Edit tour

Windows Analysis Report
ZV2G9QQzlR.exe

Overview

General Information

Sample name:	ZV2G9QQzlR.exe renamed because original name is a hash value
Original sample name:	8034e571846e99f8e3a7edf472dea0bc0b903201ca63a572dd74a2a637345f7d.exe
Analysis ID:	1587974
MD5:	97285a8373f6dc1d7250e24a46972849
SHA1:	615cd2f15c22d33c15f19169dca5a4bbb5beb121
SHA256:	8034e571846e99f8e3a7edf472dea0bc0b903201ca63a572dd74a2a637345f7d
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

ZV2G9QQzlR.exe (PID: 7752 cmdline: "C:\Users\user\Desktop\ZV2G9QQzlR.exe" MD5: 97285A8373F6DC1D7250E24A46972849)

svchost.exe (PID: 7808 cmdline: "C:\Users\user\Desktop\ZV2G9QQzlR.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1552395026.0000000000310000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1552577849.0000000002760000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.310000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.310000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\ZV2G9QQzlR.exe", CommandLine: "C:\Users\user\Desktop\ZV2G9QQzlR.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\ZV2G9QQzlR.exe", ParentImage: C:\Users\user\Desktop\ZV2G9QQzlR.exe, ParentProcessId: 7752, ParentProcessName: ZV2G9QQzlR.exe, ProcessCommandLine: "C:\Users\user\Desktop\ZV2G9QQzlR.exe", ProcessId: 7808, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\ZV2G9QQzlR.exe", CommandLine: "C:\Users\user\Desktop\ZV2G9QQzlR.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\ZV2G9QQzlR.exe", ParentImage: C:\Users\user\Desktop\ZV2G9QQzlR.exe, ParentProcessId: 7752, ParentProcessName: ZV2G9QQzlR.exe, ProcessCommandLine: "C:\Users\user\Desktop\ZV2G9QQzlR.exe", ProcessId: 7808, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ZV2G9QQzlR.exe	Virustotal: Detection: 69%			Perma Link
Source: ZV2G9QQzlR.exe	ReversingLabs: Detection: 76%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.310000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1552395026.0000000000310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1552577849.0000000002760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: ZV2G9QQzlR.exe

Joe Sandbox ML: detected

Source: ZV2G9QQzlR.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: ZV2G9QQzlR.exe, 00000000.00000003.1342047668.0000000003970000.00000004.00001000.00020000.00000000.sdmp, ZV2G9QQzlR.exe, 00000000.00000003.1342920899.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1510534654.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1552949009.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1552949009.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1513120599.0000000002E00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ZV2G9QQzlR.exe, 00000000.00000003.1342047668.0000000003970000.00000004.00001000.00020000.00000000.sdmp, ZV2G9QQzlR.exe, 00000000.00000003.1342920899.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1510534654.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1552949009.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1552949009.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1513120599.0000000002E00000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FB445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FB445A
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FBC6D1 FindFirstFileW,FindClose,	0_2_00FBC6D1
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FBC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00FBC75C
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FBEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FBEF95
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FBF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FBF0F2
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FBF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FBF3F3
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FB37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FB37EF
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FB3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FB3B12
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FBBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FBBCBC

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00FC22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00FC22EE

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00FC4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00FC4164

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00FC4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00FC4164

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00FC3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00FC3F66

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00FB001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00FB001C

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00FDCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00FDCABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.310000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1552395026.0000000000310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1552577849.0000000002760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00F53B3A
Source: ZV2G9QQzlR.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: ZV2G9QQzlR.exe, 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a24015f3-8
Source: ZV2G9QQzlR.exe, 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_00eb9ec4-6
Source: ZV2G9QQzlR.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a93a8e20-e
Source: ZV2G9QQzlR.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_b190920d-c

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0033C5B3 NtClose,	2_2_0033C5B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072B60 NtClose,LdrInitializeThunk,	2_2_03072B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03072DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030735C0 NtCreateMutant,LdrInitializeThunk,	2_2_030735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03074340 NtSetContextThread,	2_2_03074340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03074650 NtSuspendThread,	2_2_03074650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072B80 NtQueryInformationFile,	2_2_03072B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072BA0 NtEnumerateValueKey,	2_2_03072BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072BE0 NtQueryValueKey,	2_2_03072BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072BF0 NtAllocateVirtualMemory,	2_2_03072BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072AB0 NtWaitForSingleObject,	2_2_03072AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072AD0 NtReadFile,	2_2_03072AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072AF0 NtWriteFile,	2_2_03072AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072F30 NtCreateSection,	2_2_03072F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072F60 NtCreateProcessEx,	2_2_03072F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072F90 NtProtectVirtualMemory,	2_2_03072F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072FA0 NtQuerySection,	2_2_03072FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072FB0 NtResumeThread,	2_2_03072FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072FE0 NtCreateFile,	2_2_03072FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072E30 NtWriteVirtualMemory,	2_2_03072E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072E80 NtReadVirtualMemory,	2_2_03072E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072EA0 NtAdjustPrivilegesToken,	2_2_03072EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072EE0 NtQueueApcThread,	2_2_03072EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072D00 NtSetInformationFile,	2_2_03072D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072D10 NtMapViewOfSection,	2_2_03072D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072D30 NtUnmapViewOfSection,	2_2_03072D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072DB0 NtEnumerateKey,	2_2_03072DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072DD0 NtDelayExecution,	2_2_03072DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072C00 NtQueryInformationProcess,	2_2_03072C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072C60 NtCreateKey,	2_2_03072C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072C70 NtFreeVirtualMemory,	2_2_03072C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072CA0 NtQueryInformationToken,	2_2_03072CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072CC0 NtQueryVirtualMemory,	2_2_03072CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072CF0 NtOpenProcess,	2_2_03072CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073010 NtOpenDirectoryObject,	2_2_03073010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073090 NtSetValueKey,	2_2_03073090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030739B0 NtGetContextThread,	2_2_030739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073D10 NtOpenProcessToken,	2_2_03073D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03073D70 NtOpenThread,	2_2_03073D70

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00FBA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00FBA1EF

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00FA8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00FA8310

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00FB51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00FB51BD

