4dda9d1cb861dc348026572b093b5f69645690b5ca6968e41e7e27
Instruction ID: 2a7be9aa186f30ddcdb5fee7b41e3b7225beefca98e477dc5bfba3e3e7d7c19e
Opcode Fuzzy Hash: a2671568cf4dda9d1cb861dc348026572b093b5f69645690b5ca6968e41e7e27
Instruction Fuzzy Hash: 6901B572D04258BEDF19C7A8C856EEEBBF8DB15305F00455AE552D6181E6B4E7088B60

Function 00133837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00133908

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 16360b1fbdbf2371aac83b99e7d8ff4a93bcb687cada86e62b717faca9804e75
Instruction ID: bf2d229363a9a796afb87c9b19d6b8afdd99b1c2a260f7be30155f74ac6ef71c
Opcode Fuzzy Hash: 16360b1fbdbf2371aac83b99e7d8ff4a93bcb687cada86e62b717faca9804e75
Instruction Fuzzy Hash: 8A31B470504301DFD720DF24D888797BBF8FB49709F00096EF5A987281E771AA54CB96

Function 00F3DA8D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00F3E2BD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F3E2E1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F3E303

Memory Dump Source

Source File: 00000001.00000002.1361962556.0000000000F3C000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F3C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f3c000_3WgNXsWvMO.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction ID: 2c1b1aedb7f8ef54f8bb5f3d22d1373dcce35158064ba09754a9a51782c350dd
Opcode Fuzzy Hash: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction Fuzzy Hash: 3612CF24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F85CF5A

Function 0014FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0014FD1F

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 99e5f4cb93467ce9260ec4ae315fd2e8ce78fdf25a76960afdfaa32c40ac7f25
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: E831D375A00109DBC718CF99D4C0A69FBA5FF49310B2586A9E80ACB766D731EDC2DBD0

Function 00134ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00134E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00134EDD,?,00201418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00134E9C
Part of subcall function 00134E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00134EAE
Part of subcall function 00134E90: FreeLibrary.KERNEL32(00000000,?,?,00134EDD,?,00201418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00134EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00201418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00134EFD

Part of subcall function 00134E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00173CDE,?,00201418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00134E62
Part of subcall function 00134E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00134E74
Part of subcall function 00134E59: FreeLibrary.KERNEL32(00000000,?,?,00173CDE,?,00201418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00134E87

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: e35188e8755ea9244337bba377cb5bd09fc918ab238c6eaac7b04d436cbb7bfa
Instruction ID: 0091a6398a984ade8314ad1b03846d52c28938e7c31d55ec8a6c5ddf09068e00
Opcode Fuzzy Hash: e35188e8755ea9244337bba377cb5bd09fc918ab238c6eaac7b04d436cbb7bfa
Instruction Fuzzy Hash: 11112332600205ABCB14AB68DC02FAD77A9AF60B10F14842EF542AA1C1EF74EE059B90

Function 00168402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00168440

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 43aa9bcb56a0076a663d050ead42864111de74b8790bd08da73ee7e7309a4e9d
Instruction ID: 766c1bfb3d017f580bac24ef364d4a48ce6cf92bab02ae6f240ed5ca2b3ed86d
Opcode Fuzzy Hash: 43aa9bcb56a0076a663d050ead42864111de74b8790bd08da73ee7e7309a4e9d
Instruction Fuzzy Hash: 6A11187590420AAFCB05DF58E941A9A7BF5EF48314F118199F808AB312DB31EA21CBA5

Function 00165000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00164C7D: RtlAllocateHeap.NTDLL(00000008,00131129,00000000,?,00162E29,00000001,00000364,?,?,?,0015F2DE,00163863,00201444,?,0014FDF5,?), ref: 00164CBE

_free.LIBCMT ref: 0016506C

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 9078ee1a4e9d3fece89c9d3060e31a1380af72247637bd051e9404644eefc6a0
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 750122722047056BE3218F69DC81A9AFBE9FB89370F25062DF19483280EB30A805C6B4

Function 0015E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 24329932d0a050ad57b194eeb89ee0011428d0d67428a422fc3abf4bd3c08329
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 81F02832910E10DBC7393A699C05B5A33D99F723B7F100719FC319B1D2DB70D90A8AA5

Function 00164C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00131129,00000000,?,00162E29,00000001,00000364,?,?,?,0015F2DE,00163863,00201444,?,0014FDF5,?), ref: 00164CBE

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 25b9635e2749d620fad664bce3aaf99d3592fa5aabb4aede2bb7596de2ea5d5d
Instruction ID: 984c41ac65ba32c4eb262cbcaa03a1021064a57534461900ec1a47b9496cb4d8
Opcode Fuzzy Hash: 25b9635e2749d620fad664bce3aaf99d3592fa5aabb4aede2bb7596de2ea5d5d
Instruction Fuzzy Hash: 51F0E931602224A7DB215F669C09F5A3788BF917A1B154115FC19EA381CB70DC2196E0

Function 00163820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00201444,?,0014FDF5,?,?,0013A976,00000010,00201440,001313FC,?,001313C6,?,00131129), ref: 00163852

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2cd60464548c79f5d54f25e0f2e6958db5b1603dd6a02d883ecffad8eacad833
Instruction ID: 8366b40dfcc4891d398bb3dda61628d346a9c90651fb9d58acf00cda1d15f733
Opcode Fuzzy Hash: 2cd60464548c79f5d54f25e0f2e6958db5b1603dd6a02d883ecffad8eacad833
Instruction Fuzzy Hash: 0BE0E53110122497E62126679C05BDA364DAB427B1F050225BC35978D1CB60DD2282E0

Function 00134F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00201418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00134F6D

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: a0507637d64b6e4a91ee34200e34afb51105937962017f61328bc35775f0fb33
Instruction ID: 3bbff4fb9abc74aa4d8136b1b7953b4ff681e86bbc4f60ab3cc82697c728df7a
Opcode Fuzzy Hash: a0507637d64b6e4a91ee34200e34afb51105937962017f61328bc35775f0fb33
Instruction Fuzzy Hash: BDF03071505751CFDB389F69D490812BBE8EF1432971989BEE1EA82611C731A844DF50

Function 00132DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00132DC4

Part of subcall function 00136B57: _wcslen.LIBCMT ref: 00136B6A

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: fd6fb75de5ed66bd991cf5a3466e0b3523182c8e9b3e9cd519d6df853fef70e5
Instruction ID: eedd07a54f37493997b4b9a44e94d3f60a71276f82090b08f6b2fdfd866ebb38
Opcode Fuzzy Hash: fd6fb75de5ed66bd991cf5a3466e0b3523182c8e9b3e9cd519d6df853fef70e5
Instruction Fuzzy Hash: A9E0CD72A001246BC71092589C05FDA77EDDFC8790F044071FD0DD7248DA60ED848690

Function 001A2693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 001A26B5

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: b3b47ad91388f76b29b378d234fe96a91c36e2b0c1838c2371810087e3a89ec5
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 8DE048B46097005FDF3D5A28A9517B677E49F4A301F00045EF99F87352E6726845864D

Function 00132B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00133837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00133908

Part of subcall function 0013D730: GetInputState.USER32 ref: 0013D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00132B6B

Part of subcall function 001330F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0013314E

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 3431c9bb7ce5bb46297249d419f28c2dc4cc6ee4ea1b1fe4eed5ec74d542189f
Instruction ID: 154dd4ed2bbca783330f89c3033a0618dda56045a19e56ec52c835aa68dfd1f5
Opcode Fuzzy Hash: 3431c9bb7ce5bb46297249d419f28c2dc4cc6ee4ea1b1fe4eed5ec74d542189f
Instruction Fuzzy Hash: B3E02C2230424802CA08BB70B8528ADBB499BF1321F40157EF192831B3CF208AA98252

Function 0017039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00170704,?,?,00000000,?,00170704,00000000,0000000C), ref: 001703B7

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 58f8882c27ad7bc1d4d39116f5b2ef45b6d1c8a25ca773e185e65905d989f6ed
Instruction ID: 76d23c251ee0a7430b70fb7143802aac241952d4a33ea09ac28d9ccb1667152e
Opcode Fuzzy Hash: 58f8882c27ad7bc1d4d39116f5b2ef45b6d1c8a25ca773e185e65905d989f6ed
Instruction Fuzzy Hash: AFD06C3204010DFBDF029F85DD06EDA3FAAFB48714F014000FE1856420C732E861AB91

Function 00131CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00131CBC

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: eb94680362c6e7533870ea3740dd500c4f7bc5306296d0b7e3ec853605610fff
Instruction ID: 002d407696461cda05d488e07cdde7ac23587d229b3a4f35af1255dbc3f49bf1
Opcode Fuzzy Hash: eb94680362c6e7533870ea3740dd500c4f7bc5306296d0b7e3ec853605610fff
Instruction Fuzzy Hash: 8CC09236380305EFF3188B80BC4EF147B64A348B00F448002F60DA99E3C3A26861EA94

Function 00F3EA90 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00F3EAA1

Memory Dump Source

Source File: 00000001.00000002.1361962556.0000000000F3C000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F3C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f3c000_3WgNXsWvMO.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: a1d8e1cc51422968d4777ac5be452b195d83faf1240fbb188a4f4604083504da
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: FFE0E67494010EDFDB00EFB4D54969E7FB4FF04301F100165FD01D2280D6309D509A62

Non-executed Functions

Function 001C9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00149BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00149BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 001C961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001C965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 001C969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001C96C9
SendMessageW.USER32 ref: 001C96F2
GetKeyState.USER32(00000011), ref: 001C978B
GetKeyState.USER32(00000009), ref: 001C9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001C97AE
GetKeyState.USER32(00000010), ref: 001C97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001C97E9
SendMessageW.USER32 ref: 001C9810
SendMessageW.USER32(?,00001030,?,001C7E95), ref: 001C9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 001C992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 001C9941
SetCapture.USER32(?), ref: 001C994A
ClientToScreen.USER32(?,?), ref: 001C99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 001C99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001C99D6
ReleaseCapture.USER32 ref: 001C99E1
GetCursorPos.USER32(?), ref: 001C9A19
ScreenToClient.USER32(?,?), ref: 001C9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 001C9A80
SendMessageW.USER32 ref: 001C9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 001C9AEB
SendMessageW.USER32 ref: 001C9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 001C9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 001C9B4A
GetCursorPos.USER32(?), ref: 001C9B68
ScreenToClient.USER32(?,?), ref: 001C9B75
GetParent.USER32(?), ref: 001C9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 001C9BFA
SendMessageW.USER32 ref: 001C9C2B
ClientToScreen.USER32(?,?), ref: 001C9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 001C9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 001C9CDE
SendMessageW.USER32 ref: 001C9D01
ClientToScreen.USER32(?,?), ref: 001C9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 001C9D82

Part of subcall function 00149944: GetWindowLongW.USER32(?,000000EB), ref: 00149952

GetWindowLongW.USER32(?,000000F0), ref: 001C9E05

Strings

@GUI_DRAGID, xrefs: 001C997D
F, xrefs: 001C9D07
p# , xrefs: 001C9990

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#
API String ID: 3429851547-3496453445
Opcode ID: 37f1aa558166adaf6cc8ffe98f8e39b08ea641b00602364f25820cc661affdc6
Instruction ID: 07a3d3e3017a26e3a48615be3b7aa091a252a96b12208eb74276bdc86f6cba0d
Opcode Fuzzy Hash: 37f1aa558166adaf6cc8ffe98f8e39b08ea641b00602364f25820cc661affdc6
Instruction Fuzzy Hash: BC427875204251AFDB24CF64C888FAABBE5EF68310F10061DF699876A1D731E960CF92

Function 001C4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 001C48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 001C4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 001C4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 001C494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 001C495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 001C497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 001C49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 001C49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 001C4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001C4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001C4A7E
IsMenu.USER32(?), ref: 001C4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001C4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001C4B20
GetWindowLongW.USER32(?,000000F0), ref: 001C4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 001C4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 001C4C82
wsprintfW.USER32 ref: 001C4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001C4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 001C4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001C4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001C4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 001C4D5A

Strings

%d/%02d/%02d, xrefs: 001C4CA8

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: d1b45b7adf9a0d94124d60fea60810c3987a9aa1cf5f24827de2feed363d8f95
Instruction ID: 632baeaffc223406b3cf8783e2aa31a32c8db21b4820ed3e37cea829a3dcc3bd
Opcode Fuzzy Hash: d1b45b7adf9a0d94124d60fea60810c3987a9aa1cf5f24827de2feed363d8f95
Instruction Fuzzy Hash: D612ED71A04254ABEB248F68CC59FEE7BB8AF65310F10412DF51AEB2E1DB74D941CB90

Function 0014F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0014F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0018F474
IsIconic.USER32(00000000), ref: 0018F47D
ShowWindow.USER32(00000000,00000009), ref: 0018F48A
SetForegroundWindow.USER32(00000000), ref: 0018F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0018F4AA
GetCurrentThreadId.KERNEL32 ref: 0018F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0018F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0018F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0018F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0018F4DE
SetForegroundWindow.USER32(00000000), ref: 0018F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0018F4F6
keybd_event.USER32(00000012,00000000), ref: 0018F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0018F50B
keybd_event.USER32(00000012,00000000), ref: 0018F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0018F519
keybd_event.USER32(00000012,00000000), ref: 0018F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0018F528
keybd_event.USER32(00000012,00000000), ref: 0018F52D
SetForegroundWindow.USER32(00000000), ref: 0018F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0018F557

Strings

Shell_TrayWnd, xrefs: 0018F46F

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: bd85e1a13eada3a009d0b93330a331e323df2f24c2b4768021a78c2eb0818b71
Instruction ID: dd3a67216aaca2ead4ffafae09ce07480bcd5a32f0f2e7a52b8cd0ef44a36db8
Opcode Fuzzy Hash: bd85e1a13eada3a009d0b93330a331e323df2f24c2b4768021a78c2eb0818b71
Instruction Fuzzy Hash: 52315271B40218BBEB206BB55C4AFBF7E6CEB44B50F11002AF605E61D1C7B09E41AFA0

Function 00191201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 001916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0019170D
Part of subcall function 001916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0019173A
Part of subcall function 001916C3: GetLastError.KERNEL32 ref: 0019174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00191286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 001912A8
CloseHandle.KERNEL32(?), ref: 001912B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001912D1
GetProcessWindowStation.USER32 ref: 001912EA
SetProcessWindowStation.USER32(00000000), ref: 001912F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00191310

Part of subcall function 001910BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001911FC), ref: 001910D4
Part of subcall function 001910BF: CloseHandle.KERNEL32(?,?,001911FC), ref: 001910E9

Strings

winsta0, xrefs: 001912CC
default, xrefs: 0019130B
, xrefs: 0019125A

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 5c4fdc8990b2dcbe653183b2cc821d17d0faef7ff6fa1e2e1fcfa0a19180836b
Instruction ID: 73e58df042644f7e51b301cab0265fe3ed32d81a97300a33a463a88d9592bffe
Opcode Fuzzy Hash: 5c4fdc8990b2dcbe653183b2cc821d17d0faef7ff6fa1e2e1fcfa0a19180836b
Instruction Fuzzy Hash: 84818A7190020ABFEF219FA4DC49FEE7BB9EF08704F144129FA15A62A0C7318995CB61

Function 00190B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00191114
Part of subcall function 001910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00190B9B,?,?,?), ref: 00191120
Part of subcall function 001910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00190B9B,?,?,?), ref: 0019112F
Part of subcall function 001910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00190B9B,?,?,?), ref: 00191136
Part of subcall function 001910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0019114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00190BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00190C00
GetLengthSid.ADVAPI32(?), ref: 00190C17
GetAce.ADVAPI32(?,00000000,?), ref: 00190C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00190C6D
GetLengthSid.ADVAPI32(?), ref: 00190C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00190C8C
HeapAlloc.KERNEL32(00000000), ref: 00190C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00190CB4
CopySid.ADVAPI32(00000000), ref: 00190CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00190CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00190D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00190D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00190D45
HeapFree.KERNEL32(00000000), ref: 00190D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00190D55
HeapFree.KERNEL32(00000000), ref: 00190D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00190D65
HeapFree.KERNEL32(00000000), ref: 00190D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00190D78
HeapFree.KERNEL32(00000000), ref: 00190D7F

Part of subcall function 00191193: GetProcessHeap.KERNEL32(00000008,00190BB1,?,00000000,?,00190BB1,?), ref: 001911A1
Part of subcall function 00191193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00190BB1,?), ref: 001911A8
Part of subcall function 00191193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00190BB1,?), ref: 001911B7

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 9e4b20eecf7e9d67153ad76731e97f91adc4c376aba4b3e17d8d7fba56d40535
Instruction ID: 3e8bd2158ad85ec7e5751bf1d4c0f5f3fc28f8226994971c0bc847cb04d5df87
Opcode Fuzzy Hash: 9e4b20eecf7e9d67153ad76731e97f91adc4c376aba4b3e17d8d7fba56d40535
Instruction Fuzzy Hash: C771467690020AAFDF119FE5DC48FAEBBB8AF08314F044555F918A6291D771EE45CBA0

Function 001AEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(001CCC08), ref: 001AEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 001AEB37
GetClipboardData.USER32(0000000D), ref: 001AEB43
CloseClipboard.USER32 ref: 001AEB4F
GlobalLock.KERNEL32(00000000), ref: 001AEB87
CloseClipboard.USER32 ref: 001AEB91
GlobalUnlock.KERNEL32(00000000), ref: 001AEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 001AEBC9
GetClipboardData.USER32(00000001), ref: 001AEBD1
GlobalLock.KERNEL32(00000000), ref: 001AEBE2
GlobalUnlock.KERNEL32(00000000), ref: 001AEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 001AEC38
GetClipboardData.USER32(0000000F), ref: 001AEC44
GlobalLock.KERNEL32(00000000), ref: 001AEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 001AEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001AEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001AECD2
GlobalUnlock.KERNEL32(00000000), ref: 001AECF3
CountClipboardFormats.USER32 ref: 001AED14
CloseClipboard.USER32 ref: 001AED59

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 3859e74ab347bb24c0772e39064bfc9658a5bad8d5173504512e9774efc99b15
Instruction ID: d2ff0a7a12362f1e16a76f58c36c610a7b9734ec294f053e81f972f6257ff009
Opcode Fuzzy Hash: 3859e74ab347bb24c0772e39064bfc9658a5bad8d5173504512e9774efc99b15
Instruction Fuzzy Hash: 0261E038204301AFD300EF64D889F6ABBE4AF95714F04455DF45A976A2CB31ED86CBA2

Function 001A698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001A69BE
FindClose.KERNEL32(00000000), ref: 001A6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001A6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001A6A75

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 001A6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 001A6ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 001A6B32
%4d%02d%02d%02d%02d%02d, xrefs: 001A6B6A
%02d, xrefs: 001A6C00, 001A6C0A, 001A6C5A, 001A6CAA, 001A6CFA, 001A6D4A
%03d, xrefs: 001A6DA2
%4d, xrefs: 001A6BB1

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: e742db4d21950c681364c001279ba7ed55527ff577b8678aa9f26f8060aecb4b
Instruction ID: d6871e378993644abb71b067c7e7bbebf54564e1f41042d6daf5557f3a7c1df6
Opcode Fuzzy Hash: e742db4d21950c681364c001279ba7ed55527ff577b8678aa9f26f8060aecb4b
Instruction Fuzzy Hash: 39D183B2508304AFC314EBA4C885EAFB7ECAF99704F04491DF589D7291EB74DA44CB62

Function 001A9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 001A9663
GetFileAttributesW.KERNEL32(?), ref: 001A96A1
SetFileAttributesW.KERNEL32(?,?), ref: 001A96BB
FindNextFileW.KERNEL32(00000000,?), ref: 001A96D3
FindClose.KERNEL32(00000000), ref: 001A96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 001A96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 001A974A
SetCurrentDirectoryW.KERNEL32(001F6B7C), ref: 001A9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 001A9772
FindClose.KERNEL32(00000000), ref: 001A977F
FindClose.KERNEL32(00000000), ref: 001A978F

Strings

*.*, xrefs: 001A96F5

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 3895403aacff668c79a87685adc6d976e48a7cced621bd0b135c412b1010300f
Instruction ID: 21e0c5935299c21ac2dce6e675039fa5238774aa6dbaf5e200960fac6a8d1352
Opcode Fuzzy Hash: 3895403aacff668c79a87685adc6d976e48a7cced621bd0b135c412b1010300f
Instruction Fuzzy Hash: B631B336640219AADB14EFF4EC49EEE77ACAF4A321F144155F919E2090DB34DDC48FA4

Function 001A979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 001A97BE
FindNextFileW.KERNEL32(00000000,?), ref: 001A9819
FindClose.KERNEL32(00000000), ref: 001A9824
FindFirstFileW.KERNEL32(*.*,?), ref: 001A9840
SetCurrentDirectoryW.KERNEL32(?), ref: 001A9890
SetCurrentDirectoryW.KERNEL32(001F6B7C), ref: 001A98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 001A98B8
FindClose.KERNEL32(00000000), ref: 001A98C5
FindClose.KERNEL32(00000000), ref: 001A98D5

Part of subcall function 0019DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0019DB00

Strings

*.*, xrefs: 001A983B

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 97b0bc20aa8509e9b5d510c29c2529c3b34de9908894cab68b9aacd8a6097561
Instruction ID: bcbd38cab0f9da35e0af8e6e1d234daef2aee2946a1a23fc70e5d41832a6cad0
Opcode Fuzzy Hash: 97b0bc20aa8509e9b5d510c29c2529c3b34de9908894cab68b9aacd8a6097561
Instruction Fuzzy Hash: 6131C13550021DAADB10EFB4EC48EEE77ACAF07320F144195E954A2091DB38DEC98F64

Function 001A8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 001A8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 001A8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001A8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001A8310
SetCurrentDirectoryW.KERNEL32(?), ref: 001A8324
SetCurrentDirectoryW.KERNEL32(?), ref: 001A8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001A838C
SetCurrentDirectoryW.KERNEL32(?), ref: 001A8395

Strings

*.*, xrefs: 001A839B

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 57419e7638d08dd5fedbb665897a3ec2de0b3d2326a9fec00f94f9bc2638ea85
Instruction ID: 2e9c6fa7a4b89a75583332aff5e91ca9efe9604d20869059238d202ce8509650
Opcode Fuzzy Hash: 57419e7638d08dd5fedbb665897a3ec2de0b3d2326a9fec00f94f9bc2638ea85
Instruction Fuzzy Hash: 58618B765083059FCB10EF64D840AAEB7E8FF99310F04881EF999C7251EB31E945CB92

Function 0019D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00133AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00133A97,?,?,00132E7F,?,?,?,00000000), ref: 00133AC2

Part of subcall function 0019E199: GetFileAttributesW.KERNEL32(?,0019CF95), ref: 0019E19A

FindFirstFileW.KERNEL32(?,?), ref: 0019D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0019D1DD
MoveFileW.KERNEL32(?,?), ref: 0019D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0019D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0019D237

Part of subcall function 0019D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0019D21C,?,?), ref: 0019D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0019D253
FindClose.KERNEL32(00000000), ref: 0019D264

Strings

\*.*, xrefs: 0019D0CD, 0019D0D6, 0019D0EB

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 62dd3a9e947c6d6627ea3c2f5a3f428468b48ebc7d6c82bb3281b026791043dd
Instruction ID: 532c460b8ff2e22277f887011fb795e53745760c02acf822809f2e0ea9110f02
Opcode Fuzzy Hash: 62dd3a9e947c6d6627ea3c2f5a3f428468b48ebc7d6c82bb3281b026791043dd
Instruction Fuzzy Hash: B2616C31C0510DAFCF05EBE0EA929EDBBB5AF65300F6441A5E446771A1EB30AF09CB60

Function 001AED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 001AED91
EmptyClipboard.USER32 ref: 001AED97
GlobalAlloc.KERNEL32(00000002,?), ref: 001AEDAC
CloseClipboard.USER32 ref: 001AEEA3

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f9195811df34be95c83f82ac814d882f1011326e8285b6a840c8f8016ae16a38
Instruction ID: d13b468accfaad7f7657dae6c3bcbc0ad27400045ee0190deaba1b54bf4d4e7c
Opcode Fuzzy Hash: f9195811df34be95c83f82ac814d882f1011326e8285b6a840c8f8016ae16a38
Instruction Fuzzy Hash: 0B417B39604611AFE720DF19E888F19BBE5EF45319F14C099E4198BB62C735EC82CBD0

Function 0019E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 001916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0019170D
Part of subcall function 001916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0019173A
Part of subcall function 001916C3: GetLastError.KERNEL32 ref: 0019174A

ExitWindowsEx.USER32(?,00000000), ref: 0019E932

Strings

, xrefs: 0019E920
@, xrefs: 0019E925
, xrefs: 0019E95C
SeShutdownPrivilege, xrefs: 0019E902

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 1fd375eb3bb6c8cac3b532e41f703fcabcae74f92f569098b3cb9853703a0d9e
Instruction ID: 39842bff269ae724ad16dba8f8b5813d3bf5845b815aacf483a11b0d5937b588
Opcode Fuzzy Hash: 1fd375eb3bb6c8cac3b532e41f703fcabcae74f92f569098b3cb9853703a0d9e
Instruction Fuzzy Hash: FD01D672A10211AFEF54A6B4DC86FBB76ACA714758F150421FD03E21D1DBA19C8085D0

Function 001B1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 001B1276
WSAGetLastError.WSOCK32 ref: 001B1283
bind.WSOCK32(00000000,?,00000010), ref: 001B12BA
WSAGetLastError.WSOCK32 ref: 001B12C5
closesocket.WSOCK32(00000000), ref: 001B12F4
listen.WSOCK32(00000000,00000005), ref: 001B1303
WSAGetLastError.WSOCK32 ref: 001B130D
closesocket.WSOCK32(00000000), ref: 001B133C

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: a2cd64acef6f2df838106e910fc2c1c06284b53f908917f01a942b05d1cf2c7a
Instruction ID: e23ee6317068938a341380531dd3849ac5ce1aaeb0542ef7fc263b28a678916a
Opcode Fuzzy Hash: a2cd64acef6f2df838106e910fc2c1c06284b53f908917f01a942b05d1cf2c7a
Instruction Fuzzy Hash: 4B41B531600100AFD710DF64C494B6ABBE6BF46314F698098D8569F3D2C771ED81CBE0

Function 0016B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0016B9D4
_free.LIBCMT ref: 0016B9F8
_free.LIBCMT ref: 0016BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,001D3700), ref: 0016BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0020121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0016BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00201270,000000FF,?,0000003F,00000000,?), ref: 0016BC36
_free.LIBCMT ref: 0016BD4B

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 83363836ae33575c13f7e0d2770e49851ef38edacc699ceecfa4d06e2efa8786
Instruction ID: 866235a2d27ca162ae99d6ecd6ccbf534c6414e5ba013591972978265e234dea
Opcode Fuzzy Hash: 83363836ae33575c13f7e0d2770e49851ef38edacc699ceecfa4d06e2efa8786
Instruction Fuzzy Hash: 13C13971A08214AFCB24DF78DCC1BAE7BB9EF51350F14419AE894D7252E7308EA1CB90

Function 0019D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00133AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00133A97,?,?,00132E7F,?,?,?,00000000), ref: 00133AC2

Part of subcall function 0019E199: GetFileAttributesW.KERNEL32(?,0019CF95), ref: 0019E19A

FindFirstFileW.KERNEL32(?,?), ref: 0019D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0019D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0019D481
FindClose.KERNEL32(00000000), ref: 0019D498
FindClose.KERNEL32(00000000), ref: 0019D4A1

Strings

\*.*, xrefs: 0019D3F2

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 22d20d167cfc4261a9db32d838210550a7f49014ac0b3ed3f80a557bf2a8e8e7
Instruction ID: 34af4006d0474bf3ed4def871d662f8b7b194f63b2be4ed4d8cbbebfc469a3b4
Opcode Fuzzy Hash: 22d20d167cfc4261a9db32d838210550a7f49014ac0b3ed3f80a557bf2a8e8e7
Instruction Fuzzy Hash: EE3160710083459BC704EF64E8919AFBBE8BEA1314F444A1DF4D593191EB30EA09CBA3

Function 0016E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0016E645

Strings

1#INF, xrefs: 0016F852
1#QNAN, xrefs: 0016F84B
1#IND, xrefs: 0016F83D
1#SNAN, xrefs: 0016F844

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 5786af92bf780d2739fa4478e3816096d07398a86d3e5ea31deadf0960fa097b
Instruction ID: 749bc19574cb35b996734fb5d9f88e2ff3780fa98464e3ad12997ca94203b951
Opcode Fuzzy Hash: 5786af92bf780d2739fa4478e3816096d07398a86d3e5ea31deadf0960fa097b
Instruction Fuzzy Hash: 16C24C75E046288FDB29CE28DD407EAB7F5EB44305F1542EAD84EE7240E774AE958F40

Function 001A648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001A64DC
CoInitialize.OLE32(00000000), ref: 001A6639
CoCreateInstance.OLE32(001CFCF8,00000000,00000001,001CFB68,?), ref: 001A6650
CoUninitialize.OLE32 ref: 001A68D4

Strings

.lnk, xrefs: 001A64BA, 001A6524, 001A65E0

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 725884ea93e829ea2eb817da354a4e067cdd5d80ec2c61673124bb671efb04e8
Instruction ID: 7d9e107c694baed1ccc3da51638e6f789b6c28c16f1bbf0c4212234574e8b7ae
Opcode Fuzzy Hash: 725884ea93e829ea2eb817da354a4e067cdd5d80ec2c61673124bb671efb04e8
Instruction Fuzzy Hash: F3D12775508201AFD314EF24C881A6BB7E9FFA9704F04496DF5958B2A1EB70ED09CB92

Function 001B22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 001B22E8

Part of subcall function 001AE4EC: GetWindowRect.USER32(?,?), ref: 001AE504

GetDesktopWindow.USER32 ref: 001B2312
GetWindowRect.USER32(00000000), ref: 001B2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 001B2355
GetCursorPos.USER32(?), ref: 001B2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001B23DF

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 64ee4f06ba2fb355ba4fc089c76217f5b1cfd0576cc0173f479de16434a15e4b
Instruction ID: 498d1b62e2f09224e2c506ceea3d9880b5dc09485ccf9f1f08d96820edef2dae
Opcode Fuzzy Hash: 64ee4f06ba2fb355ba4fc089c76217f5b1cfd0576cc0173f479de16434a15e4b
Instruction Fuzzy Hash: 8A31AF72504315ABDB20DF54C849F9BBBE9FF88314F000A19F989971A1DB34E949CBD2

Function 001A9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 001A9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 001A9C8B

Part of subcall function 001A3874: GetInputState.USER32 ref: 001A38CB
Part of subcall function 001A3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001A3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 001A9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 001A9C75

Strings

*.*, xrefs: 001A9B5D

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 0c34c7c957af5ce87b83d1da06a492f70f42e0bbe7a51c3e5ca96a41ece063b0
Instruction ID: 51e687739ac420428bb561d0a904cd388942bebf3a256e1ec0c4a50e7e9aa089
Opcode Fuzzy Hash: 0c34c7c957af5ce87b83d1da06a492f70f42e0bbe7a51c3e5ca96a41ece063b0
Instruction Fuzzy Hash: 1E41817590460A9FCF15DFA4CC89EEEBBB8FF16310F248155E815A6191EB309E84CFA0

Function 0014997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00149BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00149BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00149A4E
GetSysColor.USER32(0000000F), ref: 00149B23
SetBkColor.GDI32(?,00000000), ref: 00149B36

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: cbe5836940fadbce98218a833d7278749b82b594f3633d8ae1b887cf38706a16
Instruction ID: 899e1ba681c136bc210010781a01dcc764ced17109e1eca5eb08d011a980d2b1
Opcode Fuzzy Hash: cbe5836940fadbce98218a833d7278749b82b594f3633d8ae1b887cf38706a16
Instruction Fuzzy Hash: DCA10770208544AFE729BA2C9C8DE7B3A9EDB52350B364219F502C7AF2CB25DE01C771

Function 001B1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001B304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001B307A
Part of subcall function 001B304E: _wcslen.LIBCMT ref: 001B309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 001B185D
WSAGetLastError.WSOCK32 ref: 001B1884
bind.WSOCK32(00000000,?,00000010), ref: 001B18DB
WSAGetLastError.WSOCK32 ref: 001B18E6
closesocket.WSOCK32(00000000), ref: 001B1915

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 0d14225f140152c2bfdb20cc920f1b9614c0c41797f847e920201c8f7d2e2e77
Instruction ID: 12b8d96297a153a36109587d23d0cada9752399d8c85760d45a9965bfa8b50da
Opcode Fuzzy Hash: 0d14225f140152c2bfdb20cc920f1b9614c0c41797f847e920201c8f7d2e2e77
Instruction Fuzzy Hash: 3B51B475A00200AFEB10AF24C896F6A77E5AB54718F49845CFA19AF3D3C771ED418BE1

Function 001C1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 001C1CC0
IsWindowEnabled.USER32 ref: 001C1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 001C1CDB
IsIconic.USER32 ref: 001C1CE9
IsZoomed.USER32 ref: 001C1CF7

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 0c0f0fc25b17ca726dcf14d55751102ce6c9b831bebf798a5c1885c22af424bb
Instruction ID: 04f333c71b10d74c1789209775d11aa0db9a117d9b9a4680b0c855651f6d1e03
Opcode Fuzzy Hash: 0c0f0fc25b17ca726dcf14d55751102ce6c9b831bebf798a5c1885c22af424bb
Instruction Fuzzy Hash: DA2183317802116FE7249F1AC894F6A7BA5EFA6325F19805CF84A8B752C771DC42CBD4

Function 00138060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 001383FA
VUUU, xrefs: 0013843C
VUUU, xrefs: 001383E8
ERCP, xrefs: 0013813C
VUUU, xrefs: 00175DF0

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 5bc6cf3affef61e0bf31abee42c5fd0f8ebd860c16c5dde6364bd777261a4c79
Instruction ID: 42b597fc1ed8e343f3cf2175f2d13f85ab0f044917caa7620699345450ec5847
Opcode Fuzzy Hash: 5bc6cf3affef61e0bf31abee42c5fd0f8ebd860c16c5dde6364bd777261a4c79
Instruction Fuzzy Hash: CCA26171E0061ACBDF24CF58C8517BEB7B2BF54314F2581AAE819A7285DB749E81CF90

Function 001BA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001BA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 001BA6BA

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

Process32NextW.KERNEL32(00000000,?), ref: 001BA79C
CloseHandle.KERNEL32(00000000), ref: 001BA7AB

Part of subcall function 0014CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00173303,?), ref: 0014CE8A

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: d3824bfa25f7d5c8bf941fafa82ce225a88863ab033e4e49f430409cbfb96aac
Instruction ID: 5155c45c24caa6cf87155dfbf1727d6438fc6d2ad195cec5178ff6ab049a8fbe
Opcode Fuzzy Hash: d3824bfa25f7d5c8bf941fafa82ce225a88863ab033e4e49f430409cbfb96aac
Instruction Fuzzy Hash: 93514C71508300AFD710EF25D886E6BBBE8FF99754F40891DF589A7261EB70D904CB92

Function 0019AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0019AAAC
SetKeyboardState.USER32(00000080), ref: 0019AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0019AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0019AB88

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: cb1d67580de1aceb3f56cd038c312da8c9b189a3c5e4fb98ec9a7b178f037949
Instruction ID: aa8eb72e3452f34621081774742ef752358615eb250779691f13366d3ab92f3c
Opcode Fuzzy Hash: cb1d67580de1aceb3f56cd038c312da8c9b189a3c5e4fb98ec9a7b178f037949
Instruction Fuzzy Hash: D7311630A40258AFFF358B698C05BFA7BA6AF54310F84421AF586561D0D7749989C7E3

Function 001ACE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 001ACE89
GetLastError.KERNEL32(?,00000000), ref: 001ACEEA
SetEvent.KERNEL32(?,?,00000000), ref: 001ACEFE

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: c558b932f255b2108abffe5c13a74c0650a61f3507a1cb73613b87e943c72b25
Instruction ID: 47cdb1e173e51ea7e517397d5addeadd10400894de4ad5384b8a07be369b4502
Opcode Fuzzy Hash: c558b932f255b2108abffe5c13a74c0650a61f3507a1cb73613b87e943c72b25
Instruction Fuzzy Hash: FA219DB9900305AFEB30DF65D948BA67BF8EB51354F10442EE64692551E770EE48CBE0

Function 00198298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 001982AA

Strings

(, xrefs: 001982F0
|, xrefs: 001982DA

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 134eba314e4d0c51a8aedc077081b570077ce2cc124b49d0cea41babb59ab9cf
Instruction ID: 85a6f356787cb2ceff14b7ffd475aa34e8c21e4a67d118f3e73bfec2fed3d715
Opcode Fuzzy Hash: 134eba314e4d0c51a8aedc077081b570077ce2cc124b49d0cea41babb59ab9cf
Instruction Fuzzy Hash: 66323475A00605DFCB28CF69C481A6AB7F0FF48710B15C56EE59ADB3A1EB70E981CB50

Function 001A5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001A5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 001A5D17
FindClose.KERNEL32(?), ref: 001A5D5F

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 2b8e11b9700040a40a45b67f3e2f12aa1cdbdeefd715579b1444b6693de39507
Instruction ID: b89c31bc64523ca2a03e92f1be5f9a1acca442413f67cfb242cd2b10d538fabe
Opcode Fuzzy Hash: 2b8e11b9700040a40a45b67f3e2f12aa1cdbdeefd715579b1444b6693de39507
Instruction Fuzzy Hash: F7519A786086019FC714CF68C494E9AB7E5FF4A324F14855DE99A8B3A2CB30ED45CF91

Function 00162622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0016271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00162724
UnhandledExceptionFilter.KERNEL32(?), ref: 00162731

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d8cb8ddf631142185d1a01211618fffa7cd0b724e0040e29517f7f4a86dfa987
Instruction ID: 7efa533b65ebf586bcbd223a6e9021b8c4995ed22367476a51d2e14c92c90cf2
Opcode Fuzzy Hash: d8cb8ddf631142185d1a01211618fffa7cd0b724e0040e29517f7f4a86dfa987
Instruction Fuzzy Hash: B031B47591122C9BCB21DF64DD89B99BBB8BF18310F5041EAE81CA7261E7309F858F85

Function 001A51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001A51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 001A5238
SetErrorMode.KERNEL32(00000000), ref: 001A52A1

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 092f6137a7930c6eeca1dcf37e9c68e595e0932c7210d32e03f3148e65242e84
Instruction ID: f2931d9cf96d8c41cf449726c9f60676e363c62ab52b863805b7f649cd6491f0
Opcode Fuzzy Hash: 092f6137a7930c6eeca1dcf37e9c68e595e0932c7210d32e03f3148e65242e84
Instruction Fuzzy Hash: 80312B75A04518DFDB00DF55D884EADBBB5FF49314F088099E809AB3A2DB31E855CB90

Function 001916C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0014FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00150668
Part of subcall function 0014FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00150685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0019170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0019173A
GetLastError.KERNEL32 ref: 0019174A

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 15c99f7b2a7caf2b4cb2f751dd7590cfc14970b70b5abb3cd17e5460bdf632bc
Instruction ID: 1bdbf729c46b6891f85a3f1cb39c059c846d839e7325fc51058b9e3b0de89667
Opcode Fuzzy Hash: 15c99f7b2a7caf2b4cb2f751dd7590cfc14970b70b5abb3cd17e5460bdf632bc
Instruction Fuzzy Hash: 3C1191B2804305BFE7189F94EC86D6BBBB9EF44714B24852EF05657651EB70FC828A60

Function 0019D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0019D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0019D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0019D650

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 2c0c7e18b29a096afcff70b77f54db356ab0df985944d3f0f353f18cf7b15110
Instruction ID: c2e02c741d2e101f1a027706c111a69ad3211cb0e9c4fd4441586cb80ba8d625
Opcode Fuzzy Hash: 2c0c7e18b29a096afcff70b77f54db356ab0df985944d3f0f353f18cf7b15110
Instruction Fuzzy Hash: 84113C75E05228BBDB108F95AC45FAFBFBCEB45B50F108115F908E7290D6704A058BA1

Function 00191663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0019168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001916A1
FreeSid.ADVAPI32(?), ref: 001916B1

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 1ff7af78c69f6b5258de48204863ec3f0b314657609dc64e39bb367a4672350f
Instruction ID: ffc658b97fdc88fd53de633b35cfc82cbbbadc786a02cba3ca3a97c64fed547b
Opcode Fuzzy Hash: 1ff7af78c69f6b5258de48204863ec3f0b314657609dc64e39bb367a4672350f
Instruction Fuzzy Hash: 3FF0F475950309FBDF00DFE49C89EAEBBBCFB08604F504565E901E2181E774EA948A94

Function 00154CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(001628E9,?,00154CBE,001628E9,001F88B8,0000000C,00154E15,001628E9,00000002,00000000,?,001628E9), ref: 00154D09
TerminateProcess.KERNEL32(00000000,?,00154CBE,001628E9,001F88B8,0000000C,00154E15,001628E9,00000002,00000000,?,001628E9), ref: 00154D10
ExitProcess.KERNEL32 ref: 00154D22

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 950512528563bdaf7d8a7173c72d08e8b3ad3fa090f994c97e5f48ee0261bff0
Instruction ID: fe7c6c5704b7e82018f57ca7972562bc9f9ea724d88335c3633483826c7928aa
Opcode Fuzzy Hash: 950512528563bdaf7d8a7173c72d08e8b3ad3fa090f994c97e5f48ee0261bff0
Instruction Fuzzy Hash: 70E0B631400188EBCF11AF94EE09E583F79FB61786B145018FC298B522CB36DE96CA90

Function 0016C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0016C36C

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 701a006ab1d7aede9e3f18fe4e401a283c8c8ea0cc8dbafea675521cb6617c0d
Instruction ID: 7804c5d45996a7d135332fa57feedba03c2351f7f4c09b6289522a8d45d9aee8
Opcode Fuzzy Hash: 701a006ab1d7aede9e3f18fe4e401a283c8c8ea0cc8dbafea675521cb6617c0d
Instruction Fuzzy Hash: 03412376900219ABCB209FB9CC88EBB77B8EB84314F1042A9F945C7280E7309D818B90

Function 0018D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0018D28C

Strings

X64, xrefs: 0018D2A8

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 58170ff8fc8143d2a262a5539f7524d233dc2eeec5817bd3ca03c38d8eb45041
Instruction ID: c2084221b64e8601b44d645703db50269b110a2663c419d3606a9369c36ad1b5
Opcode Fuzzy Hash: 58170ff8fc8143d2a262a5539f7524d233dc2eeec5817bd3ca03c38d8eb45041
Instruction Fuzzy Hash: A8D0C9B480111DEACF94DB90EC88DDAB77CBB04305F100151F106A2040DB3096488F10

Function 0015CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 3454f2da9a412600e69017257f834f2be12ab4333928450b0260d78ff1166a4c
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 44021C71E00219DFDF14CFA9C8906ADBBF1EF58315F25816AD829EB380D731AA458BD4

Function 0013CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p# , xrefs: 0013CF7F
Variable is not of type 'Object'., xrefs: 00180C40

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#
API String ID: 0-1790810085
Opcode ID: 2e27886bcb486e84a4712e5eb7aeae41326f52cbc7a09f6a09c8d2d1cedcbd43
Instruction ID: db9d7c5d73e9f9970eeba986d677de588f63eb6e38e6c99bb6dfa8a159629226
Opcode Fuzzy Hash: 2e27886bcb486e84a4712e5eb7aeae41326f52cbc7a09f6a09c8d2d1cedcbd43
Instruction Fuzzy Hash: E0328E74900218DFDF19EF94C885AEDB7B9BF19304F148069E806BB292D775AE49CF90

Function 001A68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001A6918
FindClose.KERNEL32(00000000), ref: 001A6961

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 45aa98e3ce4d1b05f2d4bc4db86d520997a59fbcefc215acc80a3380240ead41
Instruction ID: fd99662ea2753890bd046add280bf74ddbc046a9801aa1787bb4e474fabaf2d5
Opcode Fuzzy Hash: 45aa98e3ce4d1b05f2d4bc4db86d520997a59fbcefc215acc80a3380240ead41
Instruction Fuzzy Hash: 1B1190756042009FD714DF29D488A16BBE5FF89328F18C699E4698F6A2CB30EC45CBD1

Function 001A37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,001B4891,?,?,00000035,?), ref: 001A37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,001B4891,?,?,00000035,?), ref: 001A37F4

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: a03f13eac915bc96626e418cfef9c3e0e6d33acfd2eae2a1733bbf2aba0364a0
Instruction ID: 63fdc2b91944ebb9216749a18767a74f5d976c73b0c2f1f359f4ac49417c7c38
Opcode Fuzzy Hash: a03f13eac915bc96626e418cfef9c3e0e6d33acfd2eae2a1733bbf2aba0364a0
Instruction Fuzzy Hash: 27F0E5B56043282AE72057A69C4DFEB3AAEEFC5B61F100165F509D2281DAA09D44C6F0

Function 0019B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0019B25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 0019B270

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: a9a45a21b6c3ea12530bef23612d975f7a4541250a34358ae7e4c9500e1b097d
Instruction ID: 592b96ffec6d7e9ebcdab8e6ddd43b6edac8a06f867a7a4f9bad0921b2341c76
Opcode Fuzzy Hash: a9a45a21b6c3ea12530bef23612d975f7a4541250a34358ae7e4c9500e1b097d
Instruction Fuzzy Hash: 28F01D7190428EABDF059FA0D845BAE7FB4FF04305F00801AF955A5191C379D6519F94

Function 001910BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001911FC), ref: 001910D4
CloseHandle.KERNEL32(?,?,001911FC), ref: 001910E9

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 1b301f1e1eba9d96fb374b538afe5e377da617290124cab515ebc8941351acf0
Instruction ID: 777be9c229d553c96a39a75cb65e3f7771f64a7e9bbd8a47997747d68b026d85
Opcode Fuzzy Hash: 1b301f1e1eba9d96fb374b538afe5e377da617290124cab515ebc8941351acf0
Instruction Fuzzy Hash: 28E04F32004600AEE7252B51FC05E737BA9FB04310B14882DF4A6808B1DB62ACE1DB50

Function 0016676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00166766,?,?,00000008,?,?,0016FEFE,00000000), ref: 00166998

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 24dc9e26473862c5a325059347eb4b9a4a249eaa6bd708140e2424242ea8ef6e
Instruction ID: f77060e2cfd256005d7e9498b3146f014225a27eb1eff474e6067c9d52cbfe6f
Opcode Fuzzy Hash: 24dc9e26473862c5a325059347eb4b9a4a249eaa6bd708140e2424242ea8ef6e
Instruction Fuzzy Hash: 9BB12C31610609DFD719CF28C88AB657BE0FF45368F258658E8D9CF2A2C735E9A1CB40

Function 0014B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0018851F

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 34f2350ce4a8cd225a77683d6cd8cdce30b18453766c7e80c884cf4b78a3e560
Instruction ID: 51e5da50c3d863bc7f7e3b067f3528639ff3c9fa3db2fa2947e6aabebdecbe5e
Opcode Fuzzy Hash: 34f2350ce4a8cd225a77683d6cd8cdce30b18453766c7e80c884cf4b78a3e560
Instruction Fuzzy Hash: C2126E719042299BCB24DF58C880AEEB7F5FF48710F55819AE849EB255EB30DE81CF90

Function 001AEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 001AEABD

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: e3672aafe7769141b39be8ba8e86519de0edab822632b1b79548c4ce800406f3
Instruction ID: 90a5297ed9b4488905a796edc8f649f0a9989ec9231330e82892a7879279859c
Opcode Fuzzy Hash: e3672aafe7769141b39be8ba8e86519de0edab822632b1b79548c4ce800406f3
Instruction Fuzzy Hash: 7AE01A362002149FD710EF59D844E9ABBE9AFA9760F00841AFD49DB351DB70EC408B90

Function 001509D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,001503EE), ref: 001509DA

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 782825861fe86530939592735f26fc9f685aefd33ec5fb2e2b3c715445809fbd
Instruction ID: 67764a0da0aeadd045a627d48aac6e817384dc7d3714c6a129a3c58af40d87ad
Opcode Fuzzy Hash: 782825861fe86530939592735f26fc9f685aefd33ec5fb2e2b3c715445809fbd
Instruction Fuzzy Hash:

Function 0015781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0015798B

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: dc40ee5373be1ef6e33f769c1769b30b0801ee3147439e1fce34bd45005b73f5
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 7651556160C705DBDB388568A85FBBE638A9B22357F180509DCB6DF2C2C715EE0DD362

Function 001A2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0& , xrefs: 001A2053

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID:
String ID: 0&
API String ID: 0-597335918
Opcode ID: d8250522ee6bb091791976f49a28ad95db2e0efd0840f59e73f73b75e27cc16d
Instruction ID: 5b6694356ff764eba52ee1d0f2cdd2cb5e82bcfd0f6146b6e905098b51b6a777
Opcode Fuzzy Hash: d8250522ee6bb091791976f49a28ad95db2e0efd0840f59e73f73b75e27cc16d
Instruction Fuzzy Hash: 3721BB326206118BD728CF79C91767E73E5A754310F15862EE4A7C77D1DE7AA904C740

Function 00166DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad482b3846087bd84d9f2120b4f469f38d2cc39e5bdf2195ec9a6b5490770b38
Instruction ID: d8c2b6aaabc61d0a734e1061351bf45b9a68ef2ca59f59579e431ab55eca204a
Opcode Fuzzy Hash: ad482b3846087bd84d9f2120b4f469f38d2cc39e5bdf2195ec9a6b5490770b38
Instruction Fuzzy Hash: DC32F222D2AF414DD7239634DC22335A749AFB73D9F15D727E82AB5DA9EB29C4C34100

Function 0014CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0bf42ed0e606f4565b18608ca7f288c1ad94fe5d2ab41bd7e34636a173b0352
Instruction ID: 481caa2acee58a8012b0d0b8e7befb28aed7e6c6ebb4695fc54de3f5f4839f07
Opcode Fuzzy Hash: a0bf42ed0e606f4565b18608ca7f288c1ad94fe5d2ab41bd7e34636a173b0352
Instruction Fuzzy Hash: E2322531A001158BCF28EF69C4D46BD7BA1EB45310F29856AD55ADB6A1E330DF81DFE0

Function 00137920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 454e5efa07afdae261770b33f32b01820abb01c4f994621a4d1e6a7ed63d845b
Instruction ID: 6d75ea99ae150103b1b0b7a4002b7f7bc1447d356d56e51022af2a320e3e7f84
Opcode Fuzzy Hash: 454e5efa07afdae261770b33f32b01820abb01c4f994621a4d1e6a7ed63d845b
Instruction Fuzzy Hash: 2022C4B0A0460ADFDF14CFA4C881AAEF7F6FF54300F248529E816A7291EB75AD55CB50

Function 001391C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec09d4ffe4e4e24a413537a32f32da1920d1a4df3608518d16239b7e1f44821
Instruction ID: d74a80c770b586488f42697d5450f0d481fa9c4b9fc17cf5502572ac6c03748e
Opcode Fuzzy Hash: 9ec09d4ffe4e4e24a413537a32f32da1920d1a4df3608518d16239b7e1f44821
Instruction Fuzzy Hash: DD02A6B0E00105EFDB05DF64D881AAEBBF5FF58300F118169E81A9B391EB71AA55CB91

Function 00151C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: e0b3972a907c16350bfde6cc1a81b7b7436e448a6bd0acf96ce42bd3af5407d8
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 289165321080A399DB2F4679857967DFEE19A523A371A079DDCF2CE1C1EF10895CD620

Function 001519B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: d8965938b12efe1ee75a883782e4e0464d42144b4fb861d123abf1cff6c95c48
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 03912E722090E29ADB2F427A857427DFEF15A922A771A0799D8F2CF1C1FB24855CD620

Function 00157A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb25d01e0c1f9fcedadb704c37127d13856ef9ad8d7cc1d0e3d8a591c59adc74
Instruction ID: fde25f98093e94c1f93404aa6ca918a99844f40a93b13c4a34f42c745093b443
Opcode Fuzzy Hash: eb25d01e0c1f9fcedadb704c37127d13856ef9ad8d7cc1d0e3d8a591c59adc74
Instruction Fuzzy Hash: C061487160870AD7EA38A928B897BBE2394DF51703F180919EC73DF2C1DB519E4E8355

Function 00157CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85cc4445c11f9f59aa3da4df0450c2e988b964e63d943ffdbff0f510d7d8ea5a
Instruction ID: 76943e92e7b5fa17a6651759c578599860288c0c0415f2234537341b3613a4aa
Opcode Fuzzy Hash: 85cc4445c11f9f59aa3da4df0450c2e988b964e63d943ffdbff0f510d7d8ea5a
Instruction Fuzzy Hash: E3618B71208709D6DE395AA8B857BBE23A8EF52743F100959EC73DF2C1EB129D4E8251

Function 00151706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: c1f6e035cf6420571117fe7f97e0cbee65b000545c89c5099c1ea9988376a64d
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 3C8141735080A29ADB2E423D853467EFFE15A923A771A079DD8F2CE1C1EF24995CD620

Function 001B2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001B2B30
DeleteObject.GDI32(00000000), ref: 001B2B43
DestroyWindow.USER32 ref: 001B2B52
GetDesktopWindow.USER32 ref: 001B2B6D
GetWindowRect.USER32(00000000), ref: 001B2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 001B2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 001B2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B2CF8
GetClientRect.USER32(00000000,?), ref: 001B2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 001B2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B2D80
GlobalLock.KERNEL32(00000000), ref: 001B2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B2D98
GlobalUnlock.KERNEL32(00000000), ref: 001B2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B2DA8
GlobalFree.KERNEL32(00000000), ref: 001B2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,001CFC38,00000000), ref: 001B2DDB
GlobalFree.KERNEL32(00000000), ref: 001B2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 001B2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 001B2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B303F

Strings

static, xrefs: 001B2D3A, 001B2E91
AutoIt v3, xrefs: 001B2CF2
, xrefs: 001B2FC5
DISPLAY, xrefs: 001B2EA2

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: f20f2ccadb9ef7ad29f4481a2b81d8e9e20f25ed1fda9e307ab49024ff8cba96
Instruction ID: a5565f97226c529dae6f519c53b3ec935dea5837f22b1114a870c4351e98c49e
Opcode Fuzzy Hash: f20f2ccadb9ef7ad29f4481a2b81d8e9e20f25ed1fda9e307ab49024ff8cba96
Instruction Fuzzy Hash: D6028B71900219EFDB14DF64DD89EAE7BB9EF48310F048158F919AB2A1DB70ED45CBA0

Function 001C70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 001C712F
GetSysColorBrush.USER32(0000000F), ref: 001C7160
GetSysColor.USER32(0000000F), ref: 001C716C
SetBkColor.GDI32(?,000000FF), ref: 001C7186
SelectObject.GDI32(?,?), ref: 001C7195
InflateRect.USER32(?,000000FF,000000FF), ref: 001C71C0
GetSysColor.USER32(00000010), ref: 001C71C8
CreateSolidBrush.GDI32(00000000), ref: 001C71CF
FrameRect.USER32(?,?,00000000), ref: 001C71DE
DeleteObject.GDI32(00000000), ref: 001C71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 001C7230
FillRect.USER32(?,?,?), ref: 001C7262
GetWindowLongW.USER32(?,000000F0), ref: 001C7284

Part of subcall function 001C73E8: GetSysColor.USER32(00000012), ref: 001C7421
Part of subcall function 001C73E8: SetTextColor.GDI32(?,?), ref: 001C7425
Part of subcall function 001C73E8: GetSysColorBrush.USER32(0000000F), ref: 001C743B
Part of subcall function 001C73E8: GetSysColor.USER32(0000000F), ref: 001C7446
Part of subcall function 001C73E8: GetSysColor.USER32(00000011), ref: 001C7463
Part of subcall function 001C73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 001C7471
Part of subcall function 001C73E8: SelectObject.GDI32(?,00000000), ref: 001C7482
Part of subcall function 001C73E8: SetBkColor.GDI32(?,00000000), ref: 001C748B
Part of subcall function 001C73E8: SelectObject.GDI32(?,?), ref: 001C7498
Part of subcall function 001C73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 001C74B7
Part of subcall function 001C73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001C74CE
Part of subcall function 001C73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 001C74DB

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 1b4499489e825d3cfe025f68076eff19611df3bbdba903670a8549dea603af50
Instruction ID: 457184c21bdc95adb0f81b474649f3dea3f548d1794ae1d9286e191eaa91286c
Opcode Fuzzy Hash: 1b4499489e825d3cfe025f68076eff19611df3bbdba903670a8549dea603af50
Instruction Fuzzy Hash: B5A18D72508301EFDB009F60DC48E6BBBA9FB89320F140A19F966965E1D771ED85CF91

Function 00148D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00148E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00186AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00186AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00186F43

Part of subcall function 00148F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00148BE8,?,00000000,?,?,?,?,00148BBA,00000000,?), ref: 00148FC5

SendMessageW.USER32(?,00001053), ref: 00186F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00186F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00186FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00186FB7

Strings

0, xrefs: 00186DCF

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 878d296244b47dcb75e6f05db71e2353a23f857adec2f7d97436ba36fec9d119
Instruction ID: 2968797acf58dc70f355fe23e3c8ce1384a15e07815f9ef3fc282cd369073263
Opcode Fuzzy Hash: 878d296244b47dcb75e6f05db71e2353a23f857adec2f7d97436ba36fec9d119
Instruction Fuzzy Hash: D912BF30600211DFD725EF14D898BAABBE5FB44300F144569F589DB662CB31EDA1DF91

Function 001B2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 001B273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 001B286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 001B28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 001B28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 001B2900
GetClientRect.USER32(00000000,?), ref: 001B290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 001B2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 001B2964
GetStockObject.GDI32(00000011), ref: 001B2974
SelectObject.GDI32(00000000,00000000), ref: 001B2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 001B2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001B2991
DeleteDC.GDI32(00000000), ref: 001B299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001B29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 001B29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 001B2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 001B2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 001B2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 001B2A77
GetStockObject.GDI32(00000011), ref: 001B2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 001B2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 001B2A97

Strings

static, xrefs: 001B294F, 001B2A71
msctls_progress32, xrefs: 001B2A13
AutoIt v3, xrefs: 001B28F8
DISPLAY, xrefs: 001B295A

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 638f5cc4c9da4aeec703f6a60937e52d83cc604328a9706a394c2366737c788c
Instruction ID: aa37f7b9d9c7f208816f47feb5f7f4b71b602328b3c5859a38d5ea4ac2af8c59
Opcode Fuzzy Hash: 638f5cc4c9da4aeec703f6a60937e52d83cc604328a9706a394c2366737c788c
Instruction Fuzzy Hash: 2FB15DB1A00219AFEB24DFA8DC89FAE7BA9EF18710F004154F915E7691D774ED40CBA4

Function 001A4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001A4AED
GetDriveTypeW.KERNEL32(?,001CCB68,?,\\.\,001CCC08), ref: 001A4BCA
SetErrorMode.KERNEL32(00000000,001CCB68,?,\\.\,001CCC08), ref: 001A4D36

Strings

Unknown, xrefs: 001A4BED, 001A4C83
SSD, xrefs: 001A4C4A
\\.\, xrefs: 001A4B3F
Fixed, xrefs: 001A4C09
FileBackedVirtual, xrefs: 001A4CEC
CDROM, xrefs: 001A4BFB
USB, xrefs: 001A4CB4
Fibre, xrefs: 001A4CAD
Removable, xrefs: 001A4C10, 001A4C15
Network, xrefs: 001A4C02
RAMDisk, xrefs: 001A4BF4
1394, xrefs: 001A4C9F
SAS, xrefs: 001A4CC9
PhysicalDrive, xrefs: 001A4B76
MMC, xrefs: 001A4CDE
ATAPI, xrefs: 001A4C91
ATA, xrefs: 001A4C98
SATA, xrefs: 001A4CD0
SSA, xrefs: 001A4CA6
SCSI, xrefs: 001A4C8A
iSCSI, xrefs: 001A4CC2
RAID, xrefs: 001A4CBB
Virtual, xrefs: 001A4CE5

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 8ce0e48720234b202383d6265392532e67b59e0f25ea1fa06644b6e336019d31
Instruction ID: 6f3b3fc938d4b7cb6c1c8787008dfbb2327a46507002e6335af009c5781302a0
Opcode Fuzzy Hash: 8ce0e48720234b202383d6265392532e67b59e0f25ea1fa06644b6e336019d31
Instruction Fuzzy Hash: 10610438705209EBCB08DF68CA82D7C77B0AF96360B248015F94EAB695DBB1ED41DB51

Function 001C73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 001C7421
SetTextColor.GDI32(?,?), ref: 001C7425
GetSysColorBrush.USER32(0000000F), ref: 001C743B
GetSysColor.USER32(0000000F), ref: 001C7446
CreateSolidBrush.GDI32(?), ref: 001C744B
GetSysColor.USER32(00000011), ref: 001C7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 001C7471
SelectObject.GDI32(?,00000000), ref: 001C7482
SetBkColor.GDI32(?,00000000), ref: 001C748B
SelectObject.GDI32(?,?), ref: 001C7498
InflateRect.USER32(?,000000FF,000000FF), ref: 001C74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001C74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 001C74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001C752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 001C7554
InflateRect.USER32(?,000000FD,000000FD), ref: 001C7572
DrawFocusRect.USER32(?,?), ref: 001C757D
GetSysColor.USER32(00000011), ref: 001C758E
SetTextColor.GDI32(?,00000000), ref: 001C7596
DrawTextW.USER32(?,001C70F5,000000FF,?,00000000), ref: 001C75A8
SelectObject.GDI32(?,?), ref: 001C75BF
DeleteObject.GDI32(?), ref: 001C75CA
SelectObject.GDI32(?,?), ref: 001C75D0
DeleteObject.GDI32(?), ref: 001C75D5
SetTextColor.GDI32(?,?), ref: 001C75DB
SetBkColor.GDI32(?,?), ref: 001C75E5

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: aa2230bb34fbd72effcd6eca90fd7c01d982778ace14e4440dfabb266b789ef1
Instruction ID: 77e26f5e1fead3ff870a70cdf757160a13b5e987c1cb52d16e7cc5704091a304
Opcode Fuzzy Hash: aa2230bb34fbd72effcd6eca90fd7c01d982778ace14e4440dfabb266b789ef1
Instruction Fuzzy Hash: 84613972904218AFDB059FA4DC49EEEBFB9EB08320F154115F919AB2A1D7B5DD80CF90

Function 001C0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 001C1128
GetDesktopWindow.USER32 ref: 001C113D
GetWindowRect.USER32(00000000), ref: 001C1144
GetWindowLongW.USER32(?,000000F0), ref: 001C1199
DestroyWindow.USER32(?), ref: 001C11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001C11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001C120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001C121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 001C1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 001C1245
IsWindowVisible.USER32(00000000), ref: 001C12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 001C12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 001C12D0
GetWindowRect.USER32(00000000,?), ref: 001C12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 001C130E
GetMonitorInfoW.USER32(00000000,?), ref: 001C1328
CopyRect.USER32(?,?), ref: 001C133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 001C13AA

Strings

0, xrefs: 001C10D3
(, xrefs: 001C131B
tooltips_class32, xrefs: 001C11E6

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: b63355ce527bf4df2b287ee318fe114235b58bf5f19892f9d964984186c4d5c6
Instruction ID: 479987d2e7853237a5ea955bacae3ec8bcef3f2fa9b6bf7033359771a68ffa60
Opcode Fuzzy Hash: b63355ce527bf4df2b287ee318fe114235b58bf5f19892f9d964984186c4d5c6
Instruction Fuzzy Hash: EAB17871608341AFD704DF64C984F6ABBE4FF99354F00891CF9999B2A2C771E844CB92

Function 001C0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001C02E5
_wcslen.LIBCMT ref: 001C031F
_wcslen.LIBCMT ref: 001C0389
_wcslen.LIBCMT ref: 001C03F1
_wcslen.LIBCMT ref: 001C0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 001C04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001C0504

Part of subcall function 0014F9F2: _wcslen.LIBCMT ref: 0014F9FD

Part of subcall function 0019223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00192258
Part of subcall function 0019223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0019228A

Strings

SELECTCLEAR, xrefs: 001C052D
SELECTINVERT, xrefs: 001C057E
VIEWCHANGE, xrefs: 001C0675
GETSUBITEMCOUNT, xrefs: 001C0384, 001C039F
DESELECT, xrefs: 001C059C
GETTEXT, xrefs: 001C03EC, 001C0407
FINDITEM, xrefs: 001C0627
GETSELECTED, xrefs: 001C05E1
SELECT, xrefs: 001C0548
ISSELECTED, xrefs: 001C04DD
GETSELECTEDCOUNT, xrefs: 001C0470, 001C048B
GETITEMCOUNT, xrefs: 001C0316, 001C0337
SELECTALL, xrefs: 001C0515