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F7D975	0_2_00F7D975
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F721C5	0_2_00F721C5
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F862D2	0_2_00F862D2
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FD03DA	0_2_00FD03DA
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F8242E	0_2_00F8242E
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F725FA	0_2_00F725FA
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F666E1	0_2_00F666E1
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F5E6A0	0_2_00F5E6A0
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FAE616	0_2_00FAE616
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F8878F	0_2_00F8878F
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FB8889	0_2_00FB8889
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FD0857	0_2_00FD0857
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F86844	0_2_00F86844
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F68808	0_2_00F68808
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F7CB21	0_2_00F7CB21
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F86DB6	0_2_00F86DB6
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F66F9E	0_2_00F66F9E
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F63030	0_2_00F63030
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F7F1D9	0_2_00F7F1D9
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F73187	0_2_00F73187
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F51287	0_2_00F51287
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F71484	0_2_00F71484
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F65520	0_2_00F65520
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F77696	0_2_00F77696
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F65760	0_2_00F65760
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F71978	0_2_00F71978
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F89AB5	0_2_00F89AB5
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F5FCE0	0_2_00F5FCE0
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FD7DDB	0_2_00FD7DDB
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F7BDA6	0_2_00F7BDA6
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F71D90	0_2_00F71D90
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F63FE0	0_2_00F63FE0
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F5DF00	0_2_00F5DF00
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_012073B0	0_2_012073B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00313030	2_2_00313030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003110DC	2_2_003110DC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0031E133	2_2_0031E133
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0031E127	2_2_0031E127
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0031E17C	2_2_0031E17C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003111C0	2_2_003111C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0033EBA3	2_2_0033EBA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00312480	2_2_00312480
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0031FDD3	2_2_0031FDD3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0031FDCB	2_2_0031FDCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0032677E	2_2_0032677E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00312760	2_2_00312760
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00326783	2_2_00326783
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0031FFF3	2_2_0031FFF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0031DFE3	2_2_0031DFE3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FA352	2_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031003E6	2_2_031003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C02C0	2_2_030C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030100	2_2_03030100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C8158	2_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F41A2	2_2_030F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031001AA	2_2_031001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F81CC	2_2_030F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064750	2_2_03064750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303C7C0	2_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305C6E0	2_2_0305C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03100591	2_2_03100591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4420	2_2_030E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F2446	2_2_030F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EE4F6	2_2_030EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FAB40	2_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F6BD7	2_2_030F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310A9A6	2_2_0310A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304A840	2_2_0304A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03042840	2_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030268B8	2_2_030268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E8F0	2_2_0306E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03082F28	2_2_03082F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060F30	2_2_03060F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E2F30	2_2_030E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4F40	2_2_030B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BEFA0	2_2_030BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032FC8	2_2_03032FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304CFE0	2_2_0304CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FEE26	2_2_030FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040E59	2_2_03040E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052E90	2_2_03052E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FCE93	2_2_030FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FEEDB	2_2_030FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304AD00	2_2_0304AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DCD1F	2_2_030DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03058DBF	2_2_03058DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303ADE0	2_2_0303ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040C00	2_2_03040C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0CB5	2_2_030E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030CF2	2_2_03030CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F132D	2_2_030F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302D34C	2_2_0302D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0308739A	2_2_0308739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030452A0	2_2_030452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305B2C0	2_2_0305B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E12ED	2_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307516C	2_2_0307516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302F172	2_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0310B16B	2_2_0310B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304B1B0	2_2_0304B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EF0CC	2_2_030EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030470C0	2_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F70E9	2_2_030F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FF0E0	2_2_030FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FF7B0	2_2_030FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F16CC	2_2_030F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F7571	2_2_030F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DD5B0	2_2_030DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FF43F	2_2_030FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03031460	2_2_03031460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFB76	2_2_030FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305FB80	2_2_0305FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B5BF0	2_2_030B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307DBF9	2_2_0307DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFA49	2_2_030FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F7A46	2_2_030F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B3A6C	2_2_030B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DDAAC	2_2_030DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03085AA0	2_2_03085AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E1AA3	2_2_030E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EDAC6	2_2_030EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D5910	2_2_030D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03049950	2_2_03049950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305B950	2_2_0305B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AD800	2_2_030AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030438E0	2_2_030438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFF09	2_2_030FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03041F92	2_2_03041F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFFB1	2_2_030FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03049EB0	2_2_03049EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03043D40	2_2_03043D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F1D5A	2_2_030F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F7D73	2_2_030F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305FDC0	2_2_0305FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B9C32	2_2_030B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FFCF2	2_2_030FFCF2

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0302B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03075130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03087E54 appears 102 times
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: String function: 00F78900 appears 42 times
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: String function: 00F70AE3 appears 70 times
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: String function: 00F57DE1 appears 35 times

Source: ZV2G9QQzlR.exe, 00000000.00000003.1340971500.0000000003A93000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ZV2G9QQzlR.exe
Source: ZV2G9QQzlR.exe, 00000000.00000003.1340290725.0000000003C3D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ZV2G9QQzlR.exe

Source: ZV2G9QQzlR.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.evad.winEXE@3/2@0/0

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00FBA06A GetLastError,FormatMessageW,

0_2_00FBA06A

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FA81CB AdjustTokenPrivileges,CloseHandle,		0_2_00FA81CB
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FA87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00FA87E1

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00FBB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00FBB3FB

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00FCEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00FCEE0D

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00FC83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00FC83BB

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00F54E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00F54E89

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

File created: C:\Users\user\AppData\Local\Temp\aut967A.tmp

Jump to behavior

Source: ZV2G9QQzlR.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ZV2G9QQzlR.exe	Virustotal: Detection: 69%
Source: ZV2G9QQzlR.exe	ReversingLabs: Detection: 76%

Source: unknown	Process created: C:\Users\user\Desktop\ZV2G9QQzlR.exe "C:\Users\user\Desktop\ZV2G9QQzlR.exe"
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\ZV2G9QQzlR.exe"
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\ZV2G9QQzlR.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: ZV2G9QQzlR.exe

Static file information: File size 1203712 > 1048576

Source: ZV2G9QQzlR.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ZV2G9QQzlR.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ZV2G9QQzlR.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ZV2G9QQzlR.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ZV2G9QQzlR.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ZV2G9QQzlR.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ZV2G9QQzlR.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: ZV2G9QQzlR.exe, 00000000.00000003.1342047668.0000000003970000.00000004.00001000.00020000.00000000.sdmp, ZV2G9QQzlR.exe, 00000000.00000003.1342920899.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1510534654.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1552949009.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1552949009.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1513120599.0000000002E00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ZV2G9QQzlR.exe, 00000000.00000003.1342047668.0000000003970000.00000004.00001000.00020000.00000000.sdmp, ZV2G9QQzlR.exe, 00000000.00000003.1342920899.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1510534654.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1552949009.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1552949009.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1513120599.0000000002E00000.00000004.00000020.00020000.00000000.sdmp

Source: ZV2G9QQzlR.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ZV2G9QQzlR.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ZV2G9QQzlR.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ZV2G9QQzlR.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ZV2G9QQzlR.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00F54B37 LoadLibraryA,GetProcAddress,

0_2_00F54B37

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F78945 push ecx; ret	0_2_00F78958
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_01207CD7 push ebp; iretd	0_2_01207CD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0032E9E9 push edx; retf	2_2_0032E9EA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003132B0 push eax; ret	2_2_003132B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0031D286 pushad ; ret	2_2_0031D29D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_003222D5 pushad ; ret	2_2_003222FD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00318306 push ds; retf	2_2_00318307
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00314D95 push edx; retf	2_2_00314D96
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00328FFD push esi; iretd	2_2_00328FFE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030309AD push ecx; mov dword ptr [esp], ecx	2_2_030309B6

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F548D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00F548D7
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FD5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00FD5376

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00F73187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00F73187

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

API/Special instruction interceptor: Address: 1206FD4

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: ZV2G9QQzlR.exe, 00000000.00000003.1332655641.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, ZV2G9QQzlR.exe, 00000000.00000002.1345477826.0000000001240000.00000004.00000020.00020000.00000000.sdmp, ZV2G9QQzlR.exe, 00000000.00000003.1332758206.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXEAGE
Source: ZV2G9QQzlR.exe, 00000000.00000003.1332655641.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, ZV2G9QQzlR.exe, 00000000.00000002.1345477826.0000000001240000.00000004.00000020.00020000.00000000.sdmp, ZV2G9QQzlR.exe, 00000000.00000003.1332758206.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0307096E rdtsc