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 839ba783c00327c6b2519848259c52773f8328c6c18b4190226dda1ffc0a818c
Instruction ID: 4f19b2e81f4eab4207a766fdb37ace6ee90200ae5c44bd835ebb6d145535c72e
Opcode Fuzzy Hash: 839ba783c00327c6b2519848259c52773f8328c6c18b4190226dda1ffc0a818c
Instruction Fuzzy Hash: CFE19D31208241DFCB19DF24C591E2AB3E6BFA8718F15495CF896AB3A1DB30ED45CB81

Function 00148891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00148968
GetSystemMetrics.USER32(00000007), ref: 00148970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0014899B
GetSystemMetrics.USER32(00000008), ref: 001489A3
GetSystemMetrics.USER32(00000004), ref: 001489C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001489E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001489F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00148A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00148A3C
GetClientRect.USER32(00000000,000000FF), ref: 00148A5A
GetStockObject.GDI32(00000011), ref: 00148A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00148A81

Part of subcall function 0014912D: GetCursorPos.USER32(?), ref: 00149141
Part of subcall function 0014912D: ScreenToClient.USER32(00000000,?), ref: 0014915E
Part of subcall function 0014912D: GetAsyncKeyState.USER32(00000001), ref: 00149183
Part of subcall function 0014912D: GetAsyncKeyState.USER32(00000002), ref: 0014919D

SetTimer.USER32(00000000,00000000,00000028,001490FC), ref: 00148AA8

Strings

AutoIt v3 GUI, xrefs: 00148A20

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: c298681210d119ce2ab65f702c7029bfa35a9166f3e5de6c63d22e2c58482491
Instruction ID: 2f56baa93437ac4295df34061e5d2e940d1b1d76628e54921abdc4da96e02548
Opcode Fuzzy Hash: c298681210d119ce2ab65f702c7029bfa35a9166f3e5de6c63d22e2c58482491
Instruction Fuzzy Hash: 03B17C71A0020A9FDB14DFA8DC49FAE7BB5FB48314F114229FA15A72A0DB70E951CF91

Function 00190D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00191114
Part of subcall function 001910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00190B9B,?,?,?), ref: 00191120
Part of subcall function 001910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00190B9B,?,?,?), ref: 0019112F
Part of subcall function 001910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00190B9B,?,?,?), ref: 00191136
Part of subcall function 001910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0019114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00190DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00190E29
GetLengthSid.ADVAPI32(?), ref: 00190E40
GetAce.ADVAPI32(?,00000000,?), ref: 00190E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00190E96
GetLengthSid.ADVAPI32(?), ref: 00190EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00190EB5
HeapAlloc.KERNEL32(00000000), ref: 00190EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00190EDD
CopySid.ADVAPI32(00000000), ref: 00190EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00190F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00190F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00190F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00190F6E
HeapFree.KERNEL32(00000000), ref: 00190F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00190F7E
HeapFree.KERNEL32(00000000), ref: 00190F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00190F8E
HeapFree.KERNEL32(00000000), ref: 00190F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00190FA1
HeapFree.KERNEL32(00000000), ref: 00190FA8

Part of subcall function 00191193: GetProcessHeap.KERNEL32(00000008,00190BB1,?,00000000,?,00190BB1,?), ref: 001911A1
Part of subcall function 00191193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00190BB1,?), ref: 001911A8
Part of subcall function 00191193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00190BB1,?), ref: 001911B7

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 539f894a6fabd56c27fbd353e9200d948f40ac0bcd1a16def8fb3319053bc3ed
Instruction ID: 34ac083c1853df3a559d4d61f67ed3031dbef55e40fadf515f50ff0202a3e27c
Opcode Fuzzy Hash: 539f894a6fabd56c27fbd353e9200d948f40ac0bcd1a16def8fb3319053bc3ed
Instruction Fuzzy Hash: 0C71357290020AEFDF219FA5DC48FAEBBB8FF08300F148115F919A6291D7319E55CBA0

Function 001BC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001BC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,001CCC08,00000000,?,00000000,?,?), ref: 001BC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 001BC5A4
_wcslen.LIBCMT ref: 001BC5F4
_wcslen.LIBCMT ref: 001BC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 001BC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 001BC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 001BC84D
RegCloseKey.ADVAPI32(?), ref: 001BC881
RegCloseKey.ADVAPI32(00000000), ref: 001BC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 001BC960

Strings

REG_BINARY, xrefs: 001BC913
REG_SZ, xrefs: 001BC644
REG_DWORD, xrefs: 001BC804
REG_QWORD, xrefs: 001BC8C3
REG_MULTI_SZ, xrefs: 001BC6F5
REG_EXPAND_SZ, xrefs: 001BC5CD

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 79fb2306f9aef5561cf8cbfb72aa73611d46e2b685365d86102f63e722c28f87
Instruction ID: 4e67e316d1d573e25b303891c2ec4eaac9ff19ca0567b9f2fff9025511c9f218
Opcode Fuzzy Hash: 79fb2306f9aef5561cf8cbfb72aa73611d46e2b685365d86102f63e722c28f87
Instruction Fuzzy Hash: 731259756042019FDB24DF14C881E6ABBE5FF88714F04889DF89A9B3A2DB31ED41CB81

Function 001C091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001C09C6
_wcslen.LIBCMT ref: 001C0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001C0A54
_wcslen.LIBCMT ref: 001C0A8A
_wcslen.LIBCMT ref: 001C0B06
_wcslen.LIBCMT ref: 001C0B81

Part of subcall function 0014F9F2: _wcslen.LIBCMT ref: 0014F9FD

Part of subcall function 00192BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00192BFA

Strings

ISCHECKED, xrefs: 001C0CE1
CHECK, xrefs: 001C0A85, 001C0AA0
GETTOTALCOUNT, xrefs: 001C09F2, 001C0A17
COLLAPSE, xrefs: 001C0B01, 001C0B1C
GETSELECTED, xrefs: 001C0C4E
SELECT, xrefs: 001C0D11
UNCHECK, xrefs: 001C0D3E
GETITEMCOUNT, xrefs: 001C0C1E
EXPAND, xrefs: 001C0BF8
EXISTS, xrefs: 001C0B7C, 001C0B97
GETTEXT, xrefs: 001C0C97

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 9ecaf7275a77ffa407fe7f486484079b124e3c896eb16880fc19566fa437821b
Instruction ID: 60f25ae3801123ecd2a9d518105ea4e067d92497e20edffef83267901baf61d6
Opcode Fuzzy Hash: 9ecaf7275a77ffa407fe7f486484079b124e3c896eb16880fc19566fa437821b
Instruction Fuzzy Hash: 9EE17B75208301DFCB19DF64C451A2AB7E1BFA8318F15895CF89AAB3A2D731ED45CB81

Function 001BC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,001BB6AE,?,?), ref: 001BC9B5
_wcslen.LIBCMT ref: 001BC9F1
_wcslen.LIBCMT ref: 001BCA68
_wcslen.LIBCMT ref: 001BCA9E
_wcslen.LIBCMT ref: 001BCAF9
_wcslen.LIBCMT ref: 001BCB2F
_wcslen.LIBCMT ref: 001BCB7F

Strings

HKLM, xrefs: 001BCA98, 001BCA9D
HKU, xrefs: 001BCBF0
HKEY_CLASSES_ROOT, xrefs: 001BCAF3, 001BCAF8
HKCR, xrefs: 001BCB29, 001BCB2E
HKCC, xrefs: 001BCBAC
HKEY_CURRENT_USER, xrefs: 001BCBBD
HKEY_USERS, xrefs: 001BCBDF
HKCU, xrefs: 001BCBCE
HKEY_LOCAL_MACHINE, xrefs: 001BCA62, 001BCA67
HKEY_CURRENT_CONFIG, xrefs: 001BCB79, 001BCB7E

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 900bfbfe01e661bfb56c359d38e8df6d6a21db7ad9ceba7ccfd235bf789f07f4
Instruction ID: 1c8f9e530842ce2172a6f8c893bca84380cfb1936a4a44778dc8e8d924ca8984
Opcode Fuzzy Hash: 900bfbfe01e661bfb56c359d38e8df6d6a21db7ad9ceba7ccfd235bf789f07f4
Instruction Fuzzy Hash: 8C71B23261012A8BCB20DE7DCA515FF3791ABB5794B250528FC66AB295FB31CD85C3E0

Function 001C833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001C835A
_wcslen.LIBCMT ref: 001C836E
_wcslen.LIBCMT ref: 001C8391
_wcslen.LIBCMT ref: 001C83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 001C83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,001C5BF2), ref: 001C844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001C8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 001C84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001C8501
FreeLibrary.KERNEL32(?), ref: 001C850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 001C851D
DestroyIcon.USER32(?,?,?,?,?,001C5BF2), ref: 001C852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 001C8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 001C8555

Strings

.icl, xrefs: 001C8368
.exe, xrefs: 001C8388
.dll, xrefs: 001C83AB

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 678910d8855d58f5ce44e8f0a3a3819b03a114b94a186e28281b90516af01309
Instruction ID: 3f28576214593be01e9146bb8804c17856b3e4438a32713a14e6dd61950fd5da
Opcode Fuzzy Hash: 678910d8855d58f5ce44e8f0a3a3819b03a114b94a186e28281b90516af01309
Instruction Fuzzy Hash: 9361BF71540219FAEB18DF64CC82FBE7BA8BB28711F10450AF915DA1D1DBB4E980CBA0

Function 00137778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#cs, xrefs: 00137873, 001378C5
#include, xrefs: 00137847
#requireadmin, xrefs: 001377FF
#pragma compile, xrefs: 001377D3
", xrefs: 00175153
#ce, xrefs: 001378ED
#include-once, xrefs: 0013782F
Cannot parse #include, xrefs: 00175279
#OnAutoItStartRegister, xrefs: 00137817
Unterminated group of comments, xrefs: 0017528C
', xrefs: 00175169
#notrayicon, xrefs: 001377E7
#comments-start, xrefs: 0013785F, 001378B1
#comments-end, xrefs: 001378D9
Bad directive syntax error, xrefs: 0017519A

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 39ada7df00c91c8a55a3ee8f6e2afd78f4de0690396ce6b836eb385d95147925
Instruction ID: d657320bd6216c688ce5affa47faf261c17a8d4f064740dbeaed4ee75287a0d5
Opcode Fuzzy Hash: 39ada7df00c91c8a55a3ee8f6e2afd78f4de0690396ce6b836eb385d95147925
Instruction Fuzzy Hash: 5081D8B1604605FBEB24AF60DC47FAE77B5AF25300F054028F909BA2D6EBB0D916C791

Function 00195A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00195A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00195A40
SetWindowTextW.USER32(?,?), ref: 00195A57
GetDlgItem.USER32(?,000003EA), ref: 00195A6C
SetWindowTextW.USER32(00000000,?), ref: 00195A72
GetDlgItem.USER32(?,000003E9), ref: 00195A82
SetWindowTextW.USER32(00000000,?), ref: 00195A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00195AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00195AC3
GetWindowRect.USER32(?,?), ref: 00195ACC
_wcslen.LIBCMT ref: 00195B33
SetWindowTextW.USER32(?,?), ref: 00195B6F
GetDesktopWindow.USER32 ref: 00195B75
GetWindowRect.USER32(00000000), ref: 00195B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00195BD3
GetClientRect.USER32(?,?), ref: 00195BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00195C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00195C2F

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: c5b8a6720808d53de6f683ae98eeb082d33ebbac608444a7360793b1ac2f2738
Instruction ID: 2e8aa25eaf1a4f1f1d2e361096402a2bea8a90d61796fbf8caaa6a0d289ac23f
Opcode Fuzzy Hash: c5b8a6720808d53de6f683ae98eeb082d33ebbac608444a7360793b1ac2f2738
Instruction Fuzzy Hash: AE714931900B09AFDB21DFA8CE85EAEBBF6FB48705F104518E586A26A0D775ED44CB50

Function 001500C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 001500C6

Part of subcall function 001500ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0020070C,00000FA0,DF4B6E23,?,?,?,?,001723B3,000000FF), ref: 0015011C
Part of subcall function 001500ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,001723B3,000000FF), ref: 00150127
Part of subcall function 001500ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,001723B3,000000FF), ref: 00150138
Part of subcall function 001500ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0015014E
Part of subcall function 001500ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0015015C
Part of subcall function 001500ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0015016A
Part of subcall function 001500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00150195
Part of subcall function 001500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001501A0

___scrt_fastfail.LIBCMT ref: 001500E7

Part of subcall function 001500A3: __onexit.LIBCMT ref: 001500A9

Strings

kernel32.dll, xrefs: 00150133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00150122
InitializeConditionVariable, xrefs: 00150148
WakeAllConditionVariable, xrefs: 00150162
SleepConditionVariableCS, xrefs: 00150154

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 21c7c95b2adc02b0980d69cf89563905964de22fc77dbd6c40220e13f163fdea
Instruction ID: 738d72aaf380f6b3eb7e40796d62d00d8cc8ecbcc6ee5ddbd8ed2c09670cee10
Opcode Fuzzy Hash: 21c7c95b2adc02b0980d69cf89563905964de22fc77dbd6c40220e13f163fdea
Instruction Fuzzy Hash: 86212C32640700EFE7125BE4AC8AF6977D4EB19B52F04012DFC15AAAE1DF74DC458AD1

Function 001930F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0019318D
_wcslen.LIBCMT ref: 001931F8

Strings

CLASS, xrefs: 00193188, 001931A5
CLASSNN, xrefs: 001931F3, 00193204
REGEXPCLASS, xrefs: 00193255, 00193266
NAME, xrefs: 00193335, 00193346
INSTANCE, xrefs: 00193453
TEXT, xrefs: 0019347C

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: dc3b99d8f9c05e708452b211dac026cf63ce590c6ec943cf4161ab5f743f1e90
Instruction ID: a9e8dfe2a1a2337bff2a1ae0f4743a67802cdfa71b6004c9f9fa9562ca279b20
Opcode Fuzzy Hash: dc3b99d8f9c05e708452b211dac026cf63ce590c6ec943cf4161ab5f743f1e90
Instruction Fuzzy Hash: 0DE1D432A00516ABCF189FA8C4516FEFBB1BF58710F558129E576B7250DB30AF85C7A0

Function 001A44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,001CCC08), ref: 001A4527
_wcslen.LIBCMT ref: 001A453B
_wcslen.LIBCMT ref: 001A4599
_wcslen.LIBCMT ref: 001A45F4
_wcslen.LIBCMT ref: 001A463F
_wcslen.LIBCMT ref: 001A46A7

Part of subcall function 0014F9F2: _wcslen.LIBCMT ref: 0014F9FD

GetDriveTypeW.KERNEL32(?,001F6BF0,00000061), ref: 001A4743

Strings

cdrom, xrefs: 001A458F, 001A4594
network, xrefs: 001A469D, 001A46A2
ramdisk, xrefs: 001A46F1
fixed, xrefs: 001A4635, 001A463A
unknown, xrefs: 001A4708
removable, xrefs: 001A45EA, 001A45EF
all, xrefs: 001A4531, 001A4536

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 381cde04a2cf7c605c797ca6dcc278d043480463a4cf97aa4c5c420aca4036b8
Instruction ID: 7b6378b877897a24f5a091f2a7c01e218cb131296e009beb2c30f5d1b5be6b9c
Opcode Fuzzy Hash: 381cde04a2cf7c605c797ca6dcc278d043480463a4cf97aa4c5c420aca4036b8
Instruction Fuzzy Hash: D8B100796083029FC714DF28C890A7AB7E5BFE6724F50491DF49AC7291E7B0D845CBA2

Function 001C911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00149BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00149BB2

DragQueryPoint.SHELL32(?,?), ref: 001C9147

Part of subcall function 001C7674: ClientToScreen.USER32(?,?), ref: 001C769A
Part of subcall function 001C7674: GetWindowRect.USER32(?,?), ref: 001C7710
Part of subcall function 001C7674: PtInRect.USER32(?,?,001C8B89), ref: 001C7720

SendMessageW.USER32(?,000000B0,?,?), ref: 001C91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001C91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001C91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 001C9225
SendMessageW.USER32(?,000000B0,?,?), ref: 001C923E
SendMessageW.USER32(?,000000B1,?,?), ref: 001C9255
SendMessageW.USER32(?,000000B1,?,?), ref: 001C9277
DragFinish.SHELL32(?), ref: 001C927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 001C9371

Strings

@GUI_DROPID, xrefs: 001C929E
@GUI_DRAGID, xrefs: 001C92E9
@GUI_DRAGFILE, xrefs: 001C9320
p# , xrefs: 001C92BB

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#
API String ID: 221274066-1260850325
Opcode ID: 7f4ee665abd2dc311d61cd408e0818e30eeba569eb233131fc133f7e10ca9b84
Instruction ID: 7854f94377d3b0ef5b2563f73ffe5507332f7b95333da06d58200e77a4f67ff6
Opcode Fuzzy Hash: 7f4ee665abd2dc311d61cd408e0818e30eeba569eb233131fc133f7e10ca9b84
Instruction Fuzzy Hash: 71616B71108301AFD705DF64DC89EAFBBE8EFA8750F00091EF595922A1DB70DA49CB92

Function 001BAFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001BB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001BB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001BB1D4
_wcslen.LIBCMT ref: 001BB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001BB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001BB236
_wcslen.LIBCMT ref: 001BB332

Part of subcall function 001A05A7: GetStdHandle.KERNEL32(000000F6), ref: 001A05C6

_wcslen.LIBCMT ref: 001BB34B
_wcslen.LIBCMT ref: 001BB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001BB3B6
GetLastError.KERNEL32(00000000), ref: 001BB407
CloseHandle.KERNEL32(?), ref: 001BB439
CloseHandle.KERNEL32(00000000), ref: 001BB44A
CloseHandle.KERNEL32(00000000), ref: 001BB45C
CloseHandle.KERNEL32(00000000), ref: 001BB46E
CloseHandle.KERNEL32(?), ref: 001BB4E3

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 2ef398489657b0975fca3e8af2c8ef76986d95d329210bb639d125e87dcfc3ea
Instruction ID: 407e10a86d88c9ac05501eafbb0848c12a9071fdeca106e32fc89704c3d73ce2
Opcode Fuzzy Hash: 2ef398489657b0975fca3e8af2c8ef76986d95d329210bb639d125e87dcfc3ea
Instruction Fuzzy Hash: 49F1AD715083009FC724EF24C891BAEBBE1BF85314F14855DF89A9B2A2DB71EC44CB92

Function 0013326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00201990), ref: 00172F8D
GetMenuItemCount.USER32(00201990), ref: 0017303D
GetCursorPos.USER32(?), ref: 00173081
SetForegroundWindow.USER32(00000000), ref: 0017308A
TrackPopupMenuEx.USER32(00201990,00000000,?,00000000,00000000,00000000), ref: 0017309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001730A9

Strings

0, xrefs: 0013327D

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 18831496fb97a75de3db0578e42bba6a3be53310703ba8f7f967f3fc224217d6
Instruction ID: b8cc6157a341956d2b325f3b35fbda4c327c1ca955661923263d0e4324889212
Opcode Fuzzy Hash: 18831496fb97a75de3db0578e42bba6a3be53310703ba8f7f967f3fc224217d6
Instruction Fuzzy Hash: F7711531644205BFEB258F64DC89FAABF74FF05364F208216F528AA1E1C7B1AD50DB90

Function 001C6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 001C6DEB

Part of subcall function 00136B57: _wcslen.LIBCMT ref: 00136B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 001C6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 001C6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001C6E94
DestroyWindow.USER32(?), ref: 001C6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00130000,00000000), ref: 001C6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001C6EFD
GetDesktopWindow.USER32 ref: 001C6F16
GetWindowRect.USER32(00000000), ref: 001C6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001C6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 001C6F4D

Part of subcall function 00149944: GetWindowLongW.USER32(?,000000EB), ref: 00149952

Strings

tooltips_class32, xrefs: 001C6E58, 001C6EDD
0, xrefs: 001C6D98

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 22a42bdf3e2dbabc1abc2686773b28772f78a9cbf31ea3ba4b2ec4d20c97b1fe
Instruction ID: b75ffc7c3d8ea2e79c4069dd5bf819c8a41316708bc785f738f4a43defe38f42
Opcode Fuzzy Hash: 22a42bdf3e2dbabc1abc2686773b28772f78a9cbf31ea3ba4b2ec4d20c97b1fe
Instruction Fuzzy Hash: 8F714574104344AFDB21CF28D858FAABBE9FF99304F44481EF99987261C770E946DB52

Function 001AC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001AC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001AC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001AC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 001AC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 001AC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 001AC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001AC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001AC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001AC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001AC5F0
InternetCloseHandle.WININET(00000000), ref: 001AC5FB

Strings

, xrefs: 001AC575

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: b9b2cf12cc9a8cd27218b20949bd2deb7bc90237f51115a2e2a2c8378bfff148
Instruction ID: 05b2c2675b8b4818c173ccb5fa73eda3ad2532653373d5880ceaca6632f1ceba
Opcode Fuzzy Hash: b9b2cf12cc9a8cd27218b20949bd2deb7bc90237f51115a2e2a2c8378bfff148
Instruction Fuzzy Hash: D0513BB5600705BFDB219FA4C948AAB7BFCFF09754F004419F94996610DB34ED449BE0

Function 001C856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 001C8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001C85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001C85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001C85BA
GlobalLock.KERNEL32(00000000), ref: 001C85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001C85D7
GlobalUnlock.KERNEL32(00000000), ref: 001C85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001C85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001C85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,001CFC38,?), ref: 001C8611
GlobalFree.KERNEL32(00000000), ref: 001C8621
GetObjectW.GDI32(?,00000018,?), ref: 001C8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 001C8671
DeleteObject.GDI32(?), ref: 001C8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 001C86AF

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 1aa77d8a74eb684edf6b96ba0a9206d2ea49a34da5f14148f67f51ea1846dcf7
Instruction ID: 565192759069d6090fa2ac6d8d0e92fcd8133a42331d5e6705b59eef05d17806
Opcode Fuzzy Hash: 1aa77d8a74eb684edf6b96ba0a9206d2ea49a34da5f14148f67f51ea1846dcf7
Instruction Fuzzy Hash: 5F414875600208AFDB119FA5CC88EAABBB8FF99B11F108058F909E7660DB70DD41CB60

Function 001A14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 001A1502
VariantCopy.OLEAUT32(?,?), ref: 001A150B
VariantClear.OLEAUT32(?), ref: 001A1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001A15FB
VarR8FromDec.OLEAUT32(?,?), ref: 001A1657
VariantInit.OLEAUT32(?), ref: 001A1708
SysFreeString.OLEAUT32(?), ref: 001A178C
VariantClear.OLEAUT32(?), ref: 001A17D8
VariantClear.OLEAUT32(?), ref: 001A17E7
VariantInit.OLEAUT32(00000000), ref: 001A1823

Strings

Default, xrefs: 001A16AF
%4d%02d%02d%02d%02d%02d, xrefs: 001A1625

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: a14a5c268d1aebfbc188a8da9c595e182324438f4215ddc952e84e8a4b25b3b2
Instruction ID: 711c129272eb86a687b7741a1fd0ba62935af1e4effe2b9aa76e8ecde4559b8d
Opcode Fuzzy Hash: a14a5c268d1aebfbc188a8da9c595e182324438f4215ddc952e84e8a4b25b3b2
Instruction Fuzzy Hash: E7D11E35E00505FBDB08AFA5E894B79B7B5BF47700F11805AE44AAF290DB30EC41DBA1

Function 001BB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

Part of subcall function 001BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001BB6AE,?,?), ref: 001BC9B5
Part of subcall function 001BC998: _wcslen.LIBCMT ref: 001BC9F1
Part of subcall function 001BC998: _wcslen.LIBCMT ref: 001BCA68
Part of subcall function 001BC998: _wcslen.LIBCMT ref: 001BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001BB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001BB772
RegDeleteValueW.ADVAPI32(?,?), ref: 001BB80A
RegCloseKey.ADVAPI32(?), ref: 001BB87E
RegCloseKey.ADVAPI32(?), ref: 001BB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 001BB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001BB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 001BB922
FreeLibrary.KERNEL32(00000000), ref: 001BB983
RegCloseKey.ADVAPI32(00000000), ref: 001BB994

Strings

RegDeleteKeyExW, xrefs: 001BB8FE
advapi32.dll, xrefs: 001BB8ED

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 8cd1a3ca9d748b45ef2586b52137585af8c24df6436fb787a4162be0674cec72
Instruction ID: 7a48ad7682a10e243bbbaeb528b2eb78ed8b43e4a33f14f0d23d743e6060342c
Opcode Fuzzy Hash: 8cd1a3ca9d748b45ef2586b52137585af8c24df6436fb787a4162be0674cec72
Instruction Fuzzy Hash: C9C17974208201AFD714DF24C4D5F6ABBE5BF84318F14849CF59A8BAA2CBB1ED45CB91

Function 001B255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001B25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001B25E8
CreateCompatibleDC.GDI32(?), ref: 001B25F4
SelectObject.GDI32(00000000,?), ref: 001B2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 001B266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 001B26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 001B26D0
SelectObject.GDI32(?,?), ref: 001B26D8
DeleteObject.GDI32(?), ref: 001B26E1
DeleteDC.GDI32(?), ref: 001B26E8
ReleaseDC.USER32(00000000,?), ref: 001B26F3

Strings

(, xrefs: 001B268D

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: e7f6bc74bc9ba7aee5e377dad4bbce66986175ba5cd64a977c7b13e6ba4a2664
Instruction ID: 6803b1a8eb106096888c69eab1e2ab025cf2b7983eae486903887d4ac0bd8003
Opcode Fuzzy Hash: e7f6bc74bc9ba7aee5e377dad4bbce66986175ba5cd64a977c7b13e6ba4a2664
Instruction Fuzzy Hash: 9A61D1B5D00219EFCB14CFA8D884EEEBBB6FF58310F248529E959A7250D770AD518F90

Function 0016DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0016DAA1

Part of subcall function 0016D63C: _free.LIBCMT ref: 0016D659
Part of subcall function 0016D63C: _free.LIBCMT ref: 0016D66B
Part of subcall function 0016D63C: _free.LIBCMT ref: 0016D67D
Part of subcall function 0016D63C: _free.LIBCMT ref: 0016D68F
Part of subcall function 0016D63C: _free.LIBCMT ref: 0016D6A1
Part of subcall function 0016D63C: _free.LIBCMT ref: 0016D6B3
Part of subcall function 0016D63C: _free.LIBCMT ref: 0016D6C5
Part of subcall function 0016D63C: _free.LIBCMT ref: 0016D6D7
Part of subcall function 0016D63C: _free.LIBCMT ref: 0016D6E9
Part of subcall function 0016D63C: _free.LIBCMT ref: 0016D6FB
Part of subcall function 0016D63C: _free.LIBCMT ref: 0016D70D
Part of subcall function 0016D63C: _free.LIBCMT ref: 0016D71F
Part of subcall function 0016D63C: _free.LIBCMT ref: 0016D731

_free.LIBCMT ref: 0016DA96

Part of subcall function 001629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0016D7D1,00000000,00000000,00000000,00000000,?,0016D7F8,00000000,00000007,00000000,?,0016DBF5,00000000), ref: 001629DE
Part of subcall function 001629C8: GetLastError.KERNEL32(00000000,?,0016D7D1,00000000,00000000,00000000,00000000,?,0016D7F8,00000000,00000007,00000000,?,0016DBF5,00000000,00000000), ref: 001629F0

_free.LIBCMT ref: 0016DAB8
_free.LIBCMT ref: 0016DACD
_free.LIBCMT ref: 0016DAD8
_free.LIBCMT ref: 0016DAFA
_free.LIBCMT ref: 0016DB0D
_free.LIBCMT ref: 0016DB1B
_free.LIBCMT ref: 0016DB26
_free.LIBCMT ref: 0016DB5E
_free.LIBCMT ref: 0016DB65
_free.LIBCMT ref: 0016DB82
_free.LIBCMT ref: 0016DB9A

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 0e1ea02c6fd4f112de3b452a618456d886e4e4119d779ccab206528f16583706
Instruction ID: b94dd31f52b23e6808411edacd89578883dbcbb6f8061572730c7dd40e419670
Opcode Fuzzy Hash: 0e1ea02c6fd4f112de3b452a618456d886e4e4119d779ccab206528f16583706
Instruction Fuzzy Hash: BB319A32B087049FEB25AA78EC41B6AB7E9FF61354F154429E448D7191DF30ECA0CB20

Function 0019365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0019369C
_wcslen.LIBCMT ref: 001936A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00193797
GetClassNameW.USER32(?,?,00000400), ref: 0019380C
GetDlgCtrlID.USER32(?), ref: 0019385D
GetWindowRect.USER32(?,?), ref: 00193882
GetParent.USER32(?), ref: 001938A0
ScreenToClient.USER32(00000000), ref: 001938A7
GetClassNameW.USER32(?,?,00000100), ref: 00193921
GetWindowTextW.USER32(?,?,00000400), ref: 0019395D

Strings

%s%u, xrefs: 00193734

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 4ad0a542aa23ce667d1bb3e8d54227bf2ad6c6a96ed50664e48d809db475846f
Instruction ID: 3d3f39554952fd52a3802cef9cf6616d6619fd60050e9e7a217b43d98cf85547
Opcode Fuzzy Hash: 4ad0a542aa23ce667d1bb3e8d54227bf2ad6c6a96ed50664e48d809db475846f
Instruction Fuzzy Hash: 5191B171204606EFDB19DF64C885FAAF7A9FF44354F008629F9A9C6190DB30EA46CBD1

Function 00194954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00194994
GetWindowTextW.USER32(?,?,00000400), ref: 001949DA
_wcslen.LIBCMT ref: 001949EB
CharUpperBuffW.USER32(?,00000000), ref: 001949F7
_wcsstr.LIBVCRUNTIME ref: 00194A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00194A64
GetWindowTextW.USER32(?,?,00000400), ref: 00194A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00194AE6
GetClassNameW.USER32(?,?,00000400), ref: 00194B20
GetWindowRect.USER32(?,?), ref: 00194B8B

Strings

ThumbnailClass, xrefs: 00194A6F, 00194AF1

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 8e0c7e6b961f804b50d3c8345f7847a175124890d4744c687ae86d216a5c10f7
Instruction ID: dcefbe79aa04e3131c10bba31bd9d637d3f2e4b450bdb615c2f11b21a59f019b
Opcode Fuzzy Hash: 8e0c7e6b961f804b50d3c8345f7847a175124890d4744c687ae86d216a5c10f7
Instruction Fuzzy Hash: 3E91BD721082059FDF04CF14C985FAA7BE9FF94314F048469FD8A9A196EB30ED46CBA1

Function 001C8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00149BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00149BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001C8D5A
GetFocus.USER32 ref: 001C8D6A
GetDlgCtrlID.USER32(00000000), ref: 001C8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 001C8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 001C8ECF
GetMenuItemCount.USER32(?), ref: 001C8EEC
GetMenuItemID.USER32(?,00000000), ref: 001C8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 001C8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 001C8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001C8FA1

Strings

0, xrefs: 001C8E9F

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: eebccb51253e50c46177473236e81aa00797711f616c162ea22bd6ce3662a26e
Instruction ID: 63b3428676e231e6acaa6c3110aa7fb73d020b4e3ac9cfbb5bf87a43afcd6043
Opcode Fuzzy Hash: eebccb51253e50c46177473236e81aa00797711f616c162ea22bd6ce3662a26e
Instruction Fuzzy Hash: 09819B71608311AFDB10CF24D884FABBBE9FBA9314F04091DF98997291DB70D941CBA2

Function 0019DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0019DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0019DC46
_wcslen.LIBCMT ref: 0019DC50
_wcsstr.LIBVCRUNTIME ref: 0019DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0019DCBC

Strings

StringFileInfo\, xrefs: 0019DC8F
DefaultLangCodepage, xrefs: 0019DD1F
\VarFileInfo\Translation, xrefs: 0019DCB4
%u.%u.%u.%u, xrefs: 0019DD9A
04090000, xrefs: 0019DCF2

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 51d410446e3afa5e0beeae2fff1cb34147ee06703059a9debd2cde986f297fb4
Instruction ID: 91ef42d8335fd3940af421b3ae9984eaee8fba7a13eda9efc756f502055b6df9
Opcode Fuzzy Hash: 51d410446e3afa5e0beeae2fff1cb34147ee06703059a9debd2cde986f297fb4
Instruction Fuzzy Hash: 79412472940204BADB14ABB4AC07EBF77ACEF61751F10006DF905BA1D2EB74DD0587A5

Function 001BCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001BCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 001BCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001BCD48

Part of subcall function 001BCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001BCCAA
Part of subcall function 001BCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 001BCCBD
Part of subcall function 001BCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001BCCCF
Part of subcall function 001BCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001BCD05
Part of subcall function 001BCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001BCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 001BCCF3

Strings

RegDeleteKeyExW, xrefs: 001BCCC9
advapi32.dll, xrefs: 001BCCB8

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 32ba08a1f1b93322044156b67cda2da3d5c830719d2de11470398e5c11d6aed4
Instruction ID: 1194270bf52c24247669036e5844ea06bdf1aa8addce2ca3be0bb6fb1ffcbe6b
Opcode Fuzzy Hash: 32ba08a1f1b93322044156b67cda2da3d5c830719d2de11470398e5c11d6aed4
Instruction Fuzzy Hash: 3D316A75901129BBDB209B95DC88EFFBF7CEF55750F000169F90AE2240DB349E85AAE0

Function 0019E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0019E6B4

Part of subcall function 0014E551: timeGetTime.WINMM(?,?,0019E6D4), ref: 0014E555

Sleep.KERNEL32(0000000A), ref: 0019E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0019E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0019E727
SetActiveWindow.USER32 ref: 0019E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0019E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0019E773
Sleep.KERNEL32(000000FA), ref: 0019E77E
IsWindow.USER32 ref: 0019E78A
EndDialog.USER32(00000000), ref: 0019E79B

Strings

BUTTON, xrefs: 0019E719

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: a867b1cc0fbb762b388b2f57bb001be98eeb4d003a86900506ea3e1b3b8e8df4
Instruction ID: be73634b8931ba4d0ddd28296ede46554af308a660d3263a376bfdec7d77ddd9
Opcode Fuzzy Hash: a867b1cc0fbb762b388b2f57bb001be98eeb4d003a86900506ea3e1b3b8e8df4
Instruction Fuzzy Hash: 75215E70600315EFEF009FA0FC8DE253FADF754748F140425F91982AA2DB62EC848BA5

Function 0019E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0019EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0019EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0019EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0019EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0019EAA7

Strings

play PlayMe wait, xrefs: 0019EA91
play PlayMe, xrefs: 0019EAA2
alias PlayMe, xrefs: 0019EA36
open , xrefs: 0019EA0C
close PlayMe, xrefs: 0019EA6E, 0019EA9B
status PlayMe mode, xrefs: 0019EA58

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: cb1ce81a2fd94c2ab3f691772c134a616bf82fb3052ed1412a7f956e3100889c
Instruction ID: c1f825ccb279aa53b26313332bffa9f338b772eb658ee744eafc1832bec80fae
Opcode Fuzzy Hash: cb1ce81a2fd94c2ab3f691772c134a616bf82fb3052ed1412a7f956e3100889c
Instruction Fuzzy Hash: 3E112131A9025D7DDB20E7A2DC4AEFF6ABCFBD1B44F400429B511A20D1EBB05D45C6B0

Function 00148BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00148F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00148BE8,?,00000000,?,?,?,?,00148BBA,00000000,?), ref: 00148FC5

DestroyWindow.USER32(?), ref: 00148C81
KillTimer.USER32(00000000,?,?,?,?,00148BBA,00000000,?), ref: 00148D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00186973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00148BBA,00000000,?), ref: 001869A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00148BBA,00000000,?), ref: 001869B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00148BBA,00000000), ref: 001869D4
DeleteObject.GDI32(00000000), ref: 001869E6

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 88752f626fe89ba1dce50828a4482309467583626aa0ba085f07df95e4ccd068
Instruction ID: 3645c08995d6fa60e6d8b9cb60a5728893b6fbcdad54c220a75122445e1ea377
Opcode Fuzzy Hash: 88752f626fe89ba1dce50828a4482309467583626aa0ba085f07df95e4ccd068
Instruction Fuzzy Hash: B1618D30902714DFDB29AF14D998B69BBF1FB50316F144518E0469B9B0CB71AEE0DF90

Function 00149838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00149944: GetWindowLongW.USER32(?,000000EB), ref: 00149952

GetSysColor.USER32(0000000F), ref: 00149862

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: d561f009c2e7338a34815627a417d90ebae95dd054a7aea97ea84227d764216e
Instruction ID: 601f723e5357fd78a3ee3546de28b314a7da29cf8f6befd5b677a240cda68e21
Opcode Fuzzy Hash: d561f009c2e7338a34815627a417d90ebae95dd054a7aea97ea84227d764216e
Instruction Fuzzy Hash: 8D41A131104648AFDB209F3C9C88FBA3BA5AB46330F284615FAA6871F1C731DD82DB50

Function 001996E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0017F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00199717
LoadStringW.USER32(00000000,?,0017F7F8,00000001), ref: 00199720

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0017F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00199742
LoadStringW.USER32(00000000,?,0017F7F8,00000001), ref: 00199745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00199866

Strings

^ ERROR, xrefs: 001997FB
Line %d:, xrefs: 001997A0
Error: , xrefs: 0019981D
%s (%d) : ==> %s: %s %s, xrefs: 0019984A
Line %d (File "%s"):, xrefs: 0019978F

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 78cba83ba5b86761bcd1549c743a3c5a7da57018359faaa138f913cf32db41f0
Instruction ID: 7eeeb5324e3945fe7b51d68bb9bc84cd038d0d9327a27658531b6176dcdcc772
Opcode Fuzzy Hash: 78cba83ba5b86761bcd1549c743a3c5a7da57018359faaa138f913cf32db41f0
Instruction Fuzzy Hash: 03413F7280420DAACF04FBE4DE46EEEB778AF65340F504069F60572092EB756F49CB61

Function 001906DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00136B57: _wcslen.LIBCMT ref: 00136B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001907A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001907BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001907DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00190804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0019082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00190837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0019083C

Strings

SOFTWARE\Classes\, xrefs: 0019070E
\CLSID, xrefs: 00190724
\IPC$, xrefs: 00190784

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: e2ba528f32977ee212c67e2ff270f353a5cd801bd0161a74b292ed8d55d2f638
Instruction ID: 7917b9f0909bbcae0dff350b3535569549ff95b5594a8e554608715271711eed
Opcode Fuzzy Hash: e2ba528f32977ee212c67e2ff270f353a5cd801bd0161a74b292ed8d55d2f638
Instruction Fuzzy Hash: 4D412472D00228AFCF15EBA4DC85CEEB7B8BF58350F444169E905A31A0EB709E44CBA0

Function 001B3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001B3C5C
CoInitialize.OLE32(00000000), ref: 001B3C8A
CoUninitialize.OLE32 ref: 001B3C94
_wcslen.LIBCMT ref: 001B3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 001B3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 001B3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 001B3F0E
CoGetObject.OLE32(?,00000000,001CFB98,?), ref: 001B3F2D
SetErrorMode.KERNEL32(00000000), ref: 001B3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001B3FC4
VariantClear.OLEAUT32(?), ref: 001B3FD8

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: eb6b96b1e5058caaee4dedd3deba9283875601e6a3d2a8e06160abf730e77a94
Instruction ID: 87f1596187a7c82b6f6e5b85287182899e5dfb4c025d8435bb7a1c0167cd8ffc
Opcode Fuzzy Hash: eb6b96b1e5058caaee4dedd3deba9283875601e6a3d2a8e06160abf730e77a94
Instruction Fuzzy Hash: 71C145716083059FC704DF68C88496BBBE9FF89744F14491DF99A9B250DB30EE46CB92

Function 001A7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001A7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 001A7B8F
SHGetDesktopFolder.SHELL32(?), ref: 001A7BA3
CoCreateInstance.OLE32(001CFD08,00000000,00000001,001F6E6C,?), ref: 001A7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 001A7C74
CoTaskMemFree.OLE32(?,?), ref: 001A7CCC
SHBrowseForFolderW.SHELL32(?), ref: 001A7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 001A7D7A
CoTaskMemFree.OLE32(00000000), ref: 001A7D81
CoTaskMemFree.OLE32(00000000), ref: 001A7DD6
CoUninitialize.OLE32 ref: 001A7DDC

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: c1b51282988810a8841f969ab43ddc0998c1f48cedb4d8cd22ff190725ba2d53
Instruction ID: 3c2755774643776c924a1eaa51ac1dbee33ba996ae9903a76eb0705d2dee2c9c
Opcode Fuzzy Hash: c1b51282988810a8841f969ab43ddc0998c1f48cedb4d8cd22ff190725ba2d53
Instruction Fuzzy Hash: 99C11975A04209AFCB14DFA4C884DAEBBF9FF49314F148499E81A9B661D730EE45CB90

Function 001C541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 001C5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001C5515
CharNextW.USER32(00000158), ref: 001C5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 001C5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 001C559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001C55AC

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 9897a278442dac35c66aa00ac6b57ac384645950eb018b90274b9162eb9433a9
Instruction ID: 55614c620c0f7b018463c1726e2808605389b027b1cfbe995a81120a49c00abb
Opcode Fuzzy Hash: 9897a278442dac35c66aa00ac6b57ac384645950eb018b90274b9162eb9433a9
Instruction Fuzzy Hash: EC619F30900618EFDF148F94CC84EFE7BBAEB29724F104149F925A6291D770EAC0DB61

Function 0018FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0018FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0018FB08
VariantInit.OLEAUT32(?), ref: 0018FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0018FB3A
VariantCopy.OLEAUT32(?,?), ref: 0018FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0018FBA1
VariantClear.OLEAUT32(?), ref: 0018FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0018FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0018FBCC
VariantClear.OLEAUT32(?), ref: 0018FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0018FBE9

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: f5b207c03b0cfc08bc64596406d42db0672bd856415de1e58a173f8b53952398
Instruction ID: e250df2cd05b5e747cbeb786d4be4456c570a02ce8a35a9a17f93aa5ba759338
Opcode Fuzzy Hash: f5b207c03b0cfc08bc64596406d42db0672bd856415de1e58a173f8b53952398
Instruction Fuzzy Hash: 9D412135A002199FCB04EF64D854DAEBBB9FF58354F008069E959A7661D730EE46CF90

Function 00199C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00199CA1
GetAsyncKeyState.USER32(000000A0), ref: 00199D22
GetKeyState.USER32(000000A0), ref: 00199D3D
GetAsyncKeyState.USER32(000000A1), ref: 00199D57
GetKeyState.USER32(000000A1), ref: 00199D6C
GetAsyncKeyState.USER32(00000011), ref: 00199D84
GetKeyState.USER32(00000011), ref: 00199D96
GetAsyncKeyState.USER32(00000012), ref: 00199DAE
GetKeyState.USER32(00000012), ref: 00199DC0
GetAsyncKeyState.USER32(0000005B), ref: 00199DD8
GetKeyState.USER32(0000005B), ref: 00199DEA

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a6b36ec9ff4e38e7e286ed4a1bc9823b542985d8cddec14faeba7afea72a7ac3
Instruction ID: e1831e01a4a804cccb8401aa04ecdf5fe0b26f5e7275a5b16c5072c0c6ffb262
Opcode Fuzzy Hash: a6b36ec9ff4e38e7e286ed4a1bc9823b542985d8cddec14faeba7afea72a7ac3
Instruction Fuzzy Hash: 7E41CD349047CA6DFF3597A8C8447B5BEE06F12344F04805ED6C6565C2EBA59DC4C792

Function 001B055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001B05BC
inet_addr.WSOCK32(?), ref: 001B061C
gethostbyname.WSOCK32(?), ref: 001B0628
IcmpCreateFile.IPHLPAPI ref: 001B0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001B06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001B06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 001B07B9
WSACleanup.WSOCK32 ref: 001B07BF

Strings

Ping, xrefs: 001B0676

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: e3312ad9bd0bb176c9934ccaaf99f315badb01cd3b48a849fd865950f7235888
Instruction ID: c49ebdeeeb991eeabcb4741e28379337c3b41da08d56d6d2238ac1872e551bc9
Opcode Fuzzy Hash: e3312ad9bd0bb176c9934ccaaf99f315badb01cd3b48a849fd865950f7235888
Instruction Fuzzy Hash: 9A918E355042019FD321DF15C888F5BBBE4AF48318F1585A9F4A99BBA2CB30ED45CF91

Function 001B8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 001B8CF3

Part of subcall function 00198E54: _wcslen.LIBCMT ref: 00198E77

_wcslen.LIBCMT ref: 001B8D4E
_wcslen.LIBCMT ref: 001B8D9C
_wcslen.LIBCMT ref: 001B8DDC
_wcslen.LIBCMT ref: 001B8E6E

Strings

winapi, xrefs: 001B8D96, 001B8D9B
stdcall, xrefs: 001B8DD6, 001B8DDB
none, xrefs: 001B8E65, 001B8E6A
cdecl, xrefs: 001B8D48, 001B8D4D

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 877f30a7a8e4eca273c0c173ca5d6fd1a6e7e12bd2aaddb3813a844ff0a99312
Instruction ID: d30abb6ff3aac31f2f2804367f93a56de08579592657e0b485ee472831c5229b
Opcode Fuzzy Hash: 877f30a7a8e4eca273c0c173ca5d6fd1a6e7e12bd2aaddb3813a844ff0a99312
Instruction Fuzzy Hash: DB519331A0411A9BCF14DFACC9519FEB7A9BF64B24B21422AE966E72C4DF31DD40C790

Function 001B372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 001B3774
CoUninitialize.OLE32 ref: 001B377F
CoCreateInstance.OLE32(?,00000000,00000017,001CFB78,?), ref: 001B37D9
IIDFromString.OLE32(?,?), ref: 001B384C
VariantInit.OLEAUT32(?), ref: 001B38E4
VariantClear.OLEAUT32(?), ref: 001B3936

Strings

Failed to create object, xrefs: 001B37E4, 001B389A
NULL Pointer assignment, xrefs: 001B381E
Invalid parameter, xrefs: 001B3865

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 5b06687a9d79e0cc4bba019e52b2524a7852fc309abf6c84f3f80d88614a29da
Instruction ID: ddc1f9a7c4ffbf641149d329fdfbe3d921602cf06574be2ce4470624a4de3899
Opcode Fuzzy Hash: 5b06687a9d79e0cc4bba019e52b2524a7852fc309abf6c84f3f80d88614a29da
Instruction Fuzzy Hash: 0161D371608301AFD711DF54C888FAABBE8EF59710F00490DF9959B291DB70EE59CB92

Function 001C8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00149BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00149BB2

Part of subcall function 0014912D: GetCursorPos.USER32(?), ref: 00149141
Part of subcall function 0014912D: ScreenToClient.USER32(00000000,?), ref: 0014915E
Part of subcall function 0014912D: GetAsyncKeyState.USER32(00000001), ref: 00149183
Part of subcall function 0014912D: GetAsyncKeyState.USER32(00000002), ref: 0014919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 001C8B6B
ImageList_EndDrag.COMCTL32 ref: 001C8B71
ReleaseCapture.USER32 ref: 001C8B77
SetWindowTextW.USER32(?,00000000), ref: 001C8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 001C8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 001C8CFF

Strings

@GUI_DROPID, xrefs: 001C8C51
@GUI_DRAGFILE, xrefs: 001C8C9A
p# , xrefs: 001C8C71

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#
API String ID: 1924731296-1206455525
Opcode ID: e2a7a229570ee753904f0d2addca08d8f1138c3f3bb9dd0b81e2dfaf5e6043e8
Instruction ID: db88cc713b0b1f5fe2043d8f56a2136b79438335a7f9b45397589cd9a1d3474d
Opcode Fuzzy Hash: e2a7a229570ee753904f0d2addca08d8f1138c3f3bb9dd0b81e2dfaf5e6043e8
Instruction Fuzzy Hash: ED514A71104304AFD704DF14D89AFAA77E4EB98714F40062DF996672E2DB70DD54CBA2

Function 001A3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001A33CF

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001A33F0

Strings

"%s" (%d) : ==> %s:, xrefs: 001A3522
Error: , xrefs: 001A34D1
Incorrect parameters to object property !, xrefs: 001A34AB
"%s" (%d) : ==> %s:%s%s, xrefs: 001A3504
Line %d (File "%s"):, xrefs: 001A3443, 001A345C
^ ERROR , xrefs: 001A349E

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 05182611bb2611bda1aeb79784ae45e2e48d650e854feec9f81c3534f9273d54
Instruction ID: 2eacf3673529af1f5edd66668c864a3d015964657ffa9032f624cc47063d0b54
Opcode Fuzzy Hash: 05182611bb2611bda1aeb79784ae45e2e48d650e854feec9f81c3534f9273d54
Instruction Fuzzy Hash: D7518C72D00209AADF15EBE0DD46EEEB778EF25340F1080A5F519720A2EB716F58DB61

Function 0019B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0019B5FC
_wcslen.LIBCMT ref: 0019B608
_wcslen.LIBCMT ref: 0019B64D
_wcslen.LIBCMT ref: 0019B68C
_wcslen.LIBCMT ref: 0019B6C7

Strings

APPEND, xrefs: 0019B6C1, 0019B6C6
REMOVE, xrefs: 0019B602, 0019B607
EXISTS, xrefs: 0019B686, 0019B68B
KEYS, xrefs: 0019B647, 0019B64C

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 6689feaaaa98a01298a92c075f1fa9e8d41fe0c331d7b45465a841cbb6147dc9
Instruction ID: 69124c4dfc5bce43c457c876206ae21377e005ab0b58cceba2614a75646e674e
Opcode Fuzzy Hash: 6689feaaaa98a01298a92c075f1fa9e8d41fe0c331d7b45465a841cbb6147dc9
Instruction Fuzzy Hash: 9941F832A080269BCF106F7DDED15BE77A5BFA0B58B254229E421DB284E731ED81C790

Function 001A5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001A53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 001A5416
GetLastError.KERNEL32 ref: 001A5420
SetErrorMode.KERNEL32(00000000,READY), ref: 001A54A7

Strings

UNKNOWN, xrefs: 001A5444
READONLY, xrefs: 001A5452
READY, xrefs: 001A5460, 001A5468
INVALID, xrefs: 001A5459
NOTREADY, xrefs: 001A544B

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: ec6a7ae05976c65e39376bce6625991db3bc092c4a660d943e0885a9a3de3b24
Instruction ID: 984c337c2ea727a6f5e7201bdfbcf252373db99e944c6075cec119dc4bb21a58
Opcode Fuzzy Hash: ec6a7ae05976c65e39376bce6625991db3bc092c4a660d943e0885a9a3de3b24
Instruction Fuzzy Hash: 9A31D439A04608DFC714DF68C484EAE7BB5FF5A305F188065E505DB692E770ED86CBA0

Function 001C3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 001C3C79
SetMenu.USER32(?,00000000), ref: 001C3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001C3D10
IsMenu.USER32(?), ref: 001C3D24
CreatePopupMenu.USER32 ref: 001C3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001C3D5B
DrawMenuBar.USER32 ref: 001C3D63

Strings

F, xrefs: 001C3D4E
0, xrefs: 001C3C54

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: a19349e8195630e802c172ce58e7b55de00879b3635f893021ef069f00feac0c
Instruction ID: b34c212e63fe78d22fe39a35cce6332e87f55b3586c3545b33a02db302d41dd9
Opcode Fuzzy Hash: a19349e8195630e802c172ce58e7b55de00879b3635f893021ef069f00feac0c
Instruction Fuzzy Hash: 4F413679A01209AFDB14CFA4E844FAA7BB5FF59350F14402DE95AA7360D730EE50CB94

Function 001C3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 001C3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 001C3AA0
GetWindowLongW.USER32(?,000000F0), ref: 001C3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001C3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 001C3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 001C3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 001C3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 001C3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 001C3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 001C3C13

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: cbd5c41cbe966d41b010bfeb9b7e8e01fde26cf69f8b7d75aec5c6a90e9cfdd1
Instruction ID: aca901801718218c27beb91c35acdf18b70f97fefbca80b0156631b43d6b1ddd
Opcode Fuzzy Hash: cbd5c41cbe966d41b010bfeb9b7e8e01fde26cf69f8b7d75aec5c6a90e9cfdd1
Instruction Fuzzy Hash: A6616975A00248AFDB10DFA8CC85FEE77B8EB19700F10419AFA15A72A2D770EE55DB50

Function 0019B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0019B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0019A1E1,?,00000001), ref: 0019B165
GetWindowThreadProcessId.USER32(00000000), ref: 0019B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0019A1E1,?,00000001), ref: 0019B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0019B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0019A1E1,?,00000001), ref: 0019B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0019A1E1,?,00000001), ref: 0019B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0019A1E1,?,00000001), ref: 0019B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0019A1E1,?,00000001), ref: 0019B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0019A1E1,?,00000001), ref: 0019B21D

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 64aca38fdfc6fe7f0f1c50e7179230255c275d8f255871cd8db337f04677bbf7
Instruction ID: 2d9b19cb019a5d5f8e52b0e1013db0c7c33be45053fdad0c8054102a6aa00cad
Opcode Fuzzy Hash: 64aca38fdfc6fe7f0f1c50e7179230255c275d8f255871cd8db337f04677bbf7
Instruction Fuzzy Hash: 75316579504304AFDF10DF24FE88FAA7BAAFB51311F104019FA0996291D7B4AE818BA0

Function 00162C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00162C94

Part of subcall function 001629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0016D7D1,00000000,00000000,00000000,00000000,?,0016D7F8,00000000,00000007,00000000,?,0016DBF5,00000000), ref: 001629DE
Part of subcall function 001629C8: GetLastError.KERNEL32(00000000,?,0016D7D1,00000000,00000000,00000000,00000000,?,0016D7F8,00000000,00000007,00000000,?,0016DBF5,00000000,00000000), ref: 001629F0

_free.LIBCMT ref: 00162CA0
_free.LIBCMT ref: 00162CAB
_free.LIBCMT ref: 00162CB6
_free.LIBCMT ref: 00162CC1
_free.LIBCMT ref: 00162CCC
_free.LIBCMT ref: 00162CD7
_free.LIBCMT ref: 00162CE2
_free.LIBCMT ref: 00162CED
_free.LIBCMT ref: 00162CFB

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1a6e493c1676857dd415c46b3cf9f988fe2518390d99cd7243be417a0cf13ef3
Instruction ID: 92ec0fdff666860d5eac6dbaf0b616839a152ca4e6f946a0cdc64f9ddd5dde00
Opcode Fuzzy Hash: 1a6e493c1676857dd415c46b3cf9f988fe2518390d99cd7243be417a0cf13ef3
Instruction Fuzzy Hash: 2511C376600518BFCB06EF54DC82CDD3BA5FF55394F4144A1FA489B222DB31EA609B90

Function 00131410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00131459
OleUninitialize.OLE32(?,00000000), ref: 001314F8
UnregisterHotKey.USER32(?), ref: 001316DD
DestroyWindow.USER32(?), ref: 001724B9
FreeLibrary.KERNEL32(?), ref: 0017251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0017254B

Strings

close all, xrefs: 00131454

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 409e4ebc772bf54c75f9e5a740430120bc2f829f7c75c065968aa7f890d5a7e0
Instruction ID: fcd33cd21fa0784c7f5222181e74cb85aa3dfd928b35a198f55204d374fe4a92
Opcode Fuzzy Hash: 409e4ebc772bf54c75f9e5a740430120bc2f829f7c75c065968aa7f890d5a7e0
Instruction Fuzzy Hash: A3D147317012129FCB29EF54C999A69F7B4BF15700F1582ADE84A6B262DB30ED13CF91

Function 00135BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00135C7A

Part of subcall function 00135D0A: GetClientRect.USER32(?,?), ref: 00135D30
Part of subcall function 00135D0A: GetWindowRect.USER32(?,?), ref: 00135D71
Part of subcall function 00135D0A: ScreenToClient.USER32(?,?), ref: 00135D99

GetDC.USER32 ref: 001746F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00174708
SelectObject.GDI32(00000000,00000000), ref: 00174716
SelectObject.GDI32(00000000,00000000), ref: 0017472B
ReleaseDC.USER32(?,00000000), ref: 00174733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001747C4

Strings

U, xrefs: 00174693

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: c5ec04c61c13eb9d3a3584cfacc4e9cac5b7d8942450747d677e2cf901f9a21a
Instruction ID: 88adfd4fe86a3b0d58ad2a675c9aac9f498c966a50719297300d91c0feeb088b
Opcode Fuzzy Hash: c5ec04c61c13eb9d3a3584cfacc4e9cac5b7d8942450747d677e2cf901f9a21a
Instruction Fuzzy Hash: 1671DF35400205DFCF2A8F64C984ABA7BB6FF5A364F188269F9595A266C331DC81DF50

Function 001A359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001A35E4

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

LoadStringW.USER32(00202390,?,00000FFF,?), ref: 001A360A

Strings

^ ERROR, xrefs: 001A36C9
"%s" (%d) : ==> %s:, xrefs: 001A3742
Error: , xrefs: 001A36EF
"%s" (%d) : ==> %s:%s%s, xrefs: 001A3724
Line %d (File "%s"):, xrefs: 001A366B

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: ed68c63145b6e863ae6f4e5fb92293c319d1829a230856fdf2f90dbb47fd5a77
Instruction ID: 87226bdfcd7a7680e306afe6c410715ea191b03b1a8c48b947edde61237e57bf
Opcode Fuzzy Hash: ed68c63145b6e863ae6f4e5fb92293c319d1829a230856fdf2f90dbb47fd5a77
Instruction Fuzzy Hash: 86515B72800209BBDF15EBE0DC46EEEBB78AF25300F144169F115721A2EB715B99DFA1

Function 001AC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001AC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001AC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001AC2CA
GetLastError.KERNEL32 ref: 001AC322
SetEvent.KERNEL32(?), ref: 001AC336
InternetCloseHandle.WININET(00000000), ref: 001AC341

Strings

, xrefs: 001AC2BB

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 6aab719ec09341bfb0629011f21cb805e950f297896675b3afb51218ad70c52e
Instruction ID: 01277b150396af25ca8e0bad29c1018930abcc31d21a98ab7d2e69db0036f4f1
Opcode Fuzzy Hash: 6aab719ec09341bfb0629011f21cb805e950f297896675b3afb51218ad70c52e
Instruction Fuzzy Hash: B9318DB5500304AFDB219FA48888AAB7AFCFF5A740F10851EF44A92600DB30DD459BE1

Function 0019989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00173AAF,?,?,Bad directive syntax error,001CCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 001998BC
LoadStringW.USER32(00000000,?,00173AAF,?), ref: 001998C3

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00199987

Strings

Line %d:, xrefs: 00199912
%s (%d) : ==> %s.: %s %s, xrefs: 001998F1
Error: , xrefs: 00199955
Line %d (File "%s"):, xrefs: 0019992D
., xrefs: 0019996D

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 8fb48aec3d510d399729ac821c727fad574ce5862675a86f3d0bf4ad7a33edf7
Instruction ID: 46a9d6eeaa3b90be4c01c4ad50276308199051c91f5cc27b92426522135dcba9
Opcode Fuzzy Hash: 8fb48aec3d510d399729ac821c727fad574ce5862675a86f3d0bf4ad7a33edf7
Instruction Fuzzy Hash: F2214F3194021EEBCF15AF90CC0AEEE7779FF28704F044469F619660A2EB719A58DB51

Function 0019209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 001920AB
GetClassNameW.USER32(00000000,?,00000100), ref: 001920C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0019214D

Strings

details, xrefs: 001920FB
SHELLDLL_DefView, xrefs: 001920CC
largeicons, xrefs: 001920E1
smallicons, xrefs: 00192115
list, xrefs: 0019212F

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: a6ea1c9ad10c6a4c179b67af2c410ef9decbed399a357882939dc8732ff94c6e
Instruction ID: 7464f19d6d9e00d26e5148c4214bbc3de0010835042be609a6d856a2066ff899
Opcode Fuzzy Hash: a6ea1c9ad10c6a4c179b67af2c410ef9decbed399a357882939dc8732ff94c6e
Instruction Fuzzy Hash: E611367668871ABAFF052220DC0ACF6379ECB14729F200026FB05A90D2EB71AC955654

Function 0016CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0016CEB7
_free.LIBCMT ref: 0016CF22
_free.LIBCMT ref: 0016CF48
_free.LIBCMT ref: 0016CF71
_free.LIBCMT ref: 0016CFA9
_free.LIBCMT ref: 0016CFDA
_free.LIBCMT ref: 0016D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0016D09C
_free.LIBCMT ref: 0016D0B5

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 0c6b4e5c23b8e2fc292b166595da1bedbebd6c24c3ff0c8b691556f577d727d4
Instruction ID: 31a268db35ac02665921ad7af91b187ed8df0cd6b66da71b3acc707351b27ee7
Opcode Fuzzy Hash: 0c6b4e5c23b8e2fc292b166595da1bedbebd6c24c3ff0c8b691556f577d727d4
Instruction Fuzzy Hash: 45617871A04311AFDF25AFB4AC85B7E7BA5EF15350F0441ADF98497282DB329D2187E0

Function 001C50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 001C5186
ShowWindow.USER32(?,00000000), ref: 001C51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 001C51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 001C51D1

Part of subcall function 001C6FBA: DeleteObject.GDI32(00000000), ref: 001C6FE6

GetWindowLongW.USER32(?,000000F0), ref: 001C520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001C521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 001C524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 001C5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 001C5296

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: c03ec4e4590ac268c6cbaf6a243e4a59938cefc866934b73d538bb49c15c7544
Instruction ID: 897f70e987f08898c561f5dc1eb4b0d3d82c8fbb7066c2c38c56ad5bee15ad29
Opcode Fuzzy Hash: c03ec4e4590ac268c6cbaf6a243e4a59938cefc866934b73d538bb49c15c7544
Instruction Fuzzy Hash: 5A51BD30A40A08FEEF249F24CC4AFD97BA6EB25365F58401AF619962E1C771F9D0DB41

Function 00148B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00186890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 001868A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001868B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 001868D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001868F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00148874,00000000,00000000,00000000,000000FF,00000000), ref: 00186901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0018691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00148874,00000000,00000000,00000000,000000FF,00000000), ref: 0018692D

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: d026e5c857e3d6c89626c9a17b4649ccb0b808ae05723e77c5e01e29af5bdf3e
Instruction ID: 42b5991b02450539c04dc1e55d51273c4d5c53037199e8815e1379f5f1747bf8
Opcode Fuzzy Hash: d026e5c857e3d6c89626c9a17b4649ccb0b808ae05723e77c5e01e29af5bdf3e
Instruction Fuzzy Hash: DA515870A00309EFDB24DF24CC95FAA7BB5EB58754F104528F956972A0DB70EE90DB50

Function 001AC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001AC182
GetLastError.KERNEL32 ref: 001AC195
SetEvent.KERNEL32(?), ref: 001AC1A9

Part of subcall function 001AC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001AC272
Part of subcall function 001AC253: GetLastError.KERNEL32 ref: 001AC322
Part of subcall function 001AC253: SetEvent.KERNEL32(?), ref: 001AC336
Part of subcall function 001AC253: InternetCloseHandle.WININET(00000000), ref: 001AC341

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 23c102b47d160970b3d930ebeb3d392f081bf7b64929e8a4efaee1f9e5598af2
Instruction ID: 90337d5bd4660075438e8d5ab3d7d437ab2199fb9ad78570916913b604e3e8f4
Opcode Fuzzy Hash: 23c102b47d160970b3d930ebeb3d392f081bf7b64929e8a4efaee1f9e5598af2
Instruction Fuzzy Hash: C3318D79200705EFDB219FA5DD44A66BFF9FF5A300B04441EF95A82A11D731E854DBE0

Function 001925A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00193A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00193A57
Part of subcall function 00193A3D: GetCurrentThreadId.KERNEL32 ref: 00193A5E
Part of subcall function 00193A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001925B3), ref: 00193A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 001925BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001925DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 001925DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 001925E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00192601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00192605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0019260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00192623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00192627

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 1370fa072c67e4a1c4dbf71ea30a4e687275bac09142b2384bdc84eef490073c
Instruction ID: 23e74f6c499511ff1bca724b47bf7c0ef02db5c0631b678e6e2faba89fc8bd60
Opcode Fuzzy Hash: 1370fa072c67e4a1c4dbf71ea30a4e687275bac09142b2384bdc84eef490073c
Instruction Fuzzy Hash: 6A01FC30790210BBFB106769DC8AF993F59DF5EB11F110001F318AF1D1C9F15884CAA9