2_2_0307096E

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	API coverage: 4.3 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 7812

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FB445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FB445A
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FBC6D1 FindFirstFileW,FindClose,	0_2_00FBC6D1
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FBC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00FBC75C
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FBEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FBEF95
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FBF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FBF0F2
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FBF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FBF3F3
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FB37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FB37EF
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FB3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FB3B12
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FBBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FBBCBC

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00F549A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F549A0

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0307096E rdtsc

2_2_0307096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00327713 LdrLoadDll,

2_2_00327713

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00FC3F09 BlockInput,

0_2_00FC3F09

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00F53B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F53B3A

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00F85A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00F85A7C

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00F54B37 LoadLibraryA,GetProcAddress,

0_2_00F54B37

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_01207240 mov eax, dword ptr fs:[00000030h]	0_2_01207240
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_012072A0 mov eax, dword ptr fs:[00000030h]	0_2_012072A0
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_01205C20 mov eax, dword ptr fs:[00000030h]	0_2_01205C20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]	2_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]	2_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]	2_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C310 mov ecx, dword ptr fs:[00000030h]	2_2_0302C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050310 mov ecx, dword ptr fs:[00000030h]	2_2_03050310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]	2_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov ecx, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]	2_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FA352 mov eax, dword ptr fs:[00000030h]	2_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D8350 mov ecx, dword ptr fs:[00000030h]	2_2_030D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D437C mov eax, dword ptr fs:[00000030h]	2_2_030D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]	2_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]	2_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]	2_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305438F mov eax, dword ptr fs:[00000030h]	2_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305438F mov eax, dword ptr fs:[00000030h]	2_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]	2_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]	2_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]	2_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EC3CD mov eax, dword ptr fs:[00000030h]	2_2_030EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]	2_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B63C0 mov eax, dword ptr fs:[00000030h]	2_2_030B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]	2_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h]	2_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h]	2_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]	2_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030663FF mov eax, dword ptr fs:[00000030h]	2_2_030663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302823B mov eax, dword ptr fs:[00000030h]	2_2_0302823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B8243 mov eax, dword ptr fs:[00000030h]	2_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B8243 mov ecx, dword ptr fs:[00000030h]	2_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A250 mov eax, dword ptr fs:[00000030h]	2_2_0302A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036259 mov eax, dword ptr fs:[00000030h]	2_2_03036259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h]	2_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h]	2_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]	2_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]	2_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]	2_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302826B mov eax, dword ptr fs:[00000030h]	2_2_0302826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]	2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]	2_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]	2_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]	2_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]	2_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]	2_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]	2_2_030402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]	2_2_030402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]	2_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]	2_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]	2_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]	2_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]	2_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov ecx, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]	2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F0115 mov eax, dword ptr fs:[00000030h]	2_2_030F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060124 mov eax, dword ptr fs:[00000030h]	2_2_03060124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov ecx, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]	2_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C156 mov eax, dword ptr fs:[00000030h]	2_2_0302C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C8158 mov eax, dword ptr fs:[00000030h]	2_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]	2_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]	2_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03070185 mov eax, dword ptr fs:[00000030h]	2_2_03070185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]	2_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]	2_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]	2_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]	2_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]	2_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]	2_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]	2_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]	2_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]	2_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]	2_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_031061E5 mov eax, dword ptr fs:[00000030h]	2_2_031061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030601F8 mov eax, dword ptr fs:[00000030h]	2_2_030601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4000 mov ecx, dword ptr fs:[00000030h]	2_2_030B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]	2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]	2_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A020 mov eax, dword ptr fs:[00000030h]	2_2_0302A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C020 mov eax, dword ptr fs:[00000030h]	2_2_0302C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6030 mov eax, dword ptr fs:[00000030h]	2_2_030C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032050 mov eax, dword ptr fs:[00000030h]	2_2_03032050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6050 mov eax, dword ptr fs:[00000030h]	2_2_030B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305C073 mov eax, dword ptr fs:[00000030h]	2_2_0305C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303208A mov eax, dword ptr fs:[00000030h]	2_2_0303208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C80A8 mov eax, dword ptr fs:[00000030h]	2_2_030C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F60B8 mov eax, dword ptr fs:[00000030h]	2_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B20DE mov eax, dword ptr fs:[00000030h]	2_2_030B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0302A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030380E9 mov eax, dword ptr fs:[00000030h]	2_2_030380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B60E0 mov eax, dword ptr fs:[00000030h]	2_2_030B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0302C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030720F0 mov ecx, dword ptr fs:[00000030h]	2_2_030720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C700 mov eax, dword ptr fs:[00000030h]	2_2_0306C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030710 mov eax, dword ptr fs:[00000030h]	2_2_03030710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060710 mov eax, dword ptr fs:[00000030h]	2_2_03060710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]	2_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]	2_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]	2_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306273C mov ecx, dword ptr fs:[00000030h]	2_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]	2_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AC730 mov eax, dword ptr fs:[00000030h]	2_2_030AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306674D mov esi, dword ptr fs:[00000030h]	2_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]	2_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]	2_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030750 mov eax, dword ptr fs:[00000030h]	2_2_03030750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE75D mov eax, dword ptr fs:[00000030h]	2_2_030BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]	2_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]	2_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4755 mov eax, dword ptr fs:[00000030h]	2_2_030B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038770 mov eax, dword ptr fs:[00000030h]	2_2_03038770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]	2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D678E mov eax, dword ptr fs:[00000030h]	2_2_030D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030307AF mov eax, dword ptr fs:[00000030h]	2_2_030307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E47A0 mov eax, dword ptr fs:[00000030h]	2_2_030E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B07C3 mov eax, dword ptr fs:[00000030h]	2_2_030B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]	2_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]	2_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]	2_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_030BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]	2_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]	2_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE609 mov eax, dword ptr fs:[00000030h]	2_2_030AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03072619 mov eax, dword ptr fs:[00000030h]	2_2_03072619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304E627 mov eax, dword ptr fs:[00000030h]	2_2_0304E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03066620 mov eax, dword ptr fs:[00000030h]	2_2_03066620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068620 mov eax, dword ptr fs:[00000030h]	2_2_03068620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303262C mov eax, dword ptr fs:[00000030h]	2_2_0303262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0304C640 mov eax, dword ptr fs:[00000030h]	2_2_0304C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]	2_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]	2_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]	2_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]	2_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03062674 mov eax, dword ptr fs:[00000030h]	2_2_03062674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]	2_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]	2_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0306C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030666B0 mov eax, dword ptr fs:[00000030h]	2_2_030666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]	2_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]	2_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6500 mov eax, dword ptr fs:[00000030h]	2_2_030C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]	2_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]	2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]	2_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]	2_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]	2_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]	2_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]	2_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]	2_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032582 mov eax, dword ptr fs:[00000030h]	2_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032582 mov ecx, dword ptr fs:[00000030h]	2_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064588 mov eax, dword ptr fs:[00000030h]	2_2_03064588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E59C mov eax, dword ptr fs:[00000030h]	2_2_0306E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]	2_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]	2_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]	2_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h]	2_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h]	2_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h]	2_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h]	2_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030365D0 mov eax, dword ptr fs:[00000030h]	2_2_030365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030325E0 mov eax, dword ptr fs:[00000030h]	2_2_030325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h]	2_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h]	2_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]	2_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]	2_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]	2_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]	2_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]	2_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]	2_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302C427 mov eax, dword ptr fs:[00000030h]	2_2_0302C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]	2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A430 mov eax, dword ptr fs:[00000030h]	2_2_0306A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]	2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA456 mov eax, dword ptr fs:[00000030h]	2_2_030EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302645D mov eax, dword ptr fs:[00000030h]	2_2_0302645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305245A mov eax, dword ptr fs:[00000030h]	2_2_0305245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC460 mov ecx, dword ptr fs:[00000030h]	2_2_030BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]	2_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]	2_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]	2_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030EA49A mov eax, dword ptr fs:[00000030h]	2_2_030EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030364AB mov eax, dword ptr fs:[00000030h]	2_2_030364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030644B0 mov ecx, dword ptr fs:[00000030h]	2_2_030644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_030BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030304E5 mov ecx, dword ptr fs:[00000030h]	2_2_030304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]	2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h]	2_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h]	2_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h]	2_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h]	2_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h]	2_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h]	2_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h]	2_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h]	2_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FAB40 mov eax, dword ptr fs:[00000030h]	2_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D8B42 mov eax, dword ptr fs:[00000030h]	2_2_030D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DEB50 mov eax, dword ptr fs:[00000030h]	2_2_030DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302CB7E mov eax, dword ptr fs:[00000030h]	2_2_0302CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h]	2_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h]	2_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]	2_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]	2_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]	2_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]	2_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]	2_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]	2_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_030DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]	2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]	2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]	2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EBFC mov eax, dword ptr fs:[00000030h]	2_2_0305EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_030BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BCA11 mov eax, dword ptr fs:[00000030h]	2_2_030BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA24 mov eax, dword ptr fs:[00000030h]	2_2_0306CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EA2E mov eax, dword ptr fs:[00000030h]	2_2_0305EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h]	2_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h]	2_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA38 mov eax, dword ptr fs:[00000030h]	2_2_0306CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]	2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h]	2_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h]	2_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]	2_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]	2_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]	2_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030DEA60 mov eax, dword ptr fs:[00000030h]	2_2_030DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h]	2_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h]	2_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]	2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03104A80 mov eax, dword ptr fs:[00000030h]	2_2_03104A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03068A90 mov edx, dword ptr fs:[00000030h]	2_2_03068A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h]	2_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h]	2_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086AA4 mov eax, dword ptr fs:[00000030h]	2_2_03086AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]	2_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]	2_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]	2_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030AD0 mov eax, dword ptr fs:[00000030h]	2_2_03030AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h]	2_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h]	2_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h]	2_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h]	2_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h]	2_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h]	2_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC912 mov eax, dword ptr fs:[00000030h]	2_2_030BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h]	2_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h]	2_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B892A mov eax, dword ptr fs:[00000030h]	2_2_030B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C892B mov eax, dword ptr fs:[00000030h]	2_2_030C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B0946 mov eax, dword ptr fs:[00000030h]	2_2_030B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]	2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h]	2_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307096E mov edx, dword ptr fs:[00000030h]	2_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h]	2_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h]	2_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h]	2_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC97C mov eax, dword ptr fs:[00000030h]	2_2_030BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]	2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h]	2_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h]	2_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B89B3 mov esi, dword ptr fs:[00000030h]	2_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h]	2_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h]	2_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C69C0 mov eax, dword ptr fs:[00000030h]	2_2_030C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030649D0 mov eax, dword ptr fs:[00000030h]	2_2_030649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_030FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_030BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h]	2_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h]	2_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC810 mov eax, dword ptr fs:[00000030h]	2_2_030BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov ecx, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]	2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306A830 mov eax, dword ptr fs:[00000030h]	2_2_0306A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h]	2_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h]	2_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03042840 mov ecx, dword ptr fs:[00000030h]	2_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03060854 mov eax, dword ptr fs:[00000030h]	2_2_03060854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034859 mov eax, dword ptr fs:[00000030h]	2_2_03034859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03034859 mov eax, dword ptr fs:[00000030h]	2_2_03034859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE872 mov eax, dword ptr fs:[00000030h]	2_2_030BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BE872 mov eax, dword ptr fs:[00000030h]	2_2_030BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6870 mov eax, dword ptr fs:[00000030h]	2_2_030C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030C6870 mov eax, dword ptr fs:[00000030h]	2_2_030C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03030887 mov eax, dword ptr fs:[00000030h]	2_2_03030887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030BC89D mov eax, dword ptr fs:[00000030h]	2_2_030BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0305E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_030FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0306C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0306C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030E6F00 mov eax, dword ptr fs:[00000030h]	2_2_030E6F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03032F12 mov eax, dword ptr fs:[00000030h]	2_2_03032F12
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0306CF1F mov eax, dword ptr fs:[00000030h]	2_2_0306CF1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0305EF28 mov eax, dword ptr fs:[00000030h]	2_2_0305EF28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4F40 mov eax, dword ptr fs:[00000030h]	2_2_030B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4F40 mov eax, dword ptr fs:[00000030h]	2_2_030B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4F40 mov eax, dword ptr fs:[00000030h]	2_2_030B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030B4F40 mov eax, dword ptr fs:[00000030h]	2_2_030B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030D4F42 mov eax, dword ptr fs:[00000030h]	2_2_030D4F42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302CF50 mov eax, dword ptr fs:[00000030h]	2_2_0302CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0302CF50 mov eax, dword ptr fs:[00000030h]	2_2_0302CF50