Function 00191803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00191449,?,?,00000000), ref: 0019180C
HeapAlloc.KERNEL32(00000000,?,00191449,?,?,00000000), ref: 00191813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00191449,?,?,00000000), ref: 00191828
GetCurrentProcess.KERNEL32(?,00000000,?,00191449,?,?,00000000), ref: 00191830
DuplicateHandle.KERNEL32(00000000,?,00191449,?,?,00000000), ref: 00191833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00191449,?,?,00000000), ref: 00191843
GetCurrentProcess.KERNEL32(00191449,00000000,?,00191449,?,?,00000000), ref: 0019184B
DuplicateHandle.KERNEL32(00000000,?,00191449,?,?,00000000), ref: 0019184E
CreateThread.KERNEL32(00000000,00000000,00191874,00000000,00000000,00000000), ref: 00191868

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 0df9d1c0b4fa920a58499fc2952e92f727aa2b81d2603fdab5bf4c10ce850704
Instruction ID: 4931965ff389f883932992b5b0cd8803c30875743bf95f15b846770f294a0106
Opcode Fuzzy Hash: 0df9d1c0b4fa920a58499fc2952e92f727aa2b81d2603fdab5bf4c10ce850704
Instruction Fuzzy Hash: BE01A8B5240348FFE610ABA6DC49F6B3BACEB89B11F044411FA09DB5A1CA74DC408B60

Function 001BA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0019D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0019D501
Part of subcall function 0019D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0019D50F
Part of subcall function 0019D4DC: CloseHandle.KERNEL32(00000000), ref: 0019D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 001BA16D
GetLastError.KERNEL32 ref: 001BA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 001BA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 001BA268
GetLastError.KERNEL32(00000000), ref: 001BA273
CloseHandle.KERNEL32(00000000), ref: 001BA2C4

Strings

SeDebugPrivilege, xrefs: 001BA18F

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: efeeb44abd7b5ce1f2ed8c76292f5f019f5435b6e6019864eaeef3ad4c1226c7
Instruction ID: 0bb4cd0689b30857581ef389955a37ee0094ba5fe384c75c7d06be8b0901db6c
Opcode Fuzzy Hash: efeeb44abd7b5ce1f2ed8c76292f5f019f5435b6e6019864eaeef3ad4c1226c7
Instruction Fuzzy Hash: 1F61B030204242AFE724DF19C494F55BBE5AF54318F58849CE46A8BBA3C772EC85CBD2

Function 001C3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 001C3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 001C393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 001C3954
_wcslen.LIBCMT ref: 001C3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 001C39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 001C39F4

Strings

SysListView32, xrefs: 001C38F7

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: fa93ef2683653343a9f65c92e3a52f09023d7ced7d817ced93f0716876f362dd
Instruction ID: 0e225eb5b63c34abaf57bf3ea3c1e8d45044a442202f81f34d50ecd3d27c82e5
Opcode Fuzzy Hash: fa93ef2683653343a9f65c92e3a52f09023d7ced7d817ced93f0716876f362dd
Instruction Fuzzy Hash: DC41C671A00318ABEF219F64CC49FEA7BA9EF18354F10452AF958E7281D771DE90CB90

Function 0019BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0019BCFD
IsMenu.USER32(00000000), ref: 0019BD1D
CreatePopupMenu.USER32 ref: 0019BD53
GetMenuItemCount.USER32(00D23BA0), ref: 0019BDA4
InsertMenuItemW.USER32(00D23BA0,?,00000001,00000030), ref: 0019BDCC

Strings

2, xrefs: 0019BD37
0, xrefs: 0019BCA8

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 43ceb2b40370df6f90bab63f5d46da21d155009e441ed18054b293fee78cbae8
Instruction ID: 6ff836934c15fc7bcf2aa6766cf431ab5d6f0d5bceaa6fd0a0d05cf228faf1d7
Opcode Fuzzy Hash: 43ceb2b40370df6f90bab63f5d46da21d155009e441ed18054b293fee78cbae8
Instruction Fuzzy Hash: 5D51BF70A08209DBDF10CFE8EAC8BAEBBF4BF55318F144259E455E7290D770A941CBA1

Function 0019C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0019C913

Strings

stop, xrefs: 0019C8E4
info, xrefs: 0019C8B4
warning, xrefs: 0019C8FC
blank, xrefs: 0019C895
question, xrefs: 0019C8CC

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: d258cad814615455f9a92e763b8ed1b5a34861c6bdbf1c558e6277ca282c7431
Instruction ID: 8c270ac4150c67f15b2e24fb3bb448a800618197d13097dcb7ed0f08b3c9d08a
Opcode Fuzzy Hash: d258cad814615455f9a92e763b8ed1b5a34861c6bdbf1c558e6277ca282c7431
Instruction Fuzzy Hash: A5110D3168930ABBEF05AB54DC83CAE779CDF1535DB20002EF945A6182D7709D4053E4

Function 0019ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0019ED2A
_wcslen.LIBCMT ref: 0019ED3B
_wcslen.LIBCMT ref: 0019ED79
_wcslen.LIBCMT ref: 0019EDAF
_wcslen.LIBCMT ref: 0019EDDF
_wcslen.LIBCMT ref: 0019EDEF
_wcslen.LIBCMT ref: 0019EE2B
_wcslen.LIBCMT ref: 0019EE5A

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 8c52fe27d977e26c7012664bb883dd29cdeb22450e08393fd111da5667ded682
Instruction ID: b2735a7805c1b4e5c7829e470cffff868795079551b703641f5fa44b94863f0b
Opcode Fuzzy Hash: 8c52fe27d977e26c7012664bb883dd29cdeb22450e08393fd111da5667ded682
Instruction Fuzzy Hash: F841B565C10118B6CB11EBF4C88A9DFB7B8EF55311F508466E924E7121FB34E249C3E6

Function 0014F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0018682C,00000004,00000000,00000000), ref: 0014F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0018682C,00000004,00000000,00000000), ref: 0018F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0018682C,00000004,00000000,00000000), ref: 0018F454

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e404052c3d79ec9ee43c2e103e01eea6aa6967ced3e8f2dc5810c4a8db9e90b5
Instruction ID: 28c5aa73a27d3b1d5b957411ac682d6101d9ab623b9e7493a4e27f68a66e099a
Opcode Fuzzy Hash: e404052c3d79ec9ee43c2e103e01eea6aa6967ced3e8f2dc5810c4a8db9e90b5
Instruction Fuzzy Hash: D241E631608780FAD7399F29C988B2A7B92AB56318F15443DF48B56B71C732A983CB51

Function 001C2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001C2D1B
GetDC.USER32(00000000), ref: 001C2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001C2D2E
ReleaseDC.USER32(00000000,00000000), ref: 001C2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 001C2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 001C2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,001C5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 001C2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 001C2DE1

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 041341bb5bc2aea3c6a9e847085fcacade6ce73ffd37e6bca9eef4244a7e9f20
Instruction ID: ca380ffb4c673c486810c3deec9207f9b5ce064139f250abe8ba12cabddf4e74
Opcode Fuzzy Hash: 041341bb5bc2aea3c6a9e847085fcacade6ce73ffd37e6bca9eef4244a7e9f20
Instruction Fuzzy Hash: AC318972201224BFEB218F508C8AFFB3FA9EB19711F084055FE099A291C675DC91CBA0

Function 00195622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00195637
_memcmp.LIBVCRUNTIME ref: 00195659
_memcmp.LIBVCRUNTIME ref: 00195671
_memcmp.LIBVCRUNTIME ref: 00195684
_memcmp.LIBVCRUNTIME ref: 0019569E
_memcmp.LIBVCRUNTIME ref: 001956B1
_memcmp.LIBVCRUNTIME ref: 001956C9
_memcmp.LIBVCRUNTIME ref: 001956E4

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 92000f1a73c9aec2bd96692047ccb71e772fcec6a51891f182bb35d713c79dc5
Instruction ID: 38606e7480b5e6cc4a784e0035cd74347e2fce1120c1d88defe7dbc870f840db
Opcode Fuzzy Hash: 92000f1a73c9aec2bd96692047ccb71e772fcec6a51891f182bb35d713c79dc5
Instruction Fuzzy Hash: 3621A761B41A09B7DB1A5E209D92FFA335FBF30795F440028FD04AE581F720EE1583A5

Function 001B4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 001B502E, 001B5383
Not an Object type, xrefs: 001B5007

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 28602f35f2756eebb5f3b3a9873522d821263dbd0cbfb47dc2df9e538a46306f
Instruction ID: f76fdf8b6408d32767214c55d2b12ee14414b0c256e1ff89fff0bbe8381dce63
Opcode Fuzzy Hash: 28602f35f2756eebb5f3b3a9873522d821263dbd0cbfb47dc2df9e538a46306f
Instruction Fuzzy Hash: CCD1B075A0060A9FDF14DFA8C880FEEB7B6BF48344F148069E915AB291E770DD45CBA0

Function 00171522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,001717FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 001715CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00171651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,001717FB,?,001717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001716E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001716FB

Part of subcall function 00163820: RtlAllocateHeap.NTDLL(00000000,?,00201444,?,0014FDF5,?,?,0013A976,00000010,00201440,001313FC,?,001313C6,?,00131129), ref: 00163852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,001717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00171777
__freea.LIBCMT ref: 001717A2
__freea.LIBCMT ref: 001717AE

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 7e248f9206c49389912c934d6cce0c68fe04b78bce8e8e5d8a0b2d8e7e2e8027
Instruction ID: 08e4932cf5bf5c449a15b991af40796fde7ca9fb67c19c68d0a4463ec3987de0
Opcode Fuzzy Hash: 7e248f9206c49389912c934d6cce0c68fe04b78bce8e8e5d8a0b2d8e7e2e8027
Instruction Fuzzy Hash: E791B472E00216BADB288EBCCC81EEE7BB5AF59710F198659F909E7141D735DD40CBA0

Function 001B4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001B4648
VariantInit.OLEAUT32(?), ref: 001B4749
VariantClear.OLEAUT32(?), ref: 001B4753
VariantClear.OLEAUT32(?), ref: 001B47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 001B45D8, 001B4706, 001B47BE
Incorrect Object type in FOR..IN loop, xrefs: 001B472C

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: a0f1f5854a1d4ed68f305a72951cadc434d64ad10028096566640a721eb971a3
Instruction ID: 221a8f1bb6aab8b14351264312d5848eed70e29330fefe7e19201f6f949131a6
Opcode Fuzzy Hash: a0f1f5854a1d4ed68f305a72951cadc434d64ad10028096566640a721eb971a3
Instruction Fuzzy Hash: DB918F71A00219ABDF24CFA5C884FEEBBB8EF46714F10C559F505AB282DB709945CFA0

Function 001A1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 001A125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 001A1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 001A12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001A12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001A135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001A13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001A1430

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: a038458177e420ef00ea259123dc85391980da6db39eb2b072637f764336e7ed
Instruction ID: 28a0faadf53a02f06b0bc90c67bdf827109093f0d8bfefdc630e42d7a5a975ed
Opcode Fuzzy Hash: a038458177e420ef00ea259123dc85391980da6db39eb2b072637f764336e7ed
Instruction Fuzzy Hash: 8B91F479A00208AFDB05DFA8C884BBE77B5FF5A325F214029E941EB291D774E945CB90

Function 0014948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 54238e6aed4a9b8aee6a61b81b924999b8614fb7ebdeb9a75b5ef2f16dfcde98
Instruction ID: 28ebfb47307beb9a4d99119c817148959d7708d6057dd746c146dc5dcb91c4a3
Opcode Fuzzy Hash: 54238e6aed4a9b8aee6a61b81b924999b8614fb7ebdeb9a75b5ef2f16dfcde98
Instruction Fuzzy Hash: 5F911771D00219EFCB14CFA9C884AEEBBB9FF49320F24455AE515B7261D374AA41CF60

Function 001B3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001B396B
CharUpperBuffW.USER32(?,?), ref: 001B3A7A
_wcslen.LIBCMT ref: 001B3A8A
VariantClear.OLEAUT32(?), ref: 001B3C1F

Part of subcall function 001A0CDF: VariantInit.OLEAUT32(00000000), ref: 001A0D1F
Part of subcall function 001A0CDF: VariantCopy.OLEAUT32(?,?), ref: 001A0D28
Part of subcall function 001A0CDF: VariantClear.OLEAUT32(?), ref: 001A0D34

Strings

Incorrect Parameter format, xrefs: 001B39A6, 001B3BA1
AUTOIT.ERROR, xrefs: 001B3A80, 001B3A85

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: b9ecb9934ae616755860158d07e7e633c4141af1539559e1846fb89e41254dbe
Instruction ID: 1d9a31f2cb215244832454d000d3ef1d2d426a8e8a3179653e2cf55a7a1f3d47
Opcode Fuzzy Hash: b9ecb9934ae616755860158d07e7e633c4141af1539559e1846fb89e41254dbe
Instruction Fuzzy Hash: E6917C756083059FCB14DF28C5809AABBE4FF99314F14886DF8999B351DB30EE46CB92

Function 001B4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0019000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0018FF41,80070057,?,?,?,0019035E), ref: 0019002B
Part of subcall function 0019000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0018FF41,80070057,?,?), ref: 00190046
Part of subcall function 0019000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0018FF41,80070057,?,?), ref: 00190054
Part of subcall function 0019000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0018FF41,80070057,?), ref: 00190064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 001B4C51
_wcslen.LIBCMT ref: 001B4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 001B4DCF
CoTaskMemFree.OLE32(?), ref: 001B4DDA

Strings

NULL Pointer assignment, xrefs: 001B4E23, 001B4E52

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 1b59486874ae03a53a955b2d56f1a106f4b3644839ee86d95f2e675f3b1606fc
Instruction ID: 90cb661114068dff8ccfe91fa25962639fd0a74bc217ccf1504c2e2c9e54a18d
Opcode Fuzzy Hash: 1b59486874ae03a53a955b2d56f1a106f4b3644839ee86d95f2e675f3b1606fc
Instruction Fuzzy Hash: 26911571D0021DAFDF14DFA4D881AEEBBB9BF18314F108169E915AB251EB749E44CFA0

Function 001C20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 001C2183
GetMenuItemCount.USER32(00000000), ref: 001C21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 001C21DD
_wcslen.LIBCMT ref: 001C2213
GetMenuItemID.USER32(?,?), ref: 001C224D
GetSubMenu.USER32(?,?), ref: 001C225B

Part of subcall function 00193A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00193A57
Part of subcall function 00193A3D: GetCurrentThreadId.KERNEL32 ref: 00193A5E
Part of subcall function 00193A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001925B3), ref: 00193A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001C22E3

Part of subcall function 0019E97B: Sleep.KERNEL32 ref: 0019E9F3

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 5fde21f8a75ae3e43243e1408ab39c8c16c3ef525f28f4f52d590051a6682e34
Instruction ID: 02a5d80cb18dd5782ed77b764e3c338388c887c76d29d377b0fb876f41656585
Opcode Fuzzy Hash: 5fde21f8a75ae3e43243e1408ab39c8c16c3ef525f28f4f52d590051a6682e34
Instruction Fuzzy Hash: D0715B75A00215AFCB14EFA8C845EAEBBF5EF68320F15845DE816EB351DB34ED418B90

Function 0019AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0019AEF9
GetKeyboardState.USER32(?), ref: 0019AF0E
SetKeyboardState.USER32(?), ref: 0019AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0019AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0019AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0019AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0019B020

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9ddea42c01dd7842311d7d0e36072ff0b2561b7236c8c8e426b89dcf0c8816b0
Instruction ID: 6d8b1887f772e3103c1e09e88bc277f0de942459d2b6e023fd04b202af39c71b
Opcode Fuzzy Hash: 9ddea42c01dd7842311d7d0e36072ff0b2561b7236c8c8e426b89dcf0c8816b0
Instruction Fuzzy Hash: 9E51A1A0A087D53DFF3642348D89BBABEA95F06304F088589F1D9558C2D399ACC8D791

Function 0019ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0019AD19
GetKeyboardState.USER32(?), ref: 0019AD2E
SetKeyboardState.USER32(?), ref: 0019AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0019ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0019ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0019AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0019AE38

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8f50e7a3d8dc9945a297acef9b7eaedca59afb031c88483223d68f6c43f0dc05
Instruction ID: 17cba1d6b1c6b5c9387ba8859faca71e95ddd72d70988dc349c9de38de3a00bb
Opcode Fuzzy Hash: 8f50e7a3d8dc9945a297acef9b7eaedca59afb031c88483223d68f6c43f0dc05
Instruction Fuzzy Hash: 8F51C5A15487D53DFF3683648C95B7A7EE96F46300F488488E1D9468C2D394EC8CD7D2

Function 0016542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00173CD6,?,?,?,?,?,?,?,?,00165BA3,?,?,00173CD6,?,?), ref: 00165470
__fassign.LIBCMT ref: 001654EB
__fassign.LIBCMT ref: 00165506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00173CD6,00000005,00000000,00000000), ref: 0016552C
WriteFile.KERNEL32(?,00173CD6,00000000,00165BA3,00000000,?,?,?,?,?,?,?,?,?,00165BA3,?), ref: 0016554B
WriteFile.KERNEL32(?,?,00000001,00165BA3,00000000,?,?,?,?,?,?,?,?,?,00165BA3,?), ref: 00165584

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: cf2c8cfa060bf7ceab8fcd8e41c913ce80ff69acad4f0a3372bc9e26c1b4ee0a
Instruction ID: 1dda55ca4b0b3ff028ae170433d6f38d76466610c5005cb34c476a4949aa8307
Opcode Fuzzy Hash: cf2c8cfa060bf7ceab8fcd8e41c913ce80ff69acad4f0a3372bc9e26c1b4ee0a
Instruction Fuzzy Hash: 445193719006499FDB10CFA8DC89AEEBBFAEF09300F14415AF556E7291D730DA51CB60

Function 00152D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00152D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00152D53
_ValidateLocalCookies.LIBCMT ref: 00152DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00152E0C
_ValidateLocalCookies.LIBCMT ref: 00152E61

Strings

csm, xrefs: 00152DF6

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: ace5cde2bdea4a4f08e92a26963b2195d01bb09e3ae01c701c4d5ca716710b27
Instruction ID: 2931eb27482330a1a437c2604ac231893b1649ee88501f6d3e88eb3b336a9751
Opcode Fuzzy Hash: ace5cde2bdea4a4f08e92a26963b2195d01bb09e3ae01c701c4d5ca716710b27
Instruction Fuzzy Hash: E441D435A00208EBCF14DFA8C845A9EBBB4BF46326F148155EC346F352D731AA09CBD0

Function 001B10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001B304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001B307A
Part of subcall function 001B304E: _wcslen.LIBCMT ref: 001B309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 001B1112
WSAGetLastError.WSOCK32 ref: 001B1121
WSAGetLastError.WSOCK32 ref: 001B11C9
closesocket.WSOCK32(00000000), ref: 001B11F9

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 045bb368a11770467c49cbe85ced239722e249153fde7cd5f0cc42b33c6a6da9
Instruction ID: 4ec028d808d57da62ebd9af03397e91c650af0f93c30f46c9d4ff6639e116e95
Opcode Fuzzy Hash: 045bb368a11770467c49cbe85ced239722e249153fde7cd5f0cc42b33c6a6da9
Instruction Fuzzy Hash: C041D235600204AFDB109F28C894BEABBEAEF45364F558059FD19AB291C770ED81CFE1

Function 0019CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0019DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0019CF22,?), ref: 0019DDFD

Part of subcall function 0019DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0019CF22,?), ref: 0019DE16

lstrcmpiW.KERNEL32(?,?), ref: 0019CF45
MoveFileW.KERNEL32(?,?), ref: 0019CF7F
_wcslen.LIBCMT ref: 0019D005
_wcslen.LIBCMT ref: 0019D01B
SHFileOperationW.SHELL32(?), ref: 0019D061

Strings

\*.*, xrefs: 0019CFF3

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: cb95cad9830785f7fc2f52a7766038dedcb32cb45440aec9152e013d75f33cf5
Instruction ID: 3150283e917d7324915c3a17dd86ddc067378007a4ce054f6c30158c8612ec6a
Opcode Fuzzy Hash: cb95cad9830785f7fc2f52a7766038dedcb32cb45440aec9152e013d75f33cf5
Instruction Fuzzy Hash: D54137719452189FDF16EFA4D981EDEB7F9AF58380F1000E6E549EB141EB34AB88CB50

Function 001C2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001C2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 001C2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 001C2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 001C2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 001C2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 001C2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 001C2F0B

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 5ba0272c46e9ed00cbf8705a48311f9245a66e369105ec99cdfea6493d7ffa06
Instruction ID: 9dfb369b1dc125bfd28dfcfcabc5028387dd8ac5b9e587d6070dd7910fab6488
Opcode Fuzzy Hash: 5ba0272c46e9ed00cbf8705a48311f9245a66e369105ec99cdfea6493d7ffa06
Instruction Fuzzy Hash: 1E3105306042589FDB21DF58DD88FA53BE1EB6A710F150168F9049B2B2CB71EC90DB41

Function 00197726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00197769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0019778F
SysAllocString.OLEAUT32(00000000), ref: 00197792
SysAllocString.OLEAUT32(?), ref: 001977B0
SysFreeString.OLEAUT32(?), ref: 001977B9
StringFromGUID2.OLE32(?,?,00000028), ref: 001977DE
SysAllocString.OLEAUT32(?), ref: 001977EC

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1057e0011f375393aa3fd70066c31860e0fd5bc8f81115ac9c940cc077a31c22
Instruction ID: 8e84051fc3ea768da370bc8b0aff790266b43eb58262aadd61f58756ae21adaa
Opcode Fuzzy Hash: 1057e0011f375393aa3fd70066c31860e0fd5bc8f81115ac9c940cc077a31c22
Instruction Fuzzy Hash: 2F218176614219AFDF14DFA9CC88CBB77ACEF097647058425F915DB2A0D770DC8187A0

Function 001977FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00197842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00197868
SysAllocString.OLEAUT32(00000000), ref: 0019786B
SysAllocString.OLEAUT32 ref: 0019788C
SysFreeString.OLEAUT32 ref: 00197895
StringFromGUID2.OLE32(?,?,00000028), ref: 001978AF
SysAllocString.OLEAUT32(?), ref: 001978BD

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 3e773b24fa1c94680968c61492fa6c0a33cc5c3bca3cd5ad0bbb2ac11d7a443c
Instruction ID: 9c4409d86502027a45358e124e2adad9b63c813e397fb2209726854805992f5d
Opcode Fuzzy Hash: 3e773b24fa1c94680968c61492fa6c0a33cc5c3bca3cd5ad0bbb2ac11d7a443c
Instruction Fuzzy Hash: B6217F71A18204AFDF14AFA8DC88DAA77ECFF097607158125F915CB2A1DB70DC81CBA4

Function 001A04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 001A04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001A052E

Strings

nul, xrefs: 001A0567

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 88b0de8cb47fb0b10cbbbc9460744b9eaab6de9643e7183a044f61247e37b629
Instruction ID: 978ea216db38a31eca82d1e633ade44c83b58a8570df43cf7756c85073c45b45
Opcode Fuzzy Hash: 88b0de8cb47fb0b10cbbbc9460744b9eaab6de9643e7183a044f61247e37b629
Instruction Fuzzy Hash: B9219C79900305AFDF219F69DC44A9A7BB4BF4A764F204A19F8A1D72E0E770D990CF60

Function 001A05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001A05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001A0601

Strings

nul, xrefs: 001A0639

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 82bf415bc68fe8ea8c3ab6657bdbfd4957f161de30a2a0c559226cf38e8e2969
Instruction ID: e940b2017ef788eecd0ccd17c47c5fcbee49eb6992719f6516da83d402762866
Opcode Fuzzy Hash: 82bf415bc68fe8ea8c3ab6657bdbfd4957f161de30a2a0c559226cf38e8e2969
Instruction Fuzzy Hash: 552162795003059FDB219F69DC04E9A77E4BF9A724F200A19F9A5E72E0E770D9A0CB50

Function 001C40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0013600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0013604C
Part of subcall function 0013600E: GetStockObject.GDI32(00000011), ref: 00136060
Part of subcall function 0013600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0013606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 001C4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 001C411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 001C412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 001C4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 001C4145

Strings

Msctls_Progress32, xrefs: 001C40E3

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 44c7192681ec91b2f061a2810b433556181409f39fa2ad1d18dae8e395ca4c76
Instruction ID: 7c6df3cc7995618a397cce0d1e7e019c59fc53ccb96d35044c21aa8899907a52
Opcode Fuzzy Hash: 44c7192681ec91b2f061a2810b433556181409f39fa2ad1d18dae8e395ca4c76
Instruction Fuzzy Hash: BA1190B2140219BEFF119E64CC86EE77FADEF18798F014111FA18A2190C772DC619BA4

Function 0016D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0016D7A3: _free.LIBCMT ref: 0016D7CC

_free.LIBCMT ref: 0016D82D

Part of subcall function 001629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0016D7D1,00000000,00000000,00000000,00000000,?,0016D7F8,00000000,00000007,00000000,?,0016DBF5,00000000), ref: 001629DE
Part of subcall function 001629C8: GetLastError.KERNEL32(00000000,?,0016D7D1,00000000,00000000,00000000,00000000,?,0016D7F8,00000000,00000007,00000000,?,0016DBF5,00000000,00000000), ref: 001629F0

_free.LIBCMT ref: 0016D838
_free.LIBCMT ref: 0016D843
_free.LIBCMT ref: 0016D897
_free.LIBCMT ref: 0016D8A2
_free.LIBCMT ref: 0016D8AD
_free.LIBCMT ref: 0016D8B8

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 9f551bb3112a99225cdc13694ff4497d669e86bc728428cbdb1ccf6683544b03
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: B7118B71B40B14AADA21BFF0DC07FCB7BDCAF60704F440825F699A7092DB34B5258662

Function 0019DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0019DA74
LoadStringW.USER32(00000000), ref: 0019DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0019DA91
LoadStringW.USER32(00000000), ref: 0019DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0019DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0019DAB9

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 5908fe498d338b8a7e468227026b4cfac185600ab9c5564435bd590188733ece
Instruction ID: 16a6df9df43bc9b091c391275afd1846b880e58b8ab0017c83f6e31c722ee31a
Opcode Fuzzy Hash: 5908fe498d338b8a7e468227026b4cfac185600ab9c5564435bd590188733ece
Instruction Fuzzy Hash: E60162F6900208BFEB10ABA4DD89EE7366CE708301F400495F74AE2441EA74DE848FB4

Function 001A096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00D1D1F0,00D1D1F0), ref: 001A097B
EnterCriticalSection.KERNEL32(00D1D1D0,00000000), ref: 001A098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 001A099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 001A09A9
CloseHandle.KERNEL32(00000000), ref: 001A09B8
InterlockedExchange.KERNEL32(00D1D1F0,000001F6), ref: 001A09C8
LeaveCriticalSection.KERNEL32(00D1D1D0), ref: 001A09CF

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: a5b41f4904f9650ba54e2bdc5707431c98c98f9e7f6f73e30d9d917bc2686f32
Instruction ID: cdb647b928924e74e5e75cf182321fb25b9e68b1ac79c3908a48bf4a9a4a0910
Opcode Fuzzy Hash: a5b41f4904f9650ba54e2bdc5707431c98c98f9e7f6f73e30d9d917bc2686f32
Instruction Fuzzy Hash: 3EF0C932442A12ABD7525BA4EE89ED6BA29FF05706F442025F20690CA1C775D8A5CFD0

Function 001B1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 001B1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 001B1DE1
WSAGetLastError.WSOCK32 ref: 001B1DF2
htons.WSOCK32(?,?,?,?,?), ref: 001B1EDB
inet_ntoa.WSOCK32(?), ref: 001B1E8C

Part of subcall function 001939E8: _strlen.LIBCMT ref: 001939F2

Part of subcall function 001B3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,001AEC0C), ref: 001B3240

_strlen.LIBCMT ref: 001B1F35

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 1b83da0c7144c21bb78e4718540166c6b9c2bb1d70bbf3d4714897f3085be457
Instruction ID: 513c6a1a4e42ca861d2bcf9c0fdabb1a26b9d9d3b2e36d74352f404fac196532
Opcode Fuzzy Hash: 1b83da0c7144c21bb78e4718540166c6b9c2bb1d70bbf3d4714897f3085be457
Instruction Fuzzy Hash: 17B1DE31204300AFC324EF24C8A5E6A7BE5AF94318F95894CF55A5B2E2DB71ED46CB91

Function 001601B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 001600BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001600D6
__allrem.LIBCMT ref: 001600ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0016010B
__allrem.LIBCMT ref: 00160122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00160140

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: a8ca65d04a95fcf7d6c8e76e6104a5eb9e1ccb585c844afaa3beefac8c3b0aac
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 3D815772A00706ABE7259F38CC81B6B73E8AF55364F24453EF861CB6C1E7B0D9558B90

Function 001661FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001582D9,001582D9,?,?,?,0016644F,00000001,00000001,8BE85006), ref: 00166258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0016644F,00000001,00000001,8BE85006,?,?,?), ref: 001662DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001663D8
__freea.LIBCMT ref: 001663E5

Part of subcall function 00163820: RtlAllocateHeap.NTDLL(00000000,?,00201444,?,0014FDF5,?,?,0013A976,00000010,00201440,001313FC,?,001313C6,?,00131129), ref: 00163852

__freea.LIBCMT ref: 001663EE
__freea.LIBCMT ref: 00166413

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 25ea97ff1ec88ebb47ab01c292ae3e86df270c481124135b1e5c831c6a3af603
Instruction ID: 508d82c21a9f74c119c2999e7c9e543881f0c6a4d1a3c1dc6dc35a9c7c39b1a1
Opcode Fuzzy Hash: 25ea97ff1ec88ebb47ab01c292ae3e86df270c481124135b1e5c831c6a3af603
Instruction Fuzzy Hash: 0F51B172A00216ABEB258F64DC81EBF7BA9FF55750F154629FC09DB240EB34DC60D6A0

Function 001BBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

Part of subcall function 001BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001BB6AE,?,?), ref: 001BC9B5
Part of subcall function 001BC998: _wcslen.LIBCMT ref: 001BC9F1
Part of subcall function 001BC998: _wcslen.LIBCMT ref: 001BCA68
Part of subcall function 001BC998: _wcslen.LIBCMT ref: 001BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001BBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001BBD25
RegCloseKey.ADVAPI32(00000000), ref: 001BBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 001BBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 001BBDF3
RegCloseKey.ADVAPI32(?), ref: 001BBDFF

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: b0806adad38565f22ba1f1b90f0a13e831e9afc36bb9cbc92454742c619825fe
Instruction ID: 5800c90fb042b0cd30d3f4c06b78da4381c5dca61367245328562e1f598fe96a
Opcode Fuzzy Hash: b0806adad38565f22ba1f1b90f0a13e831e9afc36bb9cbc92454742c619825fe
Instruction Fuzzy Hash: CC81AC30208241AFD714DF64C8D1E6ABBE5FF84308F54895CF4998B6A2DB71ED45CB92

Function 0018F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0018F7B9
SysAllocString.OLEAUT32(00000001), ref: 0018F860
VariantCopy.OLEAUT32(0018FA64,00000000), ref: 0018F889
VariantClear.OLEAUT32(0018FA64), ref: 0018F8AD
VariantCopy.OLEAUT32(0018FA64,00000000), ref: 0018F8B1
VariantClear.OLEAUT32(?), ref: 0018F8BB

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 66e9a077afe7f497ecb5b17edd8fa528fd405c8168f5cc8a8a1fd8982a464b26
Instruction ID: 3f393023e671d055dd35b557b264b6095dd6d3a5603a1b2d87b1646a9d0baa54
Opcode Fuzzy Hash: 66e9a077afe7f497ecb5b17edd8fa528fd405c8168f5cc8a8a1fd8982a464b26
Instruction Fuzzy Hash: E651D635A00310BACF14BB65D895B29B3A4EF55314F20846EF905DF291DB708D46CFA6

Function 001A910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00137620: _wcslen.LIBCMT ref: 00137625

Part of subcall function 00136B57: _wcslen.LIBCMT ref: 00136B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 001A94E5
_wcslen.LIBCMT ref: 001A9506
_wcslen.LIBCMT ref: 001A952D
GetSaveFileNameW.COMDLG32(00000058), ref: 001A9585