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00FA80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00FA80A9

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F7A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00F7A155
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00F7A124 SetUnhandledExceptionFilter,		0_2_00F7A124

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 4E3008

Jump to behavior

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00FA87B1 LogonUserW,

0_2_00FA87B1

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00F53B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F53B3A

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00F548D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00F548D7

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00FB4C7F mouse_event,

0_2_00FB4C7F

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\ZV2G9QQzlR.exe"

Jump to behavior

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00FA7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00FA7CAF

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00FA874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00FA874B

Source: ZV2G9QQzlR.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: ZV2G9QQzlR.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00F7862B cpuid

0_2_00F7862B

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00F84E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00F84E87

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00F91E06 GetUserNameW,

0_2_00F91E06

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00F83F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00F83F3A

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe

Code function: 0_2_00F549A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F549A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.310000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1552395026.0000000000310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1552577849.0000000002760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: ZV2G9QQzlR.exe	Binary or memory string: WIN_81
Source: ZV2G9QQzlR.exe	Binary or memory string: WIN_XP
Source: ZV2G9QQzlR.exe	Binary or memory string: WIN_XPe
Source: ZV2G9QQzlR.exe	Binary or memory string: WIN_VISTA
Source: ZV2G9QQzlR.exe	Binary or memory string: WIN_7
Source: ZV2G9QQzlR.exe	Binary or memory string: WIN_8
Source: ZV2G9QQzlR.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.310000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1552395026.0000000000310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1552577849.0000000002760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FC6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00FC6283
Source: C:\Users\user\Desktop\ZV2G9QQzlR.exe	Code function: 0_2_00FC6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00FC6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	21 Input Capture	2 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	LSASS Memory	25 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	21 Access Token Manipulation	2 Virtualization/Sandbox Evasion	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	212 Process Injection	21 Access Token Manipulation	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	212 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	115 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ZV2G9QQzlR.exe	69%	Virustotal		Browse
ZV2G9QQzlR.exe	76%	ReversingLabs	Win32.Trojan.AutoitInject
ZV2G9QQzlR.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587974
Start date and time:	2025-01-10 20:02:42 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ZV2G9QQzlR.exe renamed because original name is a hash value
Original Sample Name:	8034e571846e99f8e3a7edf472dea0bc0b903201ca63a572dd74a2a637345f7d.exe
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@3/2@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 46 Number of non-executed functions: 277
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
14:04:00	API Interceptor	3x Sleep call for process: svchost.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	xrAlbTvRsz.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	Xf3rn1smZw.exe	Get hash	malicious	RedLine	Browse	13.107.246.45
	ThBJg59JRC.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	293816234142143228.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	Voicemail_+Transcription+_ATT006151.docx	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://www.mentimeter.com/app/presentation/alp52o7zih4ubnvbqe9pvb585a1z3bd7/edit?source=share-modal	Get hash	malicious	Unknown	Browse	13.107.246.45
	MWP0FO5rAF.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	Encrypted_Archive_2025_LHC1W64SMW.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45