Strings

X, xrefs: 001A9412

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: aedb493fc66a84be46aede57d88834d1230c71d9819023c85edb8189107dfd64
Instruction ID: 11fdf6af1235b099d9001dd6093fa9281ac3275eee5cf45f04e56a9e896cab65
Opcode Fuzzy Hash: aedb493fc66a84be46aede57d88834d1230c71d9819023c85edb8189107dfd64
Instruction Fuzzy Hash: 1DE1AF75908340DFDB24DF24C881B6AB7E0BF95314F04896DF8999B2A2DB31ED45CB92

Function 0014920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00149BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00149BB2

BeginPaint.USER32(?,?,?), ref: 00149241
GetWindowRect.USER32(?,?), ref: 001492A5
ScreenToClient.USER32(?,?), ref: 001492C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001492D3
EndPaint.USER32(?,?,?,?,?), ref: 00149321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 001871EA

Part of subcall function 00149339: BeginPath.GDI32(00000000), ref: 00149357

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 39b5163af17bd87d4186545a565f1daec40cecd4d45ce61905069f883496d86d
Instruction ID: 5496c414674cc377c418dab2a8c598225a4b66e26e61da32717262168655fc4c
Opcode Fuzzy Hash: 39b5163af17bd87d4186545a565f1daec40cecd4d45ce61905069f883496d86d
Instruction Fuzzy Hash: BB418A70104300AFD721EF24D889FAB7BB8EF56720F140669F994866F2C7719985DB61

Function 001A07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 001A080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 001A0847
EnterCriticalSection.KERNEL32(?), ref: 001A0863
LeaveCriticalSection.KERNEL32(?), ref: 001A08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 001A08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 001A0921

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 47d435167b4bde95aa306b21a3962e12afb037eedc601e702f12aba6f8851752
Instruction ID: d5d2840589f02ce09db391e89ffd049f251c757c795a908676c6a5a31ed2d5a7
Opcode Fuzzy Hash: 47d435167b4bde95aa306b21a3962e12afb037eedc601e702f12aba6f8851752
Instruction Fuzzy Hash: 70416B71900205EFDF15DF54DC85AAAB7B8FF09310F1440A9ED04AA2A7D730DE65DBA4

Function 001C81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0018F3AB,00000000,?,?,00000000,?,0018682C,00000004,00000000,00000000), ref: 001C824C
EnableWindow.USER32(00000000,00000000), ref: 001C8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 001C82D1
ShowWindow.USER32(00000000,00000004), ref: 001C82E5
EnableWindow.USER32(00000000,00000001), ref: 001C830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 001C832F

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: c1dcb81ce428d052e2a9e56467a3918a5578e593e27dbee65b4a034603097416
Instruction ID: 483422155ca791d32b23c8f82914ddbe216aae3918cd1b37f91faac4b34a4b9f
Opcode Fuzzy Hash: c1dcb81ce428d052e2a9e56467a3918a5578e593e27dbee65b4a034603097416
Instruction Fuzzy Hash: D6419C30601654AFDB25CF24D8DDFA47BE1FB1A714F1852ADE5084B2A2CB31E851CB50

Function 00194C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00194C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00194CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00194CEA
_wcslen.LIBCMT ref: 00194D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00194D10
_wcsstr.LIBVCRUNTIME ref: 00194D1A

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 9285c22c94e645a49bc3b8ce0584a5cf1221bacfa19fe3400d2249951b8afc7d
Instruction ID: 589f16deca443b020af4441fca886762fc4c2fa9e9ba771a73609f61c52f7396
Opcode Fuzzy Hash: 9285c22c94e645a49bc3b8ce0584a5cf1221bacfa19fe3400d2249951b8afc7d
Instruction Fuzzy Hash: C7212676604210BBEF155B79AD09EBB7FDCDF55750F10802DF809DA2A1EB61CC4282A0

Function 001A581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00133AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00133A97,?,?,00132E7F,?,?,?,00000000), ref: 00133AC2

_wcslen.LIBCMT ref: 001A587B
CoInitialize.OLE32(00000000), ref: 001A5995
CoCreateInstance.OLE32(001CFCF8,00000000,00000001,001CFB68,?), ref: 001A59AE
CoUninitialize.OLE32 ref: 001A59CC

Strings

.lnk, xrefs: 001A5876, 001A58C1, 001A5985

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: c58ab410ef520c82ac4a51e4d936740179d22b7b09c4667f54176523ba7b8843
Instruction ID: f71f1e0339078ce810d9c54256418341a350c8233191d53178c67260ab786895
Opcode Fuzzy Hash: c58ab410ef520c82ac4a51e4d936740179d22b7b09c4667f54176523ba7b8843
Instruction Fuzzy Hash: 1CD142796087019FC714DF25C480A2ABBE6FF9A724F14885DF8899B361DB31EC45CB92

Function 0019175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00190FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00190FCA
Part of subcall function 00190FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00190FD6
Part of subcall function 00190FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00190FE5
Part of subcall function 00190FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00190FEC
Part of subcall function 00190FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00191002

GetLengthSid.ADVAPI32(?,00000000,00191335), ref: 001917AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 001917BA
HeapAlloc.KERNEL32(00000000), ref: 001917C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 001917DA
GetProcessHeap.KERNEL32(00000000,00000000,00191335), ref: 001917EE
HeapFree.KERNEL32(00000000), ref: 001917F5

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 671bc8fddabcddf3180223ad2eb5a219329ec1b9e587e77c0afa4cb015b93726
Instruction ID: 3d7ff51ab9d2ea21d5c0e389ea21694e9692df611e816886fdc5606537bb3b93
Opcode Fuzzy Hash: 671bc8fddabcddf3180223ad2eb5a219329ec1b9e587e77c0afa4cb015b93726
Instruction Fuzzy Hash: 58116732A00606FFDF189FA5CC49FAE7BA9EB45355F144018F486A7220D736AD84CBA0

Function 001914CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001914FF
OpenProcessToken.ADVAPI32(00000000), ref: 00191506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00191515
CloseHandle.KERNEL32(00000004), ref: 00191520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0019154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00191563

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: e663e91b712fa846e0e49d82eaa6dc8441587064f571d1b97b1135179571735e
Instruction ID: e9696983a92be3deaa6a8743cb44bf56d2f690411c02aa91e6d2295044f99fef
Opcode Fuzzy Hash: e663e91b712fa846e0e49d82eaa6dc8441587064f571d1b97b1135179571735e
Instruction Fuzzy Hash: 4A11297250424ABBEF118F98ED49FDE7BA9FF49744F054015FA09A2060C375DEA1DBA0

Function 00153382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00153379,00152FE5), ref: 00153390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0015339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001533B7
SetLastError.KERNEL32(00000000,?,00153379,00152FE5), ref: 00153409

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: ebefbb3cea4c2a69212a0b62514b5f90d08031e4e8ab58cd54afa3ac9215f9c1
Instruction ID: fcbc232e38d4f4575e2a81422cf1a30e8eafda7cb03a003caa180db6bc38b54c
Opcode Fuzzy Hash: ebefbb3cea4c2a69212a0b62514b5f90d08031e4e8ab58cd54afa3ac9215f9c1
Instruction Fuzzy Hash: EB012832609315FEE61927747D859662A54FB153FB320022DFC308F1F0EF214E4EA588

Function 00162D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00165686,00173CD6,?,00000000,?,00165B6A,?,?,?,?,?,0015E6D1,?,001F8A48), ref: 00162D78
_free.LIBCMT ref: 00162DAB
_free.LIBCMT ref: 00162DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0015E6D1,?,001F8A48,00000010,00134F4A,?,?,00000000,00173CD6), ref: 00162DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0015E6D1,?,001F8A48,00000010,00134F4A,?,?,00000000,00173CD6), ref: 00162DEC
_abort.LIBCMT ref: 00162DF2

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 923367e7b90c916be9db53d96dc22e1cb91e18f4fe87316f6d34601a1d2ac5a3
Instruction ID: 7f02305b2995dd46dd577e62831c66a4f622598011ea6de293eecbb6e3091b17
Opcode Fuzzy Hash: 923367e7b90c916be9db53d96dc22e1cb91e18f4fe87316f6d34601a1d2ac5a3
Instruction Fuzzy Hash: A3F0C832A04E1167C31627B4BC16E6E2959BFD27A1F250418F828935D2EF34CC7152A0

Function 001C8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00149639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00149693
Part of subcall function 00149639: SelectObject.GDI32(?,00000000), ref: 001496A2
Part of subcall function 00149639: BeginPath.GDI32(?), ref: 001496B9
Part of subcall function 00149639: SelectObject.GDI32(?,00000000), ref: 001496E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 001C8A4E
LineTo.GDI32(?,00000003,00000000), ref: 001C8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 001C8A70
LineTo.GDI32(?,00000000,00000003), ref: 001C8A80
EndPath.GDI32(?), ref: 001C8A90
StrokePath.GDI32(?), ref: 001C8AA0

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: a6b800ea71b2739b006c7f3795bc7e5d4fab505e67753eafee7f41237d0fbb40
Instruction ID: 11f4d90d50d129225858704a51188c38f4490a9ee68ef82257aee6c0930add07
Opcode Fuzzy Hash: a6b800ea71b2739b006c7f3795bc7e5d4fab505e67753eafee7f41237d0fbb40
Instruction Fuzzy Hash: 6411097640014CFFDB129F90DC88EAA7F6CEB08350F048016FA599A5A1C771DDA5DFA0

Function 001951FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00195218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00195229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00195230
ReleaseDC.USER32(00000000,00000000), ref: 00195238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0019524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00195261

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: c073b6fab22101fa6131d7b39c7166a902f6d874db411c2e770e113e152ade50
Instruction ID: 93e9cc74dc08ac7f245b598e25b0c988d75bb2f9ff082b744af7eed4cc50d9c5
Opcode Fuzzy Hash: c073b6fab22101fa6131d7b39c7166a902f6d874db411c2e770e113e152ade50
Instruction Fuzzy Hash: 9F018475A01714BBEF105BA59C49E4EBF78EB44751F044065FA08A7680D670DC00CFA0

Function 00131BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00131BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00131BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00131C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00131C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00131C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00131C22

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 2dbc3ff6229ef315ec3fb3ab1def07b09facb07f838e15e170bcd3d12cae3dd1
Instruction ID: 12799852d031e281facfb09609453463f9594cafe5521d6363435752a7c14fa8
Opcode Fuzzy Hash: 2dbc3ff6229ef315ec3fb3ab1def07b09facb07f838e15e170bcd3d12cae3dd1
Instruction Fuzzy Hash: 450148B09027597DE3008F5A8C85A52FEA8FF19354F00411B915C47A41C7B5A864CBE5

Function 0019EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0019EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0019EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0019EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0019EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0019EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0019EB75

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 368b831c0f7b8c1e74a39e4b11c94e7c0bbbfac6b6d9e8d6286d7b4bacd1970c
Instruction ID: 3f8c527cc28e14397bef98be8eb6a685335aa6ec719f89877164470c088a8d3d
Opcode Fuzzy Hash: 368b831c0f7b8c1e74a39e4b11c94e7c0bbbfac6b6d9e8d6286d7b4bacd1970c
Instruction Fuzzy Hash: D7F01772640168BBE7215B629D0EEEB3E7CEBCAB15F000158F605D1591A7A09E41CAF5

Function 00187439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00187452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00187469
GetWindowDC.USER32(?), ref: 00187475
GetPixel.GDI32(00000000,?,?), ref: 00187484
ReleaseDC.USER32(?,00000000), ref: 00187496
GetSysColor.USER32(00000005), ref: 001874B0

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 374fa4dd8945a03f0a8e85c8d875b6f19b78a58cf74d511141b1ef98c39f5c15
Instruction ID: f886cd4b8d9cd17c28a862a88b90b59cbd6b9c6b9b49df8428ecdf29a753f709
Opcode Fuzzy Hash: 374fa4dd8945a03f0a8e85c8d875b6f19b78a58cf74d511141b1ef98c39f5c15
Instruction Fuzzy Hash: FB014B31500215EFDB51AFA4DD08FEABFB5FB04311F650164F919A25A1CB319E92AF90

Function 00191874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0019187F
UnloadUserProfile.USERENV(?,?), ref: 0019188B
CloseHandle.KERNEL32(?), ref: 00191894
CloseHandle.KERNEL32(?), ref: 0019189C
GetProcessHeap.KERNEL32(00000000,?), ref: 001918A5
HeapFree.KERNEL32(00000000), ref: 001918AC

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: d5845ec733c959f962b79e4d6b067de1f648e9af749df1707f31ff3432fe0271
Instruction ID: 34d3f0498fc0dd8ef916ce5c39e7a766757a5cd343b86811c04f06d46e151395
Opcode Fuzzy Hash: d5845ec733c959f962b79e4d6b067de1f648e9af749df1707f31ff3432fe0271
Instruction Fuzzy Hash: 91E0E536404601FBDB015FA2ED0CD0ABF39FF49B22B108220F22981870CB32D8A0DF90

Function 0013BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0013BEB3

Strings

D% D% , xrefs: 0013BCA5
D% , xrefs: 0013BE9A
D% , xrefs: 0013BCA2
D% , xrefs: 0013BDED, 0013BD91, 0013BD1B

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Init_thread_footer
String ID: D% $D% $D% $D% D%
API String ID: 1385522511-3319970960
Opcode ID: 123b63b3641af14c2add86778e49213d0e8101826c4ecbed34b56f27523b95b1
Instruction ID: 15977a0be8ad75f9e3a99a95985211059234c24ea3bbbb6c8a796772d4931253
Opcode Fuzzy Hash: 123b63b3641af14c2add86778e49213d0e8101826c4ecbed34b56f27523b95b1
Instruction Fuzzy Hash: 7E914A75A0420ACFCB28CF99C4D06A9BBF1FF58314F64816ADA45AB351E731E981CB90

Function 0019C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00137620: _wcslen.LIBCMT ref: 00137625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0019C6EE
_wcslen.LIBCMT ref: 0019C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0019C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0019C7CA

Strings

0, xrefs: 0019C6AF

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 1593fd4185f84ab2849589ec839e33d02021f7e88e3cbfe9046541c391191ad2
Instruction ID: f56ba4b97f664ff6dfe827bf3a39d188e12726580f5577d9d151171d00e70242
Opcode Fuzzy Hash: 1593fd4185f84ab2849589ec839e33d02021f7e88e3cbfe9046541c391191ad2
Instruction Fuzzy Hash: 4D51BE726143419BDB189F68C885B6BB7E8AF59314F040A2DF9D5D32E1DB70D904CBD2

Function 001BAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 001BAEA3

Part of subcall function 00137620: _wcslen.LIBCMT ref: 00137625

GetProcessId.KERNEL32(00000000), ref: 001BAF38
CloseHandle.KERNEL32(00000000), ref: 001BAF67

Strings

@, xrefs: 001BAE72
<, xrefs: 001BAE6B

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: c4585e109036a283a88caf79de21357e7853baef4e6cc33a487a6c7e0d0c9d4e
Instruction ID: 2f10ccedb49ed9c62725257f7357d0f816dd63e8d452d23a47ee56ec18e99fe3
Opcode Fuzzy Hash: c4585e109036a283a88caf79de21357e7853baef4e6cc33a487a6c7e0d0c9d4e
Instruction Fuzzy Hash: C6717975A00619DFCB14DFA8D494A9EBBF0FF08310F448499E856AB3A2CB74ED45CB91

Function 0019719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00197206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0019723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0019724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001972CF

Strings

DllGetClassObject, xrefs: 00197242

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: dae852afae1b3c0c68eadfb07a779810bbcea2317c4b725571b81eabe826e776
Instruction ID: aa682de06ec362983361a161bb87098997514bb9e11af98a727e4e3ff9133181
Opcode Fuzzy Hash: dae852afae1b3c0c68eadfb07a779810bbcea2317c4b725571b81eabe826e776
Instruction Fuzzy Hash: F5416E71A24204EFDF15CF54C885A9A7BA9EF44710F2580ADBD099F28AD7B0DD45CBA0

Function 001C2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 001C2F8D
LoadLibraryW.KERNEL32(?), ref: 001C2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 001C2FA9
DestroyWindow.USER32(?), ref: 001C2FB1

Strings

SysAnimate32, xrefs: 001C2F68

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 7fe529b8ca710fbc7ba7147210a04ee9313af4a34abac84b43267db0fb0cb84e
Instruction ID: b64ff71e7d87a5026b6f48ca24b80406e04fe484c4826edc08748565650609ae
Opcode Fuzzy Hash: 7fe529b8ca710fbc7ba7147210a04ee9313af4a34abac84b43267db0fb0cb84e
Instruction Fuzzy Hash: 5B21CA72200209ABEB218FA4DC80FBB77BDEB69364F10462CFA50D31A0D771DC9197A0

Function 00154D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00154D1E,001628E9,?,00154CBE,001628E9,001F88B8,0000000C,00154E15,001628E9,00000002), ref: 00154D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00154DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00154D1E,001628E9,?,00154CBE,001628E9,001F88B8,0000000C,00154E15,001628E9,00000002,00000000), ref: 00154DC3

Strings

CorExitProcess, xrefs: 00154D98
mscoree.dll, xrefs: 00154D86

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 190222d0373d4728e245f05ec44ad6c59a90b29513309253be1dad503598da54
Instruction ID: 25109bed9fc2e6ae43be92e89aaa3d7408eac001ce9fc1fe55c0c0c3b8ee43ba
Opcode Fuzzy Hash: 190222d0373d4728e245f05ec44ad6c59a90b29513309253be1dad503598da54
Instruction Fuzzy Hash: 59F03C35A40208EBDB119B95DC49BEEBFB5EF58756F0400A9FC09A6660CB309E84DAD0

Function 0018D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0018D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0018D3BF
FreeLibrary.KERNEL32(00000000), ref: 0018D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0018D3B9
X64, xrefs: 0018D2A8

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 0cb07e0200b3d39eb00dea83cde4a39a0fb31a15e96f163d796346936d028aca
Instruction ID: 32ad240ee1da44b5d9fa3f7b99893fb32422378bff5190dec437d5e3979fc11a
Opcode Fuzzy Hash: 0cb07e0200b3d39eb00dea83cde4a39a0fb31a15e96f163d796346936d028aca
Instruction Fuzzy Hash: 07F05571805721EBD7353711BC08DA9B711BF10B01B5A8158F80AF20D1CB20CF808FC2

Function 00134E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00134EDD,?,00201418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00134E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00134EAE
FreeLibrary.KERNEL32(00000000,?,?,00134EDD,?,00201418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00134EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00134EA8
kernel32.dll, xrefs: 00134E94

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: ef572c3d9f89a8137c9c73ca96dd992958d78b3856000cd77e3028a2e0ee2400
Instruction ID: 6da6e2b8ac8a9d3f8059799be8a64a4d1b1793b3bc77ad7d202737364e7954c4
Opcode Fuzzy Hash: ef572c3d9f89a8137c9c73ca96dd992958d78b3856000cd77e3028a2e0ee2400
Instruction Fuzzy Hash: 91E0CD35E015229BD23117266C19F6F6954AFC1F62F0D0125FD08D2110DB64DD4284F4

Function 00134E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00173CDE,?,00201418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00134E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00134E74
FreeLibrary.KERNEL32(00000000,?,?,00173CDE,?,00201418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00134E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00134E6E
kernel32.dll, xrefs: 00134E5B

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 2b23447a3f7619e61bd8095539c195eb767fa74977a9550410b6e1c01d67fdf5
Instruction ID: b74e493a3da5bc5c5a20f2e42bc173c39e48f5db59f5ffeefeda5b3e08b99b93
Opcode Fuzzy Hash: 2b23447a3f7619e61bd8095539c195eb767fa74977a9550410b6e1c01d67fdf5
Instruction Fuzzy Hash: 64D05B3690263197E6321B66BC1DEDF6E18AF85F517090535F909E2114CF64DD42C5D0

Function 001BA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 001BA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 001BA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 001BA468
CloseHandle.KERNEL32(?), ref: 001BA63D

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 6d2d2db11bf00091c03f17574e4c66744967d553fe210d8ad6c1a52a7ce45f69
Instruction ID: f6c9652394cb4102603e615982b1682befd2025234f25223c9b94ff573ee2545
Opcode Fuzzy Hash: 6d2d2db11bf00091c03f17574e4c66744967d553fe210d8ad6c1a52a7ce45f69
Instruction Fuzzy Hash: 57A1A371604300AFE720DF28D886F6AB7E5AF94714F54881DF69A9B2D2D770EC41CB92

Function 0016BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,001D3700), ref: 0016BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0020121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0016BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00201270,000000FF,?,0000003F,00000000,?), ref: 0016BC36
_free.LIBCMT ref: 0016BB7F

Part of subcall function 001629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0016D7D1,00000000,00000000,00000000,00000000,?,0016D7F8,00000000,00000007,00000000,?,0016DBF5,00000000), ref: 001629DE
Part of subcall function 001629C8: GetLastError.KERNEL32(00000000,?,0016D7D1,00000000,00000000,00000000,00000000,?,0016D7F8,00000000,00000007,00000000,?,0016DBF5,00000000,00000000), ref: 001629F0

_free.LIBCMT ref: 0016BD4B

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: cddea731753d4234425336ac0c172571e7b69283368b7e2a2085927a10577599
Instruction ID: 3e982c6faa02e152f6de2f217da3283d9c34429e132e6967d4b5df7ab9c78326
Opcode Fuzzy Hash: cddea731753d4234425336ac0c172571e7b69283368b7e2a2085927a10577599
Instruction Fuzzy Hash: CB51E471908219EFCB14EF699CC59BEB7B8FF50350B10426AE554D7292EB309EA18B90

Function 0019E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0019DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0019CF22,?), ref: 0019DDFD

Part of subcall function 0019DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0019CF22,?), ref: 0019DE16

Part of subcall function 0019E199: GetFileAttributesW.KERNEL32(?,0019CF95), ref: 0019E19A

lstrcmpiW.KERNEL32(?,?), ref: 0019E473
MoveFileW.KERNEL32(?,?), ref: 0019E4AC
_wcslen.LIBCMT ref: 0019E5EB
_wcslen.LIBCMT ref: 0019E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0019E650

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 998614e8a3a7b23036d9adeed5f7f8d759c1e8453f4b03f7b958600fb1f9adce
Instruction ID: 7a85c2b05355dda61d777fd2fbff3be8ce7325c4159711d54556543ce8a529d6
Opcode Fuzzy Hash: 998614e8a3a7b23036d9adeed5f7f8d759c1e8453f4b03f7b958600fb1f9adce
Instruction Fuzzy Hash: 895152B24083459BCB24DB94D8819DFB7ECAF94344F00492EF589D7191EF74A68CC766

Function 001BB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

Part of subcall function 001BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001BB6AE,?,?), ref: 001BC9B5
Part of subcall function 001BC998: _wcslen.LIBCMT ref: 001BC9F1
Part of subcall function 001BC998: _wcslen.LIBCMT ref: 001BCA68
Part of subcall function 001BC998: _wcslen.LIBCMT ref: 001BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001BBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001BBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 001BBB63
RegCloseKey.ADVAPI32(?,?), ref: 001BBBA6
RegCloseKey.ADVAPI32(00000000), ref: 001BBBB3

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 6c8f23be2182029f4c2a8239ef22fc9d3f0d4321d5f5c3927c8d0511f2fc7902
Instruction ID: 44f85948bf94aa44e78dfe12a3a9a641e21ad242bd3a5d51ff0f203f70bcab5f
Opcode Fuzzy Hash: 6c8f23be2182029f4c2a8239ef22fc9d3f0d4321d5f5c3927c8d0511f2fc7902
Instruction Fuzzy Hash: 49618D31208241AFD714DF24C8D0E6ABBE5FF84318F54899CF4998B6A2DB71ED45CB92

Function 00198BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00198BCD
VariantClear.OLEAUT32 ref: 00198C3E
VariantClear.OLEAUT32 ref: 00198C9D
VariantClear.OLEAUT32(?), ref: 00198D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00198D3B

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 684dfc4294c22415b660b9b8abc85c5be9f5fb90353d5eb7a90d656566df33f3
Instruction ID: 876939991c957688b1416d7bc6cb1689bb1a3c86e666d72e98db276fc6938f96
Opcode Fuzzy Hash: 684dfc4294c22415b660b9b8abc85c5be9f5fb90353d5eb7a90d656566df33f3
Instruction Fuzzy Hash: 745148B5A00619EFCB14CF68C894EAABBF9FF89314B158559E909DB350E730E911CF90

Function 001A8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 001A8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 001A8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 001A8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 001A8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 001A8C5F

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 24f2ec04e806a7e0d87229948e3bcdd95e9d7271f24a4c431c94de2d3e9dd2ab
Instruction ID: 8767be3d485b8eafbe770afdd654367a911efedc00afbc94d54426cb448be35b
Opcode Fuzzy Hash: 24f2ec04e806a7e0d87229948e3bcdd95e9d7271f24a4c431c94de2d3e9dd2ab
Instruction Fuzzy Hash: 2B514B75A00219AFCB15DF65C881EA9BBF5FF49314F088458E849AB3A2DB31ED51CF90

Function 001B8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 001B8F40
GetProcAddress.KERNEL32(00000000,?), ref: 001B8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 001B8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 001B9032
FreeLibrary.KERNEL32(00000000), ref: 001B9052

Part of subcall function 0014F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,001A1043,?,75C0E610), ref: 0014F6E6
Part of subcall function 0014F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0018FA64,00000000,00000000,?,?,001A1043,?,75C0E610,?,0018FA64), ref: 0014F70D

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: afe538e92780ddc154029916dd5977ccdb85784f3eb4fdca6763f4a9c4aff3fd
Instruction ID: cd7e3e837b75226aaf359a4c2cb6eede59814fde1efbc54b280b348d5b20a1f0
Opcode Fuzzy Hash: afe538e92780ddc154029916dd5977ccdb85784f3eb4fdca6763f4a9c4aff3fd
Instruction Fuzzy Hash: 9D513735604205DFCB15EF58C4949ADBBF5FF59324F0980A8E90A9B362DB31ED86CB90

Function 001C6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 001C6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 001C6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 001C6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,001AAB79,00000000,00000000), ref: 001C6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 001C6CC7

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 1522c26ada53c9d778697a5e0af632f396770b567fb514cc345281df919b3ddc
Instruction ID: 31bab87bc52d795e3a7d480ba6a016239477d7173a9e9fbc29ab3a84bc30c4ae
Opcode Fuzzy Hash: 1522c26ada53c9d778697a5e0af632f396770b567fb514cc345281df919b3ddc
Instruction Fuzzy Hash: A341E335A04114AFDB24CF68CD59FA97FA5EB1A360F15022CF899A73E1C371ED41DA84

Function 00162051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001620C3
_free.LIBCMT ref: 001620E3

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8c3373a4423a8a33572ed4e0ed5b0e431dacf0c5db5ece4d71aaa935b23fa092
Instruction ID: 4a2fdfa506ee715bb110b7863ae53dae2937ddff969442bb188ef86bd6142ce5
Opcode Fuzzy Hash: 8c3373a4423a8a33572ed4e0ed5b0e431dacf0c5db5ece4d71aaa935b23fa092
Instruction Fuzzy Hash: 1841F332A006049FCB24DF78CD80A6DB3F5EF99314F164568E915EB351DB31AD11CB80

Function 0014912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00149141
ScreenToClient.USER32(00000000,?), ref: 0014915E
GetAsyncKeyState.USER32(00000001), ref: 00149183
GetAsyncKeyState.USER32(00000002), ref: 0014919D

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 06db4360104567a6b9a9b3d6f10103f992724330195adf70da092f9af9c124eb
Instruction ID: d6bb80990398a0dc4e7acb336e5f07e8a7243632bd6038112403d96c709514c5
Opcode Fuzzy Hash: 06db4360104567a6b9a9b3d6f10103f992724330195adf70da092f9af9c124eb
Instruction Fuzzy Hash: C5414271A0851ABBDF19AF64C848BEEB774FB15730F244219E429A72E0C730AE50CF91

Function 001A3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001A38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 001A3922
TranslateMessage.USER32(?), ref: 001A394B
DispatchMessageW.USER32(?), ref: 001A3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001A3966

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 5101dd0e688beb487c9365add612674a0e4c6d6bd1708a6c65e419da697cfe2b
Instruction ID: 8087f25178e7a0765141a1788712c35aa0f263683f3e0b454940f875acaa5137
Opcode Fuzzy Hash: 5101dd0e688beb487c9365add612674a0e4c6d6bd1708a6c65e419da697cfe2b
Instruction Fuzzy Hash: 7A3182789043419FEB29CB74A84CBB73BA8EB17308F04456DF476825A1E7B49A89CB51

Function 001ACF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,001AC21E,00000000), ref: 001ACF38
InternetReadFile.WININET(?,00000000,?,?), ref: 001ACF6F
GetLastError.KERNEL32(?,00000000,?,?,?,001AC21E,00000000), ref: 001ACFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,001AC21E,00000000), ref: 001ACFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,001AC21E,00000000), ref: 001ACFF2

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: c33b0d5b4023f814d40980b4ac96874b2d62b43239ddac851974c120a442a958
Instruction ID: d2ac102751d4d7bd3618e15f67eeac72793ebe1ecc724167fb1efca99b8fb5e9
Opcode Fuzzy Hash: c33b0d5b4023f814d40980b4ac96874b2d62b43239ddac851974c120a442a958
Instruction Fuzzy Hash: 39318EB5900205EFDB24DFA5C884EABBBF9EB15310B10442EF51AD2610DB30EE41DBE0

Function 00191901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00191915
PostMessageW.USER32(00000001,00000201,00000001), ref: 001919C1
Sleep.KERNEL32(00000000,?,?,?), ref: 001919C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 001919DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 001919E2

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 9845b9e41a7aacbc3d95a5116266736d16f60be599944456f827dfc9a16a1d9a
Instruction ID: b077e2e89924c8e1884c744871676754d32a221e93e884656b595c6e2b87174b
Opcode Fuzzy Hash: 9845b9e41a7aacbc3d95a5116266736d16f60be599944456f827dfc9a16a1d9a
Instruction Fuzzy Hash: 2231AD72A0021AEFDF04CFA8C999ADE3BB5EB04319F104229F925A72D1C7709D84CB90

Function 001C5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 001C5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 001C579D
_wcslen.LIBCMT ref: 001C57AF
_wcslen.LIBCMT ref: 001C57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 001C5816

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: ef1ef59e09fb0229f742d29b30a0777a8ceb0483b3c4061fddbfc75b02226822
Instruction ID: 860d12b120343748dcae8da93e9f90e6291535a95c648755d193b2e527a73221
Opcode Fuzzy Hash: ef1ef59e09fb0229f742d29b30a0777a8ceb0483b3c4061fddbfc75b02226822
Instruction Fuzzy Hash: A3216471904658DADB209FA0CC45FEE7B79FF24724F10815AE9299A180E770D9C5CF50

Function 001B0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 001B0951
GetForegroundWindow.USER32 ref: 001B0968
GetDC.USER32(00000000), ref: 001B09A4
GetPixel.GDI32(00000000,?,00000003), ref: 001B09B0
ReleaseDC.USER32(00000000,00000003), ref: 001B09E8

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 07c93ff8efe058680cac0268ea62feaed8dd3786697ae0fb35035af233f1dc5e
Instruction ID: c29f72bd700d5207f8602bd105c7cdadd99afbb6396151dd559731b60d5f5106
Opcode Fuzzy Hash: 07c93ff8efe058680cac0268ea62feaed8dd3786697ae0fb35035af233f1dc5e
Instruction Fuzzy Hash: AB216F39600214AFD704EF65D984EAEBBE9EF59740F048068F84A97752DB30EC44CB90

Function 0016CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0016CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0016CDE9

Part of subcall function 00163820: RtlAllocateHeap.NTDLL(00000000,?,00201444,?,0014FDF5,?,?,0013A976,00000010,00201440,001313FC,?,001313C6,?,00131129), ref: 00163852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0016CE0F
_free.LIBCMT ref: 0016CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0016CE31

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: ea120b7809db1bde4c77326cc62637cd3fbd9164eb9ea7be5443ff110db342a3
Instruction ID: 8f6b0339d6435482bf9ca7082039e177bd23d87bc15b89f2dd5b405224b3e58e
Opcode Fuzzy Hash: ea120b7809db1bde4c77326cc62637cd3fbd9164eb9ea7be5443ff110db342a3
Instruction Fuzzy Hash: 0901D472A022157F232116BA6C88C7F7D7DEFC6BA13154129F949C7200EB66CD2181F0