Process:	C:\Users\user\Desktop\ZV2G9QQzlR.exe
File Type:	, SYS SQYMD\253\252LQ\212CEAMZLR\016W07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ\212CEACE\366\N\3439\372u\353T\025\200e
Category:	dropped
Size (bytes):	287744
Entropy (8bit):	7.9950599745544615
Encrypted:	true
SSDEEP:	6144:0IdTh3E1PTRnp4bkfdGZm1UT19z81G/JTfb7K6TVWYXnJL:RJmlP4bkM7f81kExYXnJL
MD5:	9BF9EC636360B1519FFF0948D4DC8867
SHA1:	99BBD852EB8C83065962CE014757FAE466278EE9
SHA-256:	AF2C5F0DB1D4D94A54AD727024DC62A870D203A4D00AD5234D2E7CC0C3ACBDB8
SHA-512:	19EF5B648B7D8559AB151A4B3F297B3EE5E9855C17A87E4FDABE3A5DBFBC16A05758AAD19186E69396A10FC62AEE1346C2D9D433CBF4987FE59031CED68CD0EA
Malicious:	false
Reputation:	low
Preview:	...W37TSQYMD..LQ.CEAMZLR.W07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ.CEACE.\N.9.u.T..e.=%".37.(-?n4QY:<!y/!t'9?.+a...r#8TRz^XSiDTULQ2C<@D.q2)..W3.h9.N...#".W..r7W.N...q$3..8Q+x!.LRNW07TS..MD.TMQ...MZLRNW07.SWXFE_UL.6CEAMZLRNW.#TSUIMDT%HQ2C.AMJLRNU07RSUYMDTUJQ2CEAMZL"JW05TSUYMDVU..2CUAMJLRNW 7TCUYMDTU\Q2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTUb%W;1AMZ..JW0'TSU.IDTELQ2CEAMZLRNW07tSU9MDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUY

C:\Users\user\AppData\Local\Temp\aut967A.tmp

Download File

Process:	C:\Users\user\Desktop\ZV2G9QQzlR.exe
File Type:	, SYS SQYMD\253\252LQ\212CEAMZLR\016W07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ\212CEACE\366\N\3439\372u\353T\025\200e
Category:	dropped
Size (bytes):	287744
Entropy (8bit):	7.9950599745544615
Encrypted:	true
SSDEEP:	6144:0IdTh3E1PTRnp4bkfdGZm1UT19z81G/JTfb7K6TVWYXnJL:RJmlP4bkM7f81kExYXnJL
MD5:	9BF9EC636360B1519FFF0948D4DC8867
SHA1:	99BBD852EB8C83065962CE014757FAE466278EE9
SHA-256:	AF2C5F0DB1D4D94A54AD727024DC62A870D203A4D00AD5234D2E7CC0C3ACBDB8
SHA-512:	19EF5B648B7D8559AB151A4B3F297B3EE5E9855C17A87E4FDABE3A5DBFBC16A05758AAD19186E69396A10FC62AEE1346C2D9D433CBF4987FE59031CED68CD0EA
Malicious:	false
Reputation:	low
Preview:	...W37TSQYMD..LQ.CEAMZLR.W07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ.CEACE.\N.9.u.T..e.=%".37.(-?n4QY:<!y/!t'9?.+a...r#8TRz^XSiDTULQ2C<@D.q2)..W3.h9.N...#".W..r7W.N...q$3..8Q+x!.LRNW07TS..MD.TMQ...MZLRNW07.SWXFE_UL.6CEAMZLRNW.#TSUIMDT%HQ2C.AMJLRNU07RSUYMDTUJQ2CEAMZL"JW05TSUYMDVU..2CUAMJLRNW 7TCUYMDTU\Q2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTUb%W;1AMZ..JW0'TSU.IDTELQ2CEAMZLRNW07tSU9MDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUYMDTULQ2CEAMZLRNW07TSUY

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.185350309576046
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ZV2G9QQzlR.exe
File size:	1'203'712 bytes
MD5:	97285a8373f6dc1d7250e24a46972849
SHA1:	615cd2f15c22d33c15f19169dca5a4bbb5beb121
SHA256:	8034e571846e99f8e3a7edf472dea0bc0b903201ca63a572dd74a2a637345f7d
SHA512:	1ee90159693c1346ec37c6172603dea718e85f4b98448ffea593c9386fcf948a3c07fab73afb3d1c46d7386ab3ceeb7310f0aeb782de37b66d49945259f7539a
SSDEEP:	24576:zu6J33O0c+JY5UZ+XC0kGso6FasZggDpyBzGp57zVkkT7qsTWY:du0c++OCvkGs9FasZJDwB6pfkkP8Y
TLSH:	2045CF2273DDC361CB669133BF69B7016EBF7C614630B95B2F881D7DA850162262C7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675F7424 [Mon Dec 16 00:28:20 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F723891324Ah
jmp 00007F7238906014h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F723890619Ah
cmp edi, eax
jc 00007F72389064FEh
bt dword ptr [004C31FCh], 01h
jnc 00007F7238906199h
rep movsb
jmp 00007F72389064ACh
cmp ecx, 00000080h
jc 00007F7238906364h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F72389061A0h
bt dword ptr [004BE324h], 01h
jc 00007F7238906670h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F723890633Dh
test edi, 00000003h
jne 00007F723890634Eh
test esi, 00000003h
jne 00007F723890632Dh
bt edi, 02h
jnc 00007F723890619Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F72389061A3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F72389061F5h
bt esi, 03h
jnc 00007F7238906248h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x5d554	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x125000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x5d554	0x5d600	bbbc869a0bde3267d7a6e04491e54dfe	False	0.9298313043842035	data	7.897749086727052	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x125000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x5481b	data			1.0003351254842707
RT_GROUP_ICON	0x123fd4	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x12404c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x124060	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x124074	0x14	data	English	Great Britain	1.25
RT_VERSION	0x124088	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x124164	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 20:03:37.442125082 CET	1.1.1.1	192.168.2.11	0x5dd2	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 20:03:37.442125082 CET	1.1.1.1	192.168.2.11	0x5dd2	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	14:03:41
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\ZV2G9QQzlR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ZV2G9QQzlR.exe"
Imagebase:	0xf50000
File size:	1'203'712 bytes
MD5 hash:	97285A8373F6DC1D7250E24A46972849
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:03:42
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ZV2G9QQzlR.exe"
Imagebase:	0x710000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1552395026.0000000000310000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1552577849.0000000002760000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	7.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	163