Function 00149639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00149693
SelectObject.GDI32(?,00000000), ref: 001496A2
BeginPath.GDI32(?), ref: 001496B9
SelectObject.GDI32(?,00000000), ref: 001496E2

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 9e749aab29fbbbd2ecd751c09394ff6a1e710e1be7e5b0454d0d44ac0769dc90
Instruction ID: 2b34224b326b9ffc36a17ff1a669407df94f29d698b7ffa574e46eb8864d7e6a
Opcode Fuzzy Hash: 9e749aab29fbbbd2ecd751c09394ff6a1e710e1be7e5b0454d0d44ac0769dc90
Instruction Fuzzy Hash: A0219D70802349EFDB119F25FC0CBAA3BA9BF50325F110216F818A61B2D37098A2CF90

Function 00195711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00195726
_memcmp.LIBVCRUNTIME ref: 00195744
_memcmp.LIBVCRUNTIME ref: 00195757
_memcmp.LIBVCRUNTIME ref: 0019576F
_memcmp.LIBVCRUNTIME ref: 00195787

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 6fe48e866ac6d06d871ec9cd0dad9d9ba56b371bb16b4bd10e2f73dd191dea6e
Instruction ID: 99f8490f2e8dfdd4362dd8d91fb4199372a93ecf4ae61db509f110c444007970
Opcode Fuzzy Hash: 6fe48e866ac6d06d871ec9cd0dad9d9ba56b371bb16b4bd10e2f73dd191dea6e
Instruction Fuzzy Hash: 0B01D261241609FADB0E5650AD92FBA735FAB303A5B804028FD04AE242F730EE1583A1

Function 00162DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0015F2DE,00163863,00201444,?,0014FDF5,?,?,0013A976,00000010,00201440,001313FC,?,001313C6), ref: 00162DFD
_free.LIBCMT ref: 00162E32
_free.LIBCMT ref: 00162E59
SetLastError.KERNEL32(00000000,00131129), ref: 00162E66
SetLastError.KERNEL32(00000000,00131129), ref: 00162E6F

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 5003686138cb15b9c7094042cb495042b0a4f01e1ff47753702ebd19676c6c50
Instruction ID: f7a88b74ded0d1efa4d5875f85cfac6cec3179dc6257374e951f158a4ee67f54
Opcode Fuzzy Hash: 5003686138cb15b9c7094042cb495042b0a4f01e1ff47753702ebd19676c6c50
Instruction Fuzzy Hash: FB012836645E1067C72667347C45D3B2A5DEBE13B5B260038F425A32D3EF32CC719160

Function 0019000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0018FF41,80070057,?,?,?,0019035E), ref: 0019002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0018FF41,80070057,?,?), ref: 00190046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0018FF41,80070057,?,?), ref: 00190054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0018FF41,80070057,?), ref: 00190064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0018FF41,80070057,?,?), ref: 00190070

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: adc95b3a8a14090ddc766940f67628053c3a875f1fc2e1e92c6dddc8473fc189
Instruction ID: 3bbf14a0f209d9f27e2c888f892bd361b6eb6e469df06de63cb73baa9cebdbf0
Opcode Fuzzy Hash: adc95b3a8a14090ddc766940f67628053c3a875f1fc2e1e92c6dddc8473fc189
Instruction Fuzzy Hash: 71014F76600214BFDF128F69DC44FAA7EEDEB48791F184128F909D6210D775DD809BA0

Function 0019E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0019E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0019E9A5
Sleep.KERNEL32(00000000), ref: 0019E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0019E9B7
Sleep.KERNEL32 ref: 0019E9F3

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 856cdaf56c87e85fb9588f1d9fc8a30bea17ff8d7c4147b592c35d980aacee3e
Instruction ID: 08e1d9304dfa9dca42d5d14fbe96c55805861fa99bb118f1afbe8d28a760005e
Opcode Fuzzy Hash: 856cdaf56c87e85fb9588f1d9fc8a30bea17ff8d7c4147b592c35d980aacee3e
Instruction Fuzzy Hash: BC012531C01629DBCF00EFE5DC59AEDBBB8FF09705F050956E906B2641CB309A95CBA2

Function 001910F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00191114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00190B9B,?,?,?), ref: 00191120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00190B9B,?,?,?), ref: 0019112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00190B9B,?,?,?), ref: 00191136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0019114D

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 9f194ce8d96218edfc7ba41a4cc4afb13d4edd7f76a8620aa4e0bbad6ebcbeed
Instruction ID: d57a1cf02df8284569b14c031e8cbd81abf3d70e84c880a8c5138974e5fd71df
Opcode Fuzzy Hash: 9f194ce8d96218edfc7ba41a4cc4afb13d4edd7f76a8620aa4e0bbad6ebcbeed
Instruction Fuzzy Hash: C4011979200305BFDB114FA5DC4DE6A3F6EEF893A0B244429FA49D7360DB31DC819AA0

Function 00190FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00190FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00190FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00190FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00190FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00191002

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b3fdbb8cc329e7de414a641bf45f355013c68f74ff83767f4a97e374411d96bf
Instruction ID: 8d0eee58f9bbaa30d8ac35cb28edf67d327139925d866e1e6cd0e1269f5db8fe
Opcode Fuzzy Hash: b3fdbb8cc329e7de414a641bf45f355013c68f74ff83767f4a97e374411d96bf
Instruction Fuzzy Hash: B9F04939200302FBDB214FA5AC49F563FADFF89762F244414FA49C6651CA71DC90CAA0

Function 00191014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0019102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00191036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00191045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0019104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00191062

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 93340f4f0a52c0870bcf1ea85bf1fe171c885c64637b35dfb0a9a36c32ca6473
Instruction ID: e4ad9ff24886e67e0743207653a9241621e9889deaaec8c3009fdfbdb0d29c4c
Opcode Fuzzy Hash: 93340f4f0a52c0870bcf1ea85bf1fe171c885c64637b35dfb0a9a36c32ca6473
Instruction Fuzzy Hash: 1FF04939200302FBDB215FA5EC49F563FADFF897A1F240814FA49C6650CA71DC908AA0

Function 001A030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,001A017D,?,001A32FC,?,00000001,00172592,?), ref: 001A0324
CloseHandle.KERNEL32(?,?,?,?,001A017D,?,001A32FC,?,00000001,00172592,?), ref: 001A0331
CloseHandle.KERNEL32(?,?,?,?,001A017D,?,001A32FC,?,00000001,00172592,?), ref: 001A033E
CloseHandle.KERNEL32(?,?,?,?,001A017D,?,001A32FC,?,00000001,00172592,?), ref: 001A034B
CloseHandle.KERNEL32(?,?,?,?,001A017D,?,001A32FC,?,00000001,00172592,?), ref: 001A0358
CloseHandle.KERNEL32(?,?,?,?,001A017D,?,001A32FC,?,00000001,00172592,?), ref: 001A0365

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 482657dcaae3de1793c58d1bcdeeb044b9cb4872d0f9b3fdd269562fac3acde2
Instruction ID: 143b506e7a07d579768927e847f0e1766372cec2d475f792725cac03764766c4
Opcode Fuzzy Hash: 482657dcaae3de1793c58d1bcdeeb044b9cb4872d0f9b3fdd269562fac3acde2
Instruction Fuzzy Hash: B701AA7A800B159FCB32AF66D880812FBF9BF653153158A3FD19652931C3B1A998DF80

Function 0016D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0016D752

Part of subcall function 001629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0016D7D1,00000000,00000000,00000000,00000000,?,0016D7F8,00000000,00000007,00000000,?,0016DBF5,00000000), ref: 001629DE
Part of subcall function 001629C8: GetLastError.KERNEL32(00000000,?,0016D7D1,00000000,00000000,00000000,00000000,?,0016D7F8,00000000,00000007,00000000,?,0016DBF5,00000000,00000000), ref: 001629F0

_free.LIBCMT ref: 0016D764
_free.LIBCMT ref: 0016D776
_free.LIBCMT ref: 0016D788
_free.LIBCMT ref: 0016D79A

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4f8b99f2bc52e792251f6b6bcb80e8863a44abac0ac964d78779543451084752
Instruction ID: 72e6d69c81c0c827f371c465a2ef623e88f535655af34b9a5cc991c89aa1da3a
Opcode Fuzzy Hash: 4f8b99f2bc52e792251f6b6bcb80e8863a44abac0ac964d78779543451084752
Instruction Fuzzy Hash: 9DF09632B00618AB8625EB64FEC2C2677DDBB44358B950C05F048D7901CB30FCD0C6A1

Function 00195C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00195C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00195C6F
MessageBeep.USER32(00000000), ref: 00195C87
KillTimer.USER32(?,0000040A), ref: 00195CA3
EndDialog.USER32(?,00000001), ref: 00195CBD

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 124ca0b04d2def57b3e4b530de28abbddf322ccd785d7fa2149ee22da0873c3c
Instruction ID: 6459b1681bede6c1347ff049d6a99763a7f76b8bbbd49fdb22775cd9e89e3f94
Opcode Fuzzy Hash: 124ca0b04d2def57b3e4b530de28abbddf322ccd785d7fa2149ee22da0873c3c
Instruction Fuzzy Hash: F6018130500B14ABEF255B50DE4EFA67BBDBB00B05F000559E687B19E1DBF0AD848B91

Function 001622A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001622BE

Part of subcall function 001629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0016D7D1,00000000,00000000,00000000,00000000,?,0016D7F8,00000000,00000007,00000000,?,0016DBF5,00000000), ref: 001629DE
Part of subcall function 001629C8: GetLastError.KERNEL32(00000000,?,0016D7D1,00000000,00000000,00000000,00000000,?,0016D7F8,00000000,00000007,00000000,?,0016DBF5,00000000,00000000), ref: 001629F0

_free.LIBCMT ref: 001622D0
_free.LIBCMT ref: 001622E3
_free.LIBCMT ref: 001622F4
_free.LIBCMT ref: 00162305

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 05c606f5ce7ab62ee2f5a14bf5e32b8bcffde26752dbe1713dc701cbc62bda74
Instruction ID: 75c361c6379bfbfeb73c297e3db4da4afbcd35e190f6814c915f1d526edd8b64
Opcode Fuzzy Hash: 05c606f5ce7ab62ee2f5a14bf5e32b8bcffde26752dbe1713dc701cbc62bda74
Instruction Fuzzy Hash: 43F03470A00B358BCB16AFA4BD499183BA4B7287A1B00060AF814D36B3CB300871BFE5

Function 001495C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001495D4
StrokeAndFillPath.GDI32(?,?,001871F7,00000000,?,?,?), ref: 001495F0
SelectObject.GDI32(?,00000000), ref: 00149603
DeleteObject.GDI32 ref: 00149616
StrokePath.GDI32(?), ref: 00149631

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 85ddb214fad6338ea54cb9183c0701cbd3f6a67d65073319e9911996c28ac4f3
Instruction ID: ae303f29641754d5f46a71d1802536db77e05679ad3be6e3466ded5d2cdf848a
Opcode Fuzzy Hash: 85ddb214fad6338ea54cb9183c0701cbd3f6a67d65073319e9911996c28ac4f3
Instruction Fuzzy Hash: E2F0E735006348EBDB269F69FD1CB693F65BB05322F148214F469594F2C73089B5DF61

Function 00160F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 001610F9
__freea.LIBCMT ref: 00161117

Part of subcall function 00161537: _free.LIBCMT ref: 0016154F

Strings

a/p, xrefs: 001611DE
am/pm, xrefs: 0016117A

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: f01ccdb82a76490489afa00275ae746f59490ed66b3fa1cf9107294d89ebf03b
Instruction ID: f4a7864342e9c56236198be6b5d09cd48d3064384b7cd4905cf1ae6760a270cb
Opcode Fuzzy Hash: f01ccdb82a76490489afa00275ae746f59490ed66b3fa1cf9107294d89ebf03b
Instruction Fuzzy Hash: 66D10131900206EADB289F68CC95BFEB7B1FF16320F2D4159E906AB750D3759DA0CB91

Function 001B61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00150242: EnterCriticalSection.KERNEL32(0020070C,00201884,?,?,0014198B,00202518,?,?,?,001312F9,00000000), ref: 0015024D
Part of subcall function 00150242: LeaveCriticalSection.KERNEL32(0020070C,?,0014198B,00202518,?,?,?,001312F9,00000000), ref: 0015028A

Part of subcall function 001500A3: __onexit.LIBCMT ref: 001500A9

__Init_thread_footer.LIBCMT ref: 001B6238

Part of subcall function 001501F8: EnterCriticalSection.KERNEL32(0020070C,?,?,00148747,00202514), ref: 00150202
Part of subcall function 001501F8: LeaveCriticalSection.KERNEL32(0020070C,?,00148747,00202514), ref: 00150235

Part of subcall function 001A359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001A35E4
Part of subcall function 001A359C: LoadStringW.USER32(00202390,?,00000FFF,?), ref: 001A360A

Strings

x# , xrefs: 001B6353
x# , xrefs: 001B633A
x# , xrefs: 001B636F

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x# $x# $x#
API String ID: 1072379062-466273406
Opcode ID: 9449bbaeda66e2505f322ddcae6aabe9d5389a39ca11c9da1d7386b34adf0a25
Instruction ID: fa3917ed0adb1f8e07bc6a61cf4665c6971b643237780d4d5787bfefba057bab
Opcode Fuzzy Hash: 9449bbaeda66e2505f322ddcae6aabe9d5389a39ca11c9da1d7386b34adf0a25
Instruction Fuzzy Hash: 53C18A71A00205ABDB24DF98C894EFEB7B9FF68340F108069F915AB291DB74ED44CB90

Function 001B7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00150242: EnterCriticalSection.KERNEL32(0020070C,00201884,?,?,0014198B,00202518,?,?,?,001312F9,00000000), ref: 0015024D
Part of subcall function 00150242: LeaveCriticalSection.KERNEL32(0020070C,?,0014198B,00202518,?,?,?,001312F9,00000000), ref: 0015028A

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

Part of subcall function 001500A3: __onexit.LIBCMT ref: 001500A9

__Init_thread_footer.LIBCMT ref: 001B7BFB

Part of subcall function 001501F8: EnterCriticalSection.KERNEL32(0020070C,?,?,00148747,00202514), ref: 00150202
Part of subcall function 001501F8: LeaveCriticalSection.KERNEL32(0020070C,?,00148747,00202514), ref: 00150235

Strings

G, xrefs: 001B7C7F
5, xrefs: 001B7C78
Variable must be of type 'Object'., xrefs: 001B7C3A

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 285da9c2808fb26cbbe0564311b4c1db9bdb8573555603aa4dc16fbc097e72b2
Instruction ID: 3fe9baa1245501760c36abd5b38c94b38cda8e5df82024b96edd21b4ca15f92f
Opcode Fuzzy Hash: 285da9c2808fb26cbbe0564311b4c1db9bdb8573555603aa4dc16fbc097e72b2
Instruction Fuzzy Hash: A8918970A04209EFCB14EF94D891DEDBBB2FF99340F508059F806AB292DB71AE45CB51

Function 00192716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0019B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001921D0,?,?,00000034,00000800,?,00000034), ref: 0019B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00192760

Part of subcall function 0019B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001921FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0019B3F8

Part of subcall function 0019B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0019B355
Part of subcall function 0019B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00192194,00000034,?,?,00001004,00000000,00000000), ref: 0019B365
Part of subcall function 0019B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00192194,00000034,?,?,00001004,00000000,00000000), ref: 0019B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001927CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0019281A

Strings

@, xrefs: 00192832

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 9248bfa41328e68f8fb5d86bfe2e92cfa2f52f001d4d0826e76c47c9f57b4c02
Instruction ID: 7e86498db4d94fe8349762261febaff439ef6f0d91f53340f3ba68ed9a30ad45
Opcode Fuzzy Hash: 9248bfa41328e68f8fb5d86bfe2e92cfa2f52f001d4d0826e76c47c9f57b4c02
Instruction Fuzzy Hash: A3411B72900218BFDF10DBA4DD85EEEBBB8AF19700F104095FA55B7181DB706E85CBA1

Function 0016172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\3WgNXsWvMO.exe,00000104), ref: 00161769
_free.LIBCMT ref: 00161834
_free.LIBCMT ref: 0016183E

Strings

C:\Users\user\Desktop\3WgNXsWvMO.exe, xrefs: 00161760, 00161767, 00161796, 001617CE

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\3WgNXsWvMO.exe
API String ID: 2506810119-4260163063
Opcode ID: 3e48adc34e9d251fdaa105d94930cfc8cf596eb6e2bab3acdd18d02534fa8a23
Instruction ID: dc937318606db34278505e2ed995c6f7c5eb4f3b2950410b89c80df81ef968ba
Opcode Fuzzy Hash: 3e48adc34e9d251fdaa105d94930cfc8cf596eb6e2bab3acdd18d02534fa8a23
Instruction Fuzzy Hash: 54316C71A40218FFDB21DB999C85D9EBBFCEB95310B1841AAF804D7212D7708E61CB90

Function 0019C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0019C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0019C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00201990,00D23BA0), ref: 0019C395

Strings

0, xrefs: 0019C2DF

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 9064b5b59bf515a9f668d0b106884503839db621ed3a4cf11cdfe3d00c9a949b
Instruction ID: 487efd82647dbf5ea5b19b22dcd02ad709b08a6a19b9d09214cc5b965cd0f70a
Opcode Fuzzy Hash: 9064b5b59bf515a9f668d0b106884503839db621ed3a4cf11cdfe3d00c9a949b
Instruction Fuzzy Hash: 8341C2716043019FDB24DF29D884F5ABBE4BF99320F008A1DF8A5972D1D770EA04CB92

Function 001C4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,001CCC08,00000000,?,?,?,?), ref: 001C44AA
GetWindowLongW.USER32 ref: 001C44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001C44D7

Strings

SysTreeView32, xrefs: 001C447C

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 5932c1e93a0175a9cea59dd9df6fdd1ffabc45a67a3c7dccbddb2c7bd6fca735
Instruction ID: 6fe203eeae2f835c4351187943935727f0fcbfa0ff922488fee0e43a68e9d311
Opcode Fuzzy Hash: 5932c1e93a0175a9cea59dd9df6fdd1ffabc45a67a3c7dccbddb2c7bd6fca735
Instruction Fuzzy Hash: 13318B31214605AFDB248E38DC55FEA7BA9EB28334F204719F979922E0D770EC519B90

Function 001B304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001B335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,001B3077,?,?), ref: 001B3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001B307A
_wcslen.LIBCMT ref: 001B309B
htons.WSOCK32(00000000,?,?,00000000), ref: 001B3106

Strings

255.255.255.255, xrefs: 001B3095, 001B309A

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: b193b4fdb4eb2c026d86beee7c3e42126322b2dd021fcc7627b788742c6efd16
Instruction ID: 261674c46be6ea3ea8e5a0da74652b5ea979f323adf9372a841d619eb894db80
Opcode Fuzzy Hash: b193b4fdb4eb2c026d86beee7c3e42126322b2dd021fcc7627b788742c6efd16
Instruction Fuzzy Hash: ED31F3396002059FCB10DF28C885EEA7BE4EF54318F258059E8258B392DB72EE45CB60

Function 001C4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 001C4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 001C4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 001C471A

Strings

msctls_updown32, xrefs: 001C4684

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 07020538fce50e86ead01d936ead76eba2fc2a2bb304fbabdcb49d70d9cafb8d
Instruction ID: 3f1a6b26260c598f0d11234a2597cc7a675f2038ba060e46d1b81ed133885163
Opcode Fuzzy Hash: 07020538fce50e86ead01d936ead76eba2fc2a2bb304fbabdcb49d70d9cafb8d
Instruction Fuzzy Hash: C6213DB5604209AFDB11DF64DCD5EB737ADEF6A3A4B040059FA049B391CB71EC61CAA0

Function 001995AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0019961D

Strings

#requireadmin, xrefs: 001995D9
#OnAutoItStartRegister, xrefs: 001995F3
#notrayicon, xrefs: 001995B7

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 13aec962b0c2d5cdd5b79b40a3213d4baf0b0fff3e291b66b0f0edacd3090da6
Instruction ID: 488b40a03dc16cb6e7be0d34f793d87f9c0ea04a7aacd7bbdced3e15eea6d3bc
Opcode Fuzzy Hash: 13aec962b0c2d5cdd5b79b40a3213d4baf0b0fff3e291b66b0f0edacd3090da6
Instruction Fuzzy Hash: C3212B72104511A6EB31AB2C9C03FB773E8DF75310F15442EF959AB181EB51ED46C2D5

Function 001C37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 001C3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 001C3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 001C3876

Strings

Listbox, xrefs: 001C380F

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: a3d9d501795ac2203cd28997c89ad764310e74ad8949d4779825fdcd1c010be7
Instruction ID: 8b09563100891ef2ba196664cca61f73e83b07e333e9696ec7b3a258c74cef63
Opcode Fuzzy Hash: a3d9d501795ac2203cd28997c89ad764310e74ad8949d4779825fdcd1c010be7
Instruction Fuzzy Hash: F8218E72610218BBEB219F54DC85FBB3B6EEFA9750F118128F9149B190C771DC528BA0

Function 001A49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001A4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 001A4A5C
SetErrorMode.KERNEL32(00000000,?,?,001CCC08), ref: 001A4AD0

Strings

%lu, xrefs: 001A4A6F

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: c2a67374a39a917844f84724ae38284e743a5e4d432906ad1dcd022e1d390ded
Instruction ID: c725e78d06f1cdaf1ab6b682b14c079b763d6d9512597d537329275824da7c11
Opcode Fuzzy Hash: c2a67374a39a917844f84724ae38284e743a5e4d432906ad1dcd022e1d390ded
Instruction Fuzzy Hash: 44316275A00109AFDB10DF54C885EAA7BF8EF49308F1480A9F909DB352D771ED45CBA1

Function 001C41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 001C424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 001C4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 001C4271

Strings

msctls_trackbar32, xrefs: 001C4226

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 12be896f9c66860375a0e0b7b60d54dbfce2822695c71f0a8484ca4c5ea1046f
Instruction ID: 45e391f7b804972928be8c85f63f534260f3d0a3fe2e02fdf20d56627ee35cd2
Opcode Fuzzy Hash: 12be896f9c66860375a0e0b7b60d54dbfce2822695c71f0a8484ca4c5ea1046f
Instruction Fuzzy Hash: 0E11E331244248BFEF205E28DC46FAB3BACEFA5B54F010118FA55E2090D371DC619B10

Function 00192F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00136B57: _wcslen.LIBCMT ref: 00136B6A

Part of subcall function 00192DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00192DC5
Part of subcall function 00192DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00192DD6
Part of subcall function 00192DA7: GetCurrentThreadId.KERNEL32 ref: 00192DDD
Part of subcall function 00192DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00192DE4

GetFocus.USER32 ref: 00192F78

Part of subcall function 00192DEE: GetParent.USER32(00000000), ref: 00192DF9

GetClassNameW.USER32(?,?,00000100), ref: 00192FC3
EnumChildWindows.USER32(?,0019303B), ref: 00192FEB

Strings

%s%d, xrefs: 00192FFF

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 52e9186afcdfb5ffc3f7e11abf642abd7bcb9e057d0a6b5cec6dbaa89a539277
Instruction ID: 1b16a1d2670219448c0d9e666008c4fd12dd891c24d9c7ef5098c42953611d75
Opcode Fuzzy Hash: 52e9186afcdfb5ffc3f7e11abf642abd7bcb9e057d0a6b5cec6dbaa89a539277
Instruction Fuzzy Hash: 50118475700205ABCF147FB49C89EEE77AAAFA4304F048075FA199B252DF7099458B60

Function 001C5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001C58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001C58EE
DrawMenuBar.USER32(?), ref: 001C58FD

Strings

0, xrefs: 001C588F

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: d5e18388356292cb61ef33fdef251773dd895de0a15bc83b5996643b153e728c
Instruction ID: 1a672b2462ce88a7f4bc84d1e9bc2a9bfed5d4e6853c5e26df9a975859565f0b
Opcode Fuzzy Hash: d5e18388356292cb61ef33fdef251773dd895de0a15bc83b5996643b153e728c
Instruction Fuzzy Hash: 0D015B31600218EEDB219F11DC44FAEBBB9FB55365F10809DE849D6261DB30DAC5DF61

Function 0019007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a25c3bc97ff26d5338200bbfc7daca9b53e789461fa62906861474014d0cd3cd
Instruction ID: a51db7962a44c2621fcd04e1a8903b49fd4dfd4ca45b070536ccdece81b36f5d
Opcode Fuzzy Hash: a25c3bc97ff26d5338200bbfc7daca9b53e789461fa62906861474014d0cd3cd
Instruction Fuzzy Hash: 95C16C75A0021AEFCB15CFA4C894EAEB7B5FF48704F218598E905EB251D731EE81DB90

Function 001B342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001B3459
CoUninitialize.OLE32 ref: 001B3463
VariantInit.OLEAUT32(?), ref: 001B346E
VariantClear.OLEAUT32(?), ref: 001B371B

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 70b1891d65f90adade644c39f42881e83f576ce0be9b680d6051b06365ba37d6
Instruction ID: 183503f2d9114821c2c3416cf4a2e1e8f0c0236802a282d00e599d2aa0236e88
Opcode Fuzzy Hash: 70b1891d65f90adade644c39f42881e83f576ce0be9b680d6051b06365ba37d6
Instruction Fuzzy Hash: 5EA159756043009FCB14DF29C485A6AB7E5FF98724F05885DF99A9B3A2DB30EE01CB91

Function 00190436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,001CFC08,?), ref: 001905F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,001CFC08,?), ref: 00190608
CLSIDFromProgID.OLE32(?,?,00000000,001CCC40,000000FF,?,00000000,00000800,00000000,?,001CFC08,?), ref: 0019062D
_memcmp.LIBVCRUNTIME ref: 0019064E

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 21c23ecb618caf8d3c382a8e24c0a5dd42e50bb0437d193300cf92ca32835997
Instruction ID: 506cfe79fb2edc668800c55b5f17049b473dfd57b12d613bc74d3eb7e62fe16f
Opcode Fuzzy Hash: 21c23ecb618caf8d3c382a8e24c0a5dd42e50bb0437d193300cf92ca32835997
Instruction Fuzzy Hash: 63810871A00109EFCF05DF94C984EEEB7BAFF89315F204558E516AB250DB71AE46CB60

Function 00171391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001714C0

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 87128a305104df41092ce45ae6926b25d660914b145f04c20646242370e73d8e
Instruction ID: e2e89b52283fcaa2383d5abc10011b56ed8466b496f344a003b71fb8c7640d3a
Opcode Fuzzy Hash: 87128a305104df41092ce45ae6926b25d660914b145f04c20646242370e73d8e
Instruction Fuzzy Hash: EF414C71A00500BBDB256BFD9C46ABE3AB5FF61770F14C629FC2ED7291E73488425261

Function 001C6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00D2D670,?), ref: 001C62E2
ScreenToClient.USER32(?,?), ref: 001C6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 001C6382

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 0bf1fe91b26a688177bc7f47849417f2f6c73cadbc420f7f84a6b842705d1bc2
Instruction ID: 96107c501075362ec9d650e57aaca6c8031ede94f973f4e05925ad6e0d08b4fd
Opcode Fuzzy Hash: 0bf1fe91b26a688177bc7f47849417f2f6c73cadbc420f7f84a6b842705d1bc2
Instruction Fuzzy Hash: 4B512A74A00249AFCB14DF68D984EAE7BB5FF65360F10816DF8599B291D730ED81CB90

Function 001B1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 001B1AFD
WSAGetLastError.WSOCK32 ref: 001B1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 001B1B8A
WSAGetLastError.WSOCK32 ref: 001B1B94

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 48395b34f12a0ac25b702a7a50b1da9489b6fd2fe85b2603c1755544a2173317
Instruction ID: 7a72103fcdfa433dcfc4c8ae27c9e0a5b21d6e9f515b4982c8474b3e4dab9428
Opcode Fuzzy Hash: 48395b34f12a0ac25b702a7a50b1da9489b6fd2fe85b2603c1755544a2173317
Instruction Fuzzy Hash: 2441D075600200AFE720AF24C896F6A7BE5AB58718F54C44CFA1A9F7D2D772ED41CB90

Function 0016B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6638d53db1c35816ec89ab16098624d1dbf03059d40f4a67a636731c2c39af2
Instruction ID: 2ec1f30c18869f37a95495731aeb17743edd419c51b1b652e962fc13d25b25aa
Opcode Fuzzy Hash: a6638d53db1c35816ec89ab16098624d1dbf03059d40f4a67a636731c2c39af2
Instruction Fuzzy Hash: A9414972A04314BFD724AF3CCC81BAABBF9EB94710F10852EF556DB281DB7199518780

Function 001A56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 001A5783
GetLastError.KERNEL32(?,00000000), ref: 001A57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001A57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001A57FA

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 2e3f36220cc2a48be7d35123d7008876f508b2267bbf4191d4ddfb01f8c091a1
Instruction ID: 981a588154c433190aad92c22e0091b4cd82b4cb4739ba9d05d858931c16ce9e
Opcode Fuzzy Hash: 2e3f36220cc2a48be7d35123d7008876f508b2267bbf4191d4ddfb01f8c091a1
Instruction Fuzzy Hash: 9E413D3A604610DFCB25DF55D444A1EBBE2EF99320F198488E84AAB362CB34FD40CB91

Function 0016D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00156D71,00000000,00000000,001582D9,?,001582D9,?,00000001,00156D71,8BE85006,00000001,001582D9,001582D9), ref: 0016D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0016D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0016D9AB
__freea.LIBCMT ref: 0016D9B4

Part of subcall function 00163820: RtlAllocateHeap.NTDLL(00000000,?,00201444,?,0014FDF5,?,?,0013A976,00000010,00201440,001313FC,?,001313C6,?,00131129), ref: 00163852

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 8dda9fd05381fd3b36f5fce9a4abeed250a6b4ba847906aa1362dc985e8b2d97
Instruction ID: 24a408c4e75eedbc2a6b9fd6d55d0a4b31445b4659a7c5e28893e98881b617c2
Opcode Fuzzy Hash: 8dda9fd05381fd3b36f5fce9a4abeed250a6b4ba847906aa1362dc985e8b2d97
Instruction Fuzzy Hash: 8131BE72A0020AABDF259F65EC45EAF7BA5EB41314F054168FC18DB250EB35CDA4CBE0

Function 001C52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 001C5352
GetWindowLongW.USER32(?,000000F0), ref: 001C5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001C5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001C53A8

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: e3dc28d1dc036ef82ab067e0ebd3d859302e38afd6abe8a8c606c566f5557c37
Instruction ID: 7a07e4c27b0e7207257a34f2e0fcf473b03306405ba66ef3507b4159a6bcf88c
Opcode Fuzzy Hash: e3dc28d1dc036ef82ab067e0ebd3d859302e38afd6abe8a8c606c566f5557c37
Instruction Fuzzy Hash: 9331A334A55A88AFEB249A54CC05FE87767BB24390F546109FA11962E2C7B0FDC0DB42

Function 0019AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 0019ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0019AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0019AC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 0019ACC6

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5e02638c90658dbe3c4435fa72ba4d066dc2a709b6a27a2a561180b1f34763eb
Instruction ID: 1c774c8346ea54866ed21b5b1145c2d1251fc8a2311807a9637cedb0524cb264
Opcode Fuzzy Hash: 5e02638c90658dbe3c4435fa72ba4d066dc2a709b6a27a2a561180b1f34763eb
Instruction Fuzzy Hash: C3310430A04618AFEF35CB658C04BFA7BB5AF89311F84461AE4859A2D1C375998987D2

Function 001C7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 001C769A
GetWindowRect.USER32(?,?), ref: 001C7710
PtInRect.USER32(?,?,001C8B89), ref: 001C7720
MessageBeep.USER32(00000000), ref: 001C778C

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: ac37e3e83945972f90537345d519b01f83fcf1103fcbfee201a00efa09f96d65
Instruction ID: 28ea41085c7bf9b2f713740ba75e905ae838d8cd48628349651046c7802f3b06
Opcode Fuzzy Hash: ac37e3e83945972f90537345d519b01f83fcf1103fcbfee201a00efa09f96d65
Instruction Fuzzy Hash: 8B415C346053589FCB11CF68D898FA97BF5BB69314F1541ADE4149B2A1C7B0E941CF90