Executed Functions

Function 00F53B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F53B68
IsDebuggerPresent.KERNEL32 ref: 00F53B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,010152F8,010152E0,?,?), ref: 00F53BEB

Part of subcall function 00F57BCC: _memmove.LIBCMT ref: 00F57C06

Part of subcall function 00F6092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00F53C14,010152F8,?,?,?), ref: 00F6096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00F53C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,01007770,00000010), ref: 00F8D281
SetCurrentDirectoryW.KERNEL32(?,010152F8,?,?,?), ref: 00F8D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,01004260,010152F8,?,?,?), ref: 00F8D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 00F8D346

Part of subcall function 00F53A46: GetSysColorBrush.USER32(0000000F), ref: 00F53A50
Part of subcall function 00F53A46: LoadCursorW.USER32(00000000,00007F00), ref: 00F53A5F
Part of subcall function 00F53A46: LoadIconW.USER32(00000063), ref: 00F53A76
Part of subcall function 00F53A46: LoadIconW.USER32(000000A4), ref: 00F53A88
Part of subcall function 00F53A46: LoadIconW.USER32(000000A2), ref: 00F53A9A
Part of subcall function 00F53A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F53AC0
Part of subcall function 00F53A46: RegisterClassExW.USER32(?), ref: 00F53B16

Part of subcall function 00F539D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F53A03
Part of subcall function 00F539D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F53A24
Part of subcall function 00F539D5: ShowWindow.USER32(00000000,?,?), ref: 00F53A38
Part of subcall function 00F539D5: ShowWindow.USER32(00000000,?,?), ref: 00F53A41

Part of subcall function 00F5434A: _memset.LIBCMT ref: 00F54370
Part of subcall function 00F5434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F54415

Strings

runas, xrefs: 00F8D33A
This is a third-party compiled AutoIt script., xrefs: 00F8D279

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 7acbd86c4ebfde83e680772528dd7cb8ac4ba45f3198a9903972c51474b05fcb
Instruction ID: 0b44b80e8cb88c4eb56845cd6666646f792fe64b251be21ad1469d4ea13223ba
Opcode Fuzzy Hash: 7acbd86c4ebfde83e680772528dd7cb8ac4ba45f3198a9903972c51474b05fcb
Instruction Fuzzy Hash: 69511831D04208AADF11FBB8EC06EED7BB5AF86751F004059FD91AA191CA7D5609FB21

Function 00F549A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00F549CD

Part of subcall function 00F57BCC: _memmove.LIBCMT ref: 00F57C06

GetCurrentProcess.KERNEL32(?,00FDFAEC,00000000,00000000,?), ref: 00F54A9A
IsWow64Process.KERNEL32(00000000), ref: 00F54AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00F54AE7
FreeLibrary.KERNEL32(00000000), ref: 00F54AF2
GetSystemInfo.KERNEL32(00000000), ref: 00F54B23
GetSystemInfo.KERNEL32(00000000), ref: 00F54B2F

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: d097cbab0feea27c194070bb40031c06f2b2f52c16003c4e1e801135bc2921b7
Instruction ID: 855e0730d24499c5f9f43616fe3fde62eb3cc587a0eb8045afdccc17b1d79d81
Opcode Fuzzy Hash: d097cbab0feea27c194070bb40031c06f2b2f52c16003c4e1e801135bc2921b7
Instruction Fuzzy Hash: 6C91453188A7C0DEC731DB7884502AAFFF5AF2A315B0809AED5CB83A41D224B54CE719

Function 00F54E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00F54D8E,?,?,00000000,00000000), ref: 00F54E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F54D8E,?,?,00000000,00000000), ref: 00F54EB0
LoadResource.KERNEL32(?,00000000,?,?,00F54D8E,?,?,00000000,00000000,?,?,?,?,?,?,00F54E2F), ref: 00F8D937
SizeofResource.KERNEL32(?,00000000,?,?,00F54D8E,?,?,00000000,00000000,?,?,?,?,?,?,00F54E2F), ref: 00F8D94C
LockResource.KERNEL32(00F54D8E,?,?,00F54D8E,?,?,00000000,00000000,?,?,?,?,?,?,00F54E2F,00000000), ref: 00F8D95F

Strings

SCRIPT, xrefs: 00F54EA6

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 3a27d693c83692e5b2bd91dcbbad62045117806cf0e2f876c35d1a041c93cc80
Instruction ID: c1d7fc59af28bd84287de0257aac6d86a185ccf5e222fbd994767148c65b4a14
Opcode Fuzzy Hash: 3a27d693c83692e5b2bd91dcbbad62045117806cf0e2f876c35d1a041c93cc80
Instruction Fuzzy Hash: C2119E71600304BFD7218B65EC49F677BBAFFC5B12F14426DF90686250DB61E848AA60

Function 00FB445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00F8E398), ref: 00FB446A
FindFirstFileW.KERNELBASE(?,?), ref: 00FB447B
FindClose.KERNEL32(00000000), ref: 00FB448B

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 463af34bd3ffe7952905475ef08dc50146ac586072c6d4fe700217d63db21d10
Instruction ID: 8dc936b50ea4f3870a15262f55c8e37d8e97cc949db186299f128523b6576b4c
Opcode Fuzzy Hash: 463af34bd3ffe7952905475ef08dc50146ac586072c6d4fe700217d63db21d10
Instruction Fuzzy Hash: 81E0D833811504AB4210AB38EC0D8E9775D9E05335F100716FC36C10D0E7746914B995

Function 00F609D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F60A5B
timeGetTime.WINMM ref: 00F60D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F60E53
Sleep.KERNEL32(0000000A), ref: 00F60E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00F60EFA
DestroyWindow.USER32 ref: 00F60F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F60F20
Sleep.KERNEL32(0000000A,?,?), ref: 00F94E83
TranslateMessage.USER32(?), ref: 00F95C60
DispatchMessageW.USER32(?), ref: 00F95C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F95C82

Strings

@GUI_WINHANDLE, xrefs: 00F94F8F
@COM_EVENTOBJ, xrefs: 00F954F0
@TRAY_ID, xrefs: 00F9578F
@GUI_CTRLHANDLE, xrefs: 00F94FE4
@GUI_CTRLID, xrefs: 00F94F3A

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 43d8ea941fd7c0b9d686d445ddde87e8f4b0907063e5b6f8145670a6bd363b82
Instruction ID: 534ec5ed2acc0f765cc6765d8ce6a4297428d75d9b26318fe63ce2f3590a9dc4
Opcode Fuzzy Hash: 43d8ea941fd7c0b9d686d445ddde87e8f4b0907063e5b6f8145670a6bd363b82
Instruction Fuzzy Hash: 54B20470608741DFEB25DF24C884BABB7E1BF85714F14491DF98A87291CB79E848EB42

Function 00FB9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FB8F5F: __time64.LIBCMT ref: 00FB8F69

Part of subcall function 00F54EE5: _fseek.LIBCMT ref: 00F54EFD

__wsplitpath.LIBCMT ref: 00FB9234

Part of subcall function 00F740FB: __wsplitpath_helper.LIBCMT ref: 00F7413B

_wcscpy.LIBCMT ref: 00FB9247
_wcscat.LIBCMT ref: 00FB925A
__wsplitpath.LIBCMT ref: 00FB927F
_wcscat.LIBCMT ref: 00FB9295
_wcscat.LIBCMT ref: 00FB92A8

Part of subcall function 00FB8FA5: _memmove.LIBCMT ref: 00FB8FDE
Part of subcall function 00FB8FA5: _memmove.LIBCMT ref: 00FB8FED

_wcscmp.LIBCMT ref: 00FB91EF

Part of subcall function 00FB9734: _wcscmp.LIBCMT ref: 00FB9824
Part of subcall function 00FB9734: _wcscmp.LIBCMT ref: 00FB9837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00FB9452
_wcsncpy.LIBCMT ref: 00FB94C5
DeleteFileW.KERNEL32(?,?), ref: 00FB94FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FB9511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FB9522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FB9534

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 638970da29d3e8ee39d8f977b3356e1602fcee057b934d88c3b87b7fea1c5f9b
Instruction ID: 52c9a05988e1bc6bd82359661af2c01b5a3742f04ab1b9156f7055a9a5f378c4
Opcode Fuzzy Hash: 638970da29d3e8ee39d8f977b3356e1602fcee057b934d88c3b87b7fea1c5f9b
Instruction Fuzzy Hash: B4C15BB1D04219AADF21DFA5CC85EDEBBBDEF45310F0040AAF609E7141DB749A84AF61

Function 00F53015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F53074
RegisterClassExW.USER32(00000030), ref: 00F5309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F530AF
InitCommonControlsEx.COMCTL32(?), ref: 00F530CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F530DC
LoadIconW.USER32(000000A9), ref: 00F530F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F53101

Strings

+, xrefs: 00F5305D
AutoIt v3 GUI, xrefs: 00F53090
0, xrefs: 00F53056
TaskbarCreated, xrefs: 00F530A4

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 6430a8b82c634b666cb9f4b0625ac100ced0e1ff365243d7109c224ff0142a38
Instruction ID: 6d7fe182301ceff008b5f002e306b96007c19977bf04bdd45d04f7476e699b74
Opcode Fuzzy Hash: 6430a8b82c634b666cb9f4b0625ac100ced0e1ff365243d7109c224ff0142a38
Instruction Fuzzy Hash: A9314971941349AFDB11CFA4DC89ACDBBF1FB0A310F14456EE981EA290D3BA0589DF51

Function 00F53041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F53074
RegisterClassExW.USER32(00000030), ref: 00F5309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F530AF
InitCommonControlsEx.COMCTL32(?), ref: 00F530CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F530DC
LoadIconW.USER32(000000A9), ref: 00F530F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F53101

Strings

+, xrefs: 00F5305D
AutoIt v3 GUI, xrefs: 00F53090
0, xrefs: 00F53056
TaskbarCreated, xrefs: 00F530A4

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 2f1c0fe017e02e063e429188af91b66e53c43ae213667f858b05082439e18136
Instruction ID: 3596bc2d857597ba6936cc33ea3be6dbce89f97366dd63785123d8ac5414c9a7
Opcode Fuzzy Hash: 2f1c0fe017e02e063e429188af91b66e53c43ae213667f858b05082439e18136
Instruction Fuzzy Hash: 1821F7B1D11208AFDB10DFA4EC48BDDBBF5FB09700F04812AF951AA290D7BA45489F91

Function 00F5708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F54706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010152F8,?,00F537AE,?), ref: 00F54724

Part of subcall function 00F7050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00F57165), ref: 00F7052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F571A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F8E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F8E909
RegCloseKey.ADVAPI32(?), ref: 00F8E947
_wcscat.LIBCMT ref: 00F8E9A0

Strings

\, xrefs: 00F8E9C3
Include, xrefs: 00F8E8BF, 00F8E900
Software\AutoIt v3\AutoIt, xrefs: 00F5719E
\Include\, xrefs: 00F57165

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: be7f85b68084c9774e8a23aec333a44f4565065e404774dfe7473b4a5f502731
Instruction ID: e5139547c720775450c7b486539b17c201d8261d190af0c342b8a32d00035cf6
Opcode Fuzzy Hash: be7f85b68084c9774e8a23aec333a44f4565065e404774dfe7473b4a5f502731
Instruction Fuzzy Hash: 67719F715097019EC314EF65EC419AFBBE8FF84350F40452EF985872A0DBBE9948EB52

Function 00F53A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F53A50
LoadCursorW.USER32(00000000,00007F00), ref: 00F53A5F
LoadIconW.USER32(00000063), ref: 00F53A76
LoadIconW.USER32(000000A4), ref: 00F53A88
LoadIconW.USER32(000000A2), ref: 00F53A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F53AC0
RegisterClassExW.USER32(?), ref: 00F53B16

Part of subcall function 00F53041: GetSysColorBrush.USER32(0000000F), ref: 00F53074
Part of subcall function 00F53041: RegisterClassExW.USER32(00000030), ref: 00F5309E
Part of subcall function 00F53041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F530AF
Part of subcall function 00F53041: InitCommonControlsEx.COMCTL32(?), ref: 00F530CC
Part of subcall function 00F53041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F530DC
Part of subcall function 00F53041: LoadIconW.USER32(000000A9), ref: 00F530F2
Part of subcall function 00F53041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F53101

Strings

#, xrefs: 00F53AFB
AutoIt v3, xrefs: 00F53B05
0, xrefs: 00F53AF4

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: aa329875c07c7782b8844f75b86a63da974fafe25178ef8c1505bbb468994840
Instruction ID: 358d360e2e0821689e2ff38e2ee7c93c4ac0fff74c93ac0a08abc1db6fd4e8bf
Opcode Fuzzy Hash: aa329875c07c7782b8844f75b86a63da974fafe25178ef8c1505bbb468994840
Instruction Fuzzy Hash: 05215C72D01308AFEB20DFA4EC09BDD7BB1FB4A711F00012AF640AA295D3BE56449F94

Function 00F53633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00F536D2
KillTimer.USER32(?,00000001), ref: 00F536FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F5371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F5372A
CreatePopupMenu.USER32 ref: 00F5373E
PostQuitMessage.USER32(00000000), ref: 00F5374D

Strings

TaskbarCreated, xrefs: 00F53725

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: b4186efe93e02455929850da99aa6ebeb9f63f588f2a23f4b88c4ca57a7cb6b0
Instruction ID: b95046f6fca4b50db916ab4ad23bc4c216168ce3c0a277b8ad5567a6de4d9ec8
Opcode Fuzzy Hash: b4186efe93e02455929850da99aa6ebeb9f63f588f2a23f4b88c4ca57a7cb6b0
Instruction Fuzzy Hash: F8415AB3A04109BBDB206F3CEC09FB93755EB46352F140129FF429A295CA6D994DB721

Function 00F53766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteScript, xrefs: 00F538BC
CMDLINERAW, xrefs: 00F537FB
CMDLINE, xrefs: 00F53822
/ErrorStdOut, xrefs: 00F5387D
/AutoIt3OutputDebug, xrefs: 00F53892
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00F537AE
/AutoIt3ExecuteLine, xrefs: 00F538A7

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 90e64a61116445e2d6f151a74664ffd5750a62998b36a56fd89368ca74d754aa
Instruction ID: f19e4d805f55e9c0b2568893ba4feeb19dc86935e154916cdbe5ed82e71d59b3
Opcode Fuzzy Hash: 90e64a61116445e2d6f151a74664ffd5750a62998b36a56fd89368ca74d754aa
Instruction Fuzzy Hash: D8A19E72D0021D9ACB04EBA4DC52EEEB779BF15351F44041AFA06B7191DF789A0DEB60

Function 01206390 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01206461
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01206687

Memory Dump Source

Source File: 00000000.00000002.1345424818.0000000001203000.00000040.00000020.00020000.00000000.sdmp, Offset: 01203000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1203000_ZV2G9QQzlR.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction ID: f70e35bef226477c0682055bf71376c4503ac3747553cfc4264172282a9adb93
Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction Fuzzy Hash: CAA1F770E10209EFDB15CFA4D895BAEBBB5FF48304F208259E601BB2C2D7759A91CB54

Function 00F539D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F53A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F53A24
ShowWindow.USER32(00000000,?,?), ref: 00F53A38
ShowWindow.USER32(00000000,?,?), ref: 00F53A41

Strings

AutoIt v3, xrefs: 00F539FB, 00F53A00, 00F53A01
edit, xrefs: 00F53A1E

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ea19158627a784f904b4746016afde264865441e760e2f3f2e590cacb92070c3
Instruction ID: 8f39086d08674da7ebcf48bce39ab98128eebe0cb00fc01b71df109bbc696353
Opcode Fuzzy Hash: ea19158627a784f904b4746016afde264865441e760e2f3f2e590cacb92070c3
Instruction Fuzzy Hash: 4BF030725012947EEA305623AC08EA73E7ED7C7F50B00002AF901A7164C16E0801DB70

Function 01206160 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 144
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01206050: Sleep.KERNELBASE(000001F4), ref: 01206061

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0120627E

Strings

LRNW07TSUYMDTULQ2CEAMZ, xrefs: 012062E1, 012062E4

Memory Dump Source

Source File: 00000000.00000002.1345424818.0000000001203000.00000040.00000020.00020000.00000000.sdmp, Offset: 01203000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1203000_ZV2G9QQzlR.jbxd

Similarity

API ID: CreateFileSleep
String ID: LRNW07TSUYMDTULQ2CEAMZ
API String ID: 2694422964-3731089094
Opcode ID: 71680c4ce16f250b7a50941d0dcdb05bdc690e2763ef4194049b1cc3a20a88af
Instruction ID: 2ce6de7dddc9b37648bcf1d6980ae712377d3a510409bdb8ef0440b15c30e061
Opcode Fuzzy Hash: 71680c4ce16f250b7a50941d0dcdb05bdc690e2763ef4194049b1cc3a20a88af
Instruction Fuzzy Hash: 2551B470D14289DAEF12DBE4C859BEFBBB5AF14304F044199E6087B2C1C7B90B44CBA5

Function 00F5407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F8D3D7

Part of subcall function 00F57BCC: _memmove.LIBCMT ref: 00F57C06

_memset.LIBCMT ref: 00F540FC
_wcscpy.LIBCMT ref: 00F54150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F54160

Strings

Line: , xrefs: 00F8D400

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 04c9ba69b6a69996713669b8589e5cd9547f1632b16c94cd84f9774095ef986f
Instruction ID: 26c03f7376456704962bb66f53b46392d5695f56c759cde2b42d4363d886425f
Opcode Fuzzy Hash: 04c9ba69b6a69996713669b8589e5cd9547f1632b16c94cd84f9774095ef986f
Instruction Fuzzy Hash: 9A31BE72408304ABD331EB60EC46FDB77E8AF85315F20451EFA8596091EB7CA64CE782

Function 00F5686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F54DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,010152F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F54E0F

_free.LIBCMT ref: 00F8E263
_free.LIBCMT ref: 00F8E2AA

Part of subcall function 00F56A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00F56BAD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00F8E039
Bad directive syntax error, xrefs: 00F8E292

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 7a4357d584aa0efbf7311c2c19936bc254dd72f0616597436be6f5159aafc9ee
Instruction ID: 3d76675a4a8501052086abe4cf4c663c6bdd881fb41ac45bfef694f35944dfba
Opcode Fuzzy Hash: 7a4357d584aa0efbf7311c2c19936bc254dd72f0616597436be6f5159aafc9ee
Instruction Fuzzy Hash: 78917D71D04219EFCF04EFA4CC919EDB7B8FF05311B14442AF916AB2A1DB78A949EB50

Function 00F535B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00F535A1,SwapMouseButtons,00000004,?), ref: 00F535D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00F535A1,SwapMouseButtons,00000004,?,?,?,?,00F52754), ref: 00F535F5
RegCloseKey.KERNELBASE(00000000,?,?,00F535A1,SwapMouseButtons,00000004,?,?,?,?,00F52754), ref: 00F53617

Strings

Control Panel\Mouse, xrefs: 00F535D2

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 021d0c17ddf178fc4009540550c6601897e191ff72f58fb9a6121f7bd7d83623
Instruction ID: 8d1a7077d0d2d7656ffc98a441214e54905282dc3ced6a7244c512b960ddd7de
Opcode Fuzzy Hash: 021d0c17ddf178fc4009540550c6601897e191ff72f58fb9a6121f7bd7d83623
Instruction Fuzzy Hash: 2D115A71911208BFDB208F68DC44EAEBBB9EF04791F00846AF905D7210D2719F58A760

Function 01205050 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0120580B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 012058A1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 012058C3

Memory Dump Source

Source File: 00000000.00000002.1345424818.0000000001203000.00000040.00000020.00020000.00000000.sdmp, Offset: 01203000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1203000_ZV2G9QQzlR.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction ID: f88bcfbfe6850911d8e4f6d10fd0bfbeca5a06d31a650ff816f03e7c33aff8f1
Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction Fuzzy Hash: 91621C30A246589BEB24CFA4C841BDEB772EF58300F1091A9D20DEB2D5E7759E81CF59

Function 00FB955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00F54EE5: _fseek.LIBCMT ref: 00F54EFD

Part of subcall function 00FB9734: _wcscmp.LIBCMT ref: 00FB9824
Part of subcall function 00FB9734: _wcscmp.LIBCMT ref: 00FB9837

_free.LIBCMT ref: 00FB96A2
_free.LIBCMT ref: 00FB96A9
_free.LIBCMT ref: 00FB9714

Part of subcall function 00F72D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00F79A24), ref: 00F72D69
Part of subcall function 00F72D55: GetLastError.KERNEL32(00000000,?,00F79A24), ref: 00F72D7B

_free.LIBCMT ref: 00FB971C

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: d7305a993f5c4801b60f8ab7ddc52d9654a9ebf5fc170b6f7fc0969a89e5622c
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: CE517BB1D04218ABDF249F65CC85AEEBBB9EF48300F10409EF60DA3241DB755A81DF59

Function 00F7470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F747A0
__flush.LIBCMT ref: 00F747C0
__write.LIBCMT ref: 00F747F3
__flsbuf.LIBCMT ref: 00F74821

Part of subcall function 00F78B28: __getptd_noexit.LIBCMT ref: 00F78B28

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 4073a32892797cea358444c272ced6da8262cb6a57054147630ad1fb5cc4153f
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: AF41B675E007499BDB1C8E69C8809AE77A5AF46360B24C13FE81DC7640D774ED41AB43

Function 00F57285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F8EA39
GetOpenFileNameW.COMDLG32(?), ref: 00F8EA83

Part of subcall function 00F54750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F54743,?,