Function 001C16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 001C16EB

Part of subcall function 00193A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00193A57
Part of subcall function 00193A3D: GetCurrentThreadId.KERNEL32 ref: 00193A5E
Part of subcall function 00193A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001925B3), ref: 00193A65

GetCaretPos.USER32(?), ref: 001C16FF
ClientToScreen.USER32(00000000,?), ref: 001C174C
GetForegroundWindow.USER32 ref: 001C1752

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 00ffe8ecd5cca7428e25c1c11207cc7334d494e3e5bb6dda963bee4230f08761
Instruction ID: 8c1750303175a53a22b4fcd034092abe4d3aa01063329b1519d11a55d4c23dfb
Opcode Fuzzy Hash: 00ffe8ecd5cca7428e25c1c11207cc7334d494e3e5bb6dda963bee4230f08761
Instruction Fuzzy Hash: 61312C75900249AFDB04EFA9C881DAEBBF9EF59304B5080A9E415E7212D731DE45CBA0

Function 0019D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0019D501
Process32FirstW.KERNEL32(00000000,?), ref: 0019D50F
Process32NextW.KERNEL32(00000000,?), ref: 0019D52F
CloseHandle.KERNEL32(00000000), ref: 0019D5DC

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: e1534eef489defd6d02dd60399dcbaf44fff1fcc3d802711deb26e648bd3f4ca
Instruction ID: 6da803aafda34ba8f4bb67b781b0ba542c5cfcf013701669ffc8437d2d3f1730
Opcode Fuzzy Hash: e1534eef489defd6d02dd60399dcbaf44fff1fcc3d802711deb26e648bd3f4ca
Instruction Fuzzy Hash: CC31BF311083009FD300EF64D881AAFBBF8EFA9354F14092DF585861A1EB71D989CB92

Function 001C8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00149BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00149BB2

GetCursorPos.USER32(?), ref: 001C9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00187711,?,?,?,?,?), ref: 001C9016
GetCursorPos.USER32(?), ref: 001C905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00187711,?,?,?), ref: 001C9094

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 7bd7bb784af3ed390d4afde50e0e89ef669f61a202cbfac6bcd5009962a0d2ed
Instruction ID: 902ec7c340b32a9459a56d5f2eb9e79ec6a70a53a6e3706f2f571709839ed26a
Opcode Fuzzy Hash: 7bd7bb784af3ed390d4afde50e0e89ef669f61a202cbfac6bcd5009962a0d2ed
Instruction Fuzzy Hash: E6217C35600118EFDB258F94D858FEA7BB9EB89350F144169F9058B2A1C731DDA0DBA0

Function 0019D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,001CCB68), ref: 0019D2FB
GetLastError.KERNEL32 ref: 0019D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0019D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,001CCB68), ref: 0019D376

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 604b7358788ff8f0ae163a078b3ea190b89679c36c045c58196320d8860f1112
Instruction ID: b86842f74c8cb49495cc67091ef6387092cda322bbfadc727a764737588bd42a
Opcode Fuzzy Hash: 604b7358788ff8f0ae163a078b3ea190b89679c36c045c58196320d8860f1112
Instruction Fuzzy Hash: F3219FB05082019FCB00DF68E88186ABBE4BF66365F104A1DF499C72A1D730DE46CB93

Function 00191571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00191014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0019102A
Part of subcall function 00191014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00191036
Part of subcall function 00191014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00191045
Part of subcall function 00191014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0019104C
Part of subcall function 00191014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00191062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001915BE
_memcmp.LIBVCRUNTIME ref: 001915E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00191617
HeapFree.KERNEL32(00000000), ref: 0019161E

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 2320cabf90ef92e2d0564771da8e7b4a1dcd41d5fa417e8f2e8e01e2adb2e6b7
Instruction ID: 93f95c73207b0adea6e61aeac5c1cc9900bd7ea82bd44cc882a3e37aca572062
Opcode Fuzzy Hash: 2320cabf90ef92e2d0564771da8e7b4a1dcd41d5fa417e8f2e8e01e2adb2e6b7
Instruction Fuzzy Hash: 21215532E4010AFBDF00DFA4C945BEEB7B8FF45354F098459E445AB241E770AA85CBA0

Function 001C2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 001C280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001C2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001C2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 001C2840

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: c720d3682bfb80a988898b4fc64e364bc97edbce270dc23799aa69d2d26fcc76
Instruction ID: 1dcb7f39c1995d2966dc1b60e8a835ed41b056caf1a346ad9baccd95ada0eead
Opcode Fuzzy Hash: c720d3682bfb80a988898b4fc64e364bc97edbce270dc23799aa69d2d26fcc76
Instruction Fuzzy Hash: E221A135208611AFD7149B24C895FAA7B95AF65324F14815CF42A8BAE2CB71FC82CBD0

Function 001978F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00198D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0019790A,?,000000FF,?,00198754,00000000,?,0000001C,?,?), ref: 00198D8C
Part of subcall function 00198D7D: lstrcpyW.KERNEL32(00000000,?,?,0019790A,?,000000FF,?,00198754,00000000,?,0000001C,?,?,00000000), ref: 00198DB2
Part of subcall function 00198D7D: lstrcmpiW.KERNEL32(00000000,?,0019790A,?,000000FF,?,00198754,00000000,?,0000001C,?,?), ref: 00198DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00198754,00000000,?,0000001C,?,?,00000000), ref: 00197923
lstrcpyW.KERNEL32(00000000,?,?,00198754,00000000,?,0000001C,?,?,00000000), ref: 00197949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00198754,00000000,?,0000001C,?,?,00000000), ref: 00197984

Strings

cdecl, xrefs: 0019797B

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: df90a0ff0a7a9dfa2ee2e715d79bcbddf67119618de88e1dc9dd27531a731ad8
Instruction ID: 65a110971452f55a4a7c56c1d1fb853a66fc93a2c1304d43494e6c6996bd95e2
Opcode Fuzzy Hash: df90a0ff0a7a9dfa2ee2e715d79bcbddf67119618de88e1dc9dd27531a731ad8
Instruction Fuzzy Hash: 1711037A200242AFCF15AF35D844E7A77A9FF95364B10402AF906CB2A4EB31D801C7A1

Function 001C5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 001C56BB
_wcslen.LIBCMT ref: 001C56CD
_wcslen.LIBCMT ref: 001C56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 001C5816

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 6b035d2ad6dbacff6a7b25844b57c65be64ca292c1514e8341b106179ec06ef3
Instruction ID: 14e13cd071e04edc7183f4a0fd5820874156e8a4a95a893e17eff270fa40e5db
Opcode Fuzzy Hash: 6b035d2ad6dbacff6a7b25844b57c65be64ca292c1514e8341b106179ec06ef3
Instruction Fuzzy Hash: 9711B175A0061896DB209FA5CC85FEE7BBCAF31768B10406EF915D6081E770EAC4CB60

Function 00191A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00191A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00191A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00191A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00191A8A

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9342070341c078419b904978260440b0318f837852abbc39c4b827bfb2c319f4
Instruction ID: 78f927b01d0b1ee81bf44fe5f7b0dde362ebd23138ee2558cd9a727fa37e8baf
Opcode Fuzzy Hash: 9342070341c078419b904978260440b0318f837852abbc39c4b827bfb2c319f4
Instruction Fuzzy Hash: 4411FA3AD01219FFEF119BA5C985FADBB79EB04750F200091E605B7290D7716E50DB94

Function 0019E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0019E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0019E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0019E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0019E24D

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 32d5325168c3bcdbeee152bc3170a5c5de1e9f0ee6d02439a274155e4d012104
Instruction ID: a6fe775957e9643ae8709a11a868acee292bd77be4bf294f551c30dec31780dc
Opcode Fuzzy Hash: 32d5325168c3bcdbeee152bc3170a5c5de1e9f0ee6d02439a274155e4d012104
Instruction Fuzzy Hash: 7411C476904358BBCB01DBA8EC09E9E7FACEB45720F144255F929E3692D7B0CD148BA0

Function 0015D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0015CFF9,00000000,00000004,00000000), ref: 0015D218
GetLastError.KERNEL32 ref: 0015D224
__dosmaperr.LIBCMT ref: 0015D22B
ResumeThread.KERNEL32(00000000), ref: 0015D249

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 0649637e78bc42a1f636034899038a5cf0302d240be253f2208f069b766a0e6a
Instruction ID: 382beadb9ef7c9972902b6f31ab4ec02560b22edd4e4b90f0dcd46104378039f
Opcode Fuzzy Hash: 0649637e78bc42a1f636034899038a5cf0302d240be253f2208f069b766a0e6a
Instruction Fuzzy Hash: DD01C076805204FBCB215BA6EC09AAA7E69EF91732F100219FD359A1D0DB70C94A87E0

Function 0013600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0013604C
GetStockObject.GDI32(00000011), ref: 00136060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0013606A

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 6bb72eb30eb0d251de038456b75eaed8958367e4a8b33cc3f3f6350134737906
Instruction ID: f4e2773b235eb03cec01b6d2a93d54c8e4a6065706a8200fb59bc2ac91f8accb
Opcode Fuzzy Hash: 6bb72eb30eb0d251de038456b75eaed8958367e4a8b33cc3f3f6350134737906
Instruction Fuzzy Hash: AC116D72501648BFEF164FA49C45EEABF69EF193A4F044215FA1852110D736DCA0DBA0

Function 00153B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00153B56

Part of subcall function 00153AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00153AD2
Part of subcall function 00153AA3: ___AdjustPointer.LIBCMT ref: 00153AED

_UnwindNestedFrames.LIBCMT ref: 00153B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00153B7C
CallCatchBlock.LIBVCRUNTIME ref: 00153BA4

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: cb815e3f9f775657cd4d808db00ad826daf8fb43deebb212f618a1396f74bceb
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: D7012932100148FBDF125E95CC42EEB3B69EF58799F044014FE689B121C732E965EBA0

Function 00163073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001313C6,00000000,00000000,?,0016301A,001313C6,00000000,00000000,00000000,?,0016328B,00000006,FlsSetValue), ref: 001630A5
GetLastError.KERNEL32(?,0016301A,001313C6,00000000,00000000,00000000,?,0016328B,00000006,FlsSetValue,001D2290,FlsSetValue,00000000,00000364,?,00162E46), ref: 001630B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0016301A,001313C6,00000000,00000000,00000000,?,0016328B,00000006,FlsSetValue,001D2290,FlsSetValue,00000000), ref: 001630BF

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 628192c17727d6cccbac09918027b2d8a24f79166b4133ab9a088d6b1049b434
Instruction ID: d17ca770896afea03105cfd2c569bb54ec283af87440fc1b017665c66d7c9bbc
Opcode Fuzzy Hash: 628192c17727d6cccbac09918027b2d8a24f79166b4133ab9a088d6b1049b434
Instruction Fuzzy Hash: 5A012B32302322ABCB314B79EC48E577B98EF05BA1B110620F929E3540CB31DD59C6E0

Function 00197464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0019747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00197497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001974AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 001974CA

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: de2a888a704bab982f31a7169529b7ad0e06d15ee1ded4cc5ee71bb66d31990e
Instruction ID: e323dcdc8e4a254a3fbde73c0cfd963f54e2f22a42ee100c1c63236f1fae27b7
Opcode Fuzzy Hash: de2a888a704bab982f31a7169529b7ad0e06d15ee1ded4cc5ee71bb66d31990e
Instruction Fuzzy Hash: D411ADB1219310ABEB208F14DC09FA27FFCEF00B00F108569E61AD7592D7B0E944DBA0

Function 0019B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0019ACD3,?,00008000), ref: 0019B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0019ACD3,?,00008000), ref: 0019B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0019ACD3,?,00008000), ref: 0019B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0019ACD3,?,00008000), ref: 0019B126

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: c93e076c22593e6c919df485d8a328d78ee324d7b9141d91d7b470bea5bb04f6
Instruction ID: b43ae6a331ea2561311e80e59fdaa8f4c66c043b89b5e8d43593bf47d691743d
Opcode Fuzzy Hash: c93e076c22593e6c919df485d8a328d78ee324d7b9141d91d7b470bea5bb04f6
Instruction Fuzzy Hash: 73115E71C0552CD7CF049FE5FAA8AEEBF78FF49711F154095D941B2141CB3099508B91

Function 00192DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00192DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00192DD6
GetCurrentThreadId.KERNEL32 ref: 00192DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00192DE4

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 1e491e48f07d3e36fe58431be10929e734dfb7ae244433cd8cdef84429003416
Instruction ID: 002ed3b1d8bba05d6e5fa08c74236b390a11dd313c4de25ee08f4b37884bfe7d
Opcode Fuzzy Hash: 1e491e48f07d3e36fe58431be10929e734dfb7ae244433cd8cdef84429003416
Instruction Fuzzy Hash: 55E06D71501234BADB201BA29C0DEEB3EACEF42BA1F010015F10AD15809AA0C881C6F0

Function 001C8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00149639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00149693
Part of subcall function 00149639: SelectObject.GDI32(?,00000000), ref: 001496A2
Part of subcall function 00149639: BeginPath.GDI32(?), ref: 001496B9
Part of subcall function 00149639: SelectObject.GDI32(?,00000000), ref: 001496E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 001C8887
LineTo.GDI32(?,?,?), ref: 001C8894
EndPath.GDI32(?), ref: 001C88A4
StrokePath.GDI32(?), ref: 001C88B2

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 33e35cf8f7f1bc175520a966dea4d49829e7fdb0ce77a9f51a93672111c052c0
Instruction ID: 4340abd62787f23795a7e9673d89178398c69dc33f462fdb268bea9206495eb9
Opcode Fuzzy Hash: 33e35cf8f7f1bc175520a966dea4d49829e7fdb0ce77a9f51a93672111c052c0
Instruction Fuzzy Hash: 23F0823A041258FBDB125F94AC0DFDE3F59AF16310F048004FA55658E2C7759961CFE5

Function 001498B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 001498CC
SetTextColor.GDI32(?,?), ref: 001498D6
SetBkMode.GDI32(?,00000001), ref: 001498E9
GetStockObject.GDI32(00000005), ref: 001498F1

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 06db8d2a611ab2226219667eeb05f97882648051b4c4ac0b204216a8099faad5
Instruction ID: bd44502294f91bc8f9d29af9a37c0a158a9c2f690eaeb15220593e78e673d937
Opcode Fuzzy Hash: 06db8d2a611ab2226219667eeb05f97882648051b4c4ac0b204216a8099faad5
Instruction Fuzzy Hash: 11E03931644280AADB215B75AC09BE93F21AB52336F188219F6BA984E1C3718A809F10

Function 0019162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00191634
OpenThreadToken.ADVAPI32(00000000,?,?,?,001911D9), ref: 0019163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001911D9), ref: 00191648
OpenProcessToken.ADVAPI32(00000000,?,?,?,001911D9), ref: 0019164F

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: eba84f98e8b3970c1e60b91c0a348f43dfc0212be177c4b0d71c56920abcbb49
Instruction ID: b1e114cfc9b5ac804afd025918980e05d37d8c33314e55ea5746b462069d076f
Opcode Fuzzy Hash: eba84f98e8b3970c1e60b91c0a348f43dfc0212be177c4b0d71c56920abcbb49
Instruction Fuzzy Hash: 8CE04F75A01211ABDB201BA0AD0DF473F68BF54B91F184808F249C9480D774C8C1C790

Function 0018D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0018D858
GetDC.USER32(00000000), ref: 0018D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0018D882
ReleaseDC.USER32(?), ref: 0018D8A3

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e76bc89c16cb0c37b3e459bcae16a35547c0a6bdbe04163549586dcf04a5cdb2
Instruction ID: ffb7dcdc5345cc18143f731b416f54d2ee8553e29c59459343dad5546dc6792d
Opcode Fuzzy Hash: e76bc89c16cb0c37b3e459bcae16a35547c0a6bdbe04163549586dcf04a5cdb2
Instruction Fuzzy Hash: 85E01AB4800214DFCF41AFA0D90CA6DBFB5FB08310F158009F84AE7750C7388992AF80

Function 0018D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0018D86C
GetDC.USER32(00000000), ref: 0018D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0018D882
ReleaseDC.USER32(?), ref: 0018D8A3

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: d47fe3fad0b07d659eeedf14dd8b6a31852a19c158bc937e3113fcb3e52fb1a9
Instruction ID: d5efd148f8b2b8daa45c7643cd39a6b7211d22544cc70a3b5970253c748b3e9e
Opcode Fuzzy Hash: d47fe3fad0b07d659eeedf14dd8b6a31852a19c158bc937e3113fcb3e52fb1a9
Instruction Fuzzy Hash: 33E012B4800210EFCF40AFA0D90CA6DBFB5BB08310F148008F84AE7760CB389982AF80

Function 001A4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00137620: _wcslen.LIBCMT ref: 00137625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 001A4ED4

Strings

*, xrefs: 001A4E10
LPT, xrefs: 001A4DFB

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 0a4e6029a1df24e3151fb640c60653e1ecbf81cd9dfa6f05ced44c71fdfd6164
Instruction ID: aba6d74a010dcc03acbb8f13e2926981c0eb113f23ad5a96bf4149c276370b81
Opcode Fuzzy Hash: 0a4e6029a1df24e3151fb640c60653e1ecbf81cd9dfa6f05ced44c71fdfd6164
Instruction Fuzzy Hash: E6917179A00204DFDB14DF58C484EAABBF1BF95304F198099E80A9F3A2D775ED85CB91

Function 0015E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0015E30D

Strings

pow, xrefs: 0015E2E5, 0015E302

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 2c6f43efee231566cdd55ea5f1dec8db10e85c42a747b129b1b549eac5c7c6f9
Instruction ID: e56505df953eed3adeb6ab28b7397abc8d62c1e863d3622c87dc8b170a0f98d7
Opcode Fuzzy Hash: 2c6f43efee231566cdd55ea5f1dec8db10e85c42a747b129b1b549eac5c7c6f9
Instruction Fuzzy Hash: 57519C61E0D202D6CB1D7714CD013797BE4AB20746F304D99E8F68A2E9EB358DEDDA42

Function 0014E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0014E1B1

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: ad7ff1a02ad4ac13adb26d08390fb602ccf515422820a5aa78c944fa1c622c31
Instruction ID: 96796c7056163de5f30142ae25a631b7b2179ee3273ee7c21aaadd246dcaaca8
Opcode Fuzzy Hash: ad7ff1a02ad4ac13adb26d08390fb602ccf515422820a5aa78c944fa1c622c31
Instruction Fuzzy Hash: CF510475604246DFDB19EF68C481ABA7BE4FF66310F248059FC919B2E0D7749E42CB90

Function 0014F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0014F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0014F2BB

Strings

@, xrefs: 0014F2AF

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 6c398dcf61c62ff68ad2d9d97936a8eaffc91462c4ada9b6ddd3a15df5b41798
Instruction ID: 56cd381534f00f7b5eae837112708a629bf2dd0ab0c34cf045e05eaab6d8188e
Opcode Fuzzy Hash: 6c398dcf61c62ff68ad2d9d97936a8eaffc91462c4ada9b6ddd3a15df5b41798
Instruction Fuzzy Hash: 83515671408748ABE320AF54DC86BAFBBF8FB95300F81884CF1D9411A5EB308569CB66

Function 001B5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 001B57E0
_wcslen.LIBCMT ref: 001B57EC

Strings

CALLARGARRAY, xrefs: 001B57E6, 001B57EB

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 3f39de6b0b9f884cbe3e9ff155b16ff0bc19b3dcf5fec51c7e5056bc0d44a052
Instruction ID: 18259ec122b610eae8e4a7f3c6717f6336e618cadcb253fa166163f12f1affe4
Opcode Fuzzy Hash: 3f39de6b0b9f884cbe3e9ff155b16ff0bc19b3dcf5fec51c7e5056bc0d44a052
Instruction Fuzzy Hash: 9D417171E001099FCF14DFAAC885AFEBBB6FF69324F144069E505AB291E7709D81CB90

Function 001AD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001AD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 001AD13A

Strings

|, xrefs: 001AD10B

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: d44f9450d8a2dbd540d0e40475d034591206b152bef3d8070ece4d8a9113da73
Instruction ID: 68ab8eeb002db23fe4ec9de4a45cbae37c40351a9f4472a76a7065db42204282
Opcode Fuzzy Hash: d44f9450d8a2dbd540d0e40475d034591206b152bef3d8070ece4d8a9113da73
Instruction Fuzzy Hash: B3315075D00209ABCF15EFA4DC85EEEBFB9FF19300F004069F815A6162D735AA46CB90

Function 001C356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 001C3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 001C365C

Strings

static, xrefs: 001C35BC

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: bcff780c5bf469b8da5bd48cdbf0ec674227be09614321995b840d42f5c30d0c
Instruction ID: 69f4e2e2e6e68567fa70ae7c772bf7ca243bfed892796dad00cc5095a30bb3b1
Opcode Fuzzy Hash: bcff780c5bf469b8da5bd48cdbf0ec674227be09614321995b840d42f5c30d0c
Instruction Fuzzy Hash: 24318C71110204AADB149F68DC81FFB73A9FFA8760F00961DF9A597290DB31ED91DB60

Function 001C4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 001C461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001C4634

Strings

', xrefs: 001C458E

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 0d350f75a30351fd1295c84a315c42ae57f04995dbf3e7c6cea84e1ff3411774
Instruction ID: 4680dd9e098a3b8fdbccef56de4d71f9be55b4884d8af5e283c25a02c9b569a8
Opcode Fuzzy Hash: 0d350f75a30351fd1295c84a315c42ae57f04995dbf3e7c6cea84e1ff3411774
Instruction Fuzzy Hash: 71311374A0431A9FDB14CFA9C9A1BEABBB5FB19300F10406AE904AB385D770E941CF90

Function 001C31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001C327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001C3287

Strings

Combobox, xrefs: 001C3249

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: ad1f145613544ed334b00d9b6da4723b0490f9033856f7980e107a4f36a6c749
Instruction ID: 706d4239b9886373b0b9d2a23864ca39323c7d695913c6d715050571dc38570e
Opcode Fuzzy Hash: ad1f145613544ed334b00d9b6da4723b0490f9033856f7980e107a4f36a6c749
Instruction Fuzzy Hash: 911190712002087FEF259E94DC85FBB3B6AEBA43A4F108129F92897291D771DD519760

Function 001C3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0013600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0013604C
Part of subcall function 0013600E: GetStockObject.GDI32(00000011), ref: 00136060
Part of subcall function 0013600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0013606A

GetWindowRect.USER32(00000000,?), ref: 001C377A
GetSysColor.USER32(00000012), ref: 001C3794

Strings

static, xrefs: 001C3757

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 087620f317895bd761823e0442ec057ea8940dfa99feedb48902c3d12ecd7011
Instruction ID: 0ff41b396cb28bc9d519d9cee95fa4752dc7a5fe965622e26d95393288c3d9d4
Opcode Fuzzy Hash: 087620f317895bd761823e0442ec057ea8940dfa99feedb48902c3d12ecd7011
Instruction Fuzzy Hash: D6113AB2610209AFDF01DFA8CC4AEEA7BF8FB18354F004518F965E2250D735E9519B50

Function 001ACD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 001ACD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 001ACDA6

Strings

<local>, xrefs: 001ACD66

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 7e92fdf09a3930fd83d78c82fe5652ca9ff596b1911df6fdee0fe58cc1857b01
Instruction ID: 4b2a58a123bf467c7097a542d2f95adc339b6e59677577f3487f573fe5131633
Opcode Fuzzy Hash: 7e92fdf09a3930fd83d78c82fe5652ca9ff596b1911df6fdee0fe58cc1857b01
Instruction Fuzzy Hash: 1511C279205635BAD7384BA68C49EF7BEACEF137A4F00422AB11983180D7709840D6F0

Function 001C3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 001C34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001C34BA

Strings

edit, xrefs: 001C348F

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 7f79446ee6a3be70ecde85c3e98efd818d354886e81cd7b2d6b2b95dbf5150ce
Instruction ID: 08e0c4cb390b70ad3d9c73ddfc665527d359eb501fa60b5ba8f6d24370edbaef
Opcode Fuzzy Hash: 7f79446ee6a3be70ecde85c3e98efd818d354886e81cd7b2d6b2b95dbf5150ce
Instruction Fuzzy Hash: 49116D71100208AAEB164E64DC85FEA3B6AEB25774F508328F975931D0C771DD919B50

Function 00196C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

CharUpperBuffW.USER32(?,?,?), ref: 00196CB6
_wcslen.LIBCMT ref: 00196CC2

Strings

STOP, xrefs: 00196CBC, 00196CC1

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: ec06bcd7006cd5c0823c4f1e8172b4747a3157737c1492455f82f1f3cbb00508
Instruction ID: d519db36442ef3520fb3489eca92b9fa92ad705c4bef4bbfb33e961a86561365
Opcode Fuzzy Hash: ec06bcd7006cd5c0823c4f1e8172b4747a3157737c1492455f82f1f3cbb00508
Instruction Fuzzy Hash: 3F01C032A1452A8BCF21AFFDDC819BF77E5EF61754B510528F8A296190EB31E940C660

Function 00191BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

Part of subcall function 00193CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00193CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00191C46

Strings

ComboBox, xrefs: 00191BE5
ListBox, xrefs: 00191C10

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0e78fa5c28f0da7451cb5d2d9e399061913bdc2018573bfca609ad0a7f669f31
Instruction ID: 382405f1849dc6964a0e0feb7af70c07d40a1b4c7f0008df1f60dc06e5831637
Opcode Fuzzy Hash: 0e78fa5c28f0da7451cb5d2d9e399061913bdc2018573bfca609ad0a7f669f31
Instruction Fuzzy Hash: DC01A275A851097ACF09EBA0CA52EFF77A99F61340F14001AB91667281EB609F48D6B1

Function 00191C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00139CB3: _wcslen.LIBCMT ref: 00139CBD

Part of subcall function 00193CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00193CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00191CC8

Strings

ComboBox, xrefs: 00191C69
ListBox, xrefs: 00191C94

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: cbc070d70ece93746998f971cc04edecbb21d1b5bec93f6779acaeb77be4ea91
Instruction ID: 4f046dd056fe37fb144c956eed3c9d30d4511c19e73d548c8de6a5fc950c5695
Opcode Fuzzy Hash: cbc070d70ece93746998f971cc04edecbb21d1b5bec93f6779acaeb77be4ea91
Instruction Fuzzy Hash: 0B01D1B5A8011977CF04EBA0CA02EFE77A99B21380F540016B906B7281EBA09F48D6B1

Function 001C8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00203018,0020305C), ref: 001C81BF
CloseHandle.KERNEL32 ref: 001C81D1

Strings

\0 , xrefs: 001C818A

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0
API String ID: 3712363035-2127501565
Opcode ID: 750793a0e7c27cdcb0fdc00956d35b0172eb8e3d4e291f59158d48508fb048a6
Instruction ID: 4c1501d1da4189b050300cf41308a99fef41c6c8622881b65b7aced264f713a2
Opcode Fuzzy Hash: 750793a0e7c27cdcb0fdc00956d35b0172eb8e3d4e291f59158d48508fb048a6
Instruction Fuzzy Hash: 21F03AB2641300BAE320AB61BC49FB73A5DEB19751F004461FA08D91A2D6758E5482E8

Function 001B747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001B7493
_wcslen.LIBCMT ref: 001B74B9

Strings

3, 3, 16, 1, xrefs: 001B7483

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 5ed2ff7d2e13b9e3da031e253b028089355917c92c3723ddbd6f3dd24671429c
Instruction ID: 84a4c1a2c3a06a6a7363a40e8cc1c414799f75c1be424c089a40bb5754e9b464
Opcode Fuzzy Hash: 5ed2ff7d2e13b9e3da031e253b028089355917c92c3723ddbd6f3dd24671429c
Instruction Fuzzy Hash: 15E02B026042206192311279ACC29BF5689DFD9756710182BFD81C62E6EBA48DD193A0

Function 00190B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00190B23

Strings

AutoIt, xrefs: 00190B17
Error allocating memory., xrefs: 00190B1C

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 614bf7de05a6bd85b848f2d36459b4da0fe9052f8126679320853c17cd4d04d4
Instruction ID: a660d7b16b70d996988949f536b7c8b47310f67f3d5bd1164f5fa1197f73763e
Opcode Fuzzy Hash: 614bf7de05a6bd85b848f2d36459b4da0fe9052f8126679320853c17cd4d04d4
Instruction Fuzzy Hash: C9E0D8312443083AD21437947C03FC97A85CF15F15F10042EFB9C659D38BE2689106E9

Function 00150D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0014F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00150D71,?,?,?,0013100A), ref: 0014F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0013100A), ref: 00150D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0013100A), ref: 00150D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00150D7F

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: f99de91f9a2f49a4fe4346559134d9c28681dc58835957b491e12375f8cb54eb
Instruction ID: 39169d452013438a0d0ea810e5fbaf929b7163b2573ee88d81ec8dbf31651697
Opcode Fuzzy Hash: f99de91f9a2f49a4fe4346559134d9c28681dc58835957b491e12375f8cb54eb
Instruction Fuzzy Hash: DEE06D742003418BD3219FF8E508B42BBF1AF18741F00492DE896CA652DBB4E8898B91

Function 0014E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0014E3D5

Strings

0% , xrefs: 0014E3B5
8% , xrefs: 0014E3CA

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0% $8%
API String ID: 1385522511-1964686787
Opcode ID: 7635c2bb300fc79c691ca2659a5f17d8ea656a21b9d30408d5dec0dcc6aac4ca
Instruction ID: 562ac4730d03fa55be9c6272a87b99fdcf7da13756022c544b542e5ac0237ada
Opcode Fuzzy Hash: 7635c2bb300fc79c691ca2659a5f17d8ea656a21b9d30408d5dec0dcc6aac4ca
Instruction Fuzzy Hash: 3BE08631414B10CBCB0E9B18BEDDE883795BB19320F9111AAF5228B1E39B71684A865D

Function 0018D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0018D220

Strings

%.3d, xrefs: 0018D22B
X64, xrefs: 0018D2A8

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 41d8f42625dbe67fa8d3123526134d0535a5ec36f3b42da066d2af4cbd1f16c6
Instruction ID: fa5b8baebcb0b018b29d6fe3bd3eeec726009eded947d19c0b86e6b2280b0ae8
Opcode Fuzzy Hash: 41d8f42625dbe67fa8d3123526134d0535a5ec36f3b42da066d2af4cbd1f16c6
Instruction Fuzzy Hash: 42D01261808208F9CB54A7D0EC49CBAB37DFB18341F528452F90792080D724C6486F61

Function 001C2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001C232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 001C233F

Part of subcall function 0019E97B: Sleep.KERNEL32 ref: 0019E9F3

Strings

Shell_TrayWnd, xrefs: 001C2325

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 74be32afb7421962aeff970ba20e0a18980aa485fa5184ca1734ae085d236a26
Instruction ID: b8cff3c25c2c8fcc8533bac49f634c4a43bea4a085b52bf9f271c3a0c9aa41ec
Opcode Fuzzy Hash: 74be32afb7421962aeff970ba20e0a18980aa485fa5184ca1734ae085d236a26
Instruction Fuzzy Hash: CBD0C936794350B6E664B771DC0FFD67A549B10B14F004A16B74AAA1D0CAA4A841CA94

Function 001C2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001C236C
PostMessageW.USER32(00000000), ref: 001C2373

Part of subcall function 0019E97B: Sleep.KERNEL32 ref: 0019E9F3

Strings

Shell_TrayWnd, xrefs: 001C2365

Memory Dump Source

Source File: 00000001.00000002.1361065604.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000001.00000002.1361024890.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361121577.00000000001F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361173269.00000000001FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1361190989.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_130000_3WgNXsWvMO.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 99146ef4f8c072a503613edc8f36b94be3188ee6acf48eb96c22563058ea85fe
Instruction ID: 2ee80d98b5b6f651c2c988875d5cc57e31909437b0e8bfe063c3b558aa46334a
Opcode Fuzzy Hash: 99146ef4f8c072a503613edc8f36b94be3188ee6acf48eb96c22563058ea85fe
Instruction Fuzzy Hash: 5DD0C9327C13507AE664B771DC0FFC67A549B14B14F004A16B74AEA1D0CAA4A841CA94

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 3WgNXsWvMO.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut2230.tmp

C:\Users\user\AppData\Local\Temp\sticket

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
3WgNXsWvMO.exe

Function 001342DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 001342A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00172BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00132CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0017065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0013344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00132B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00133170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 00168D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 00F3EDB0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00132C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00F3EBA0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136
fileCOMMON

Function 001A2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Function 00133B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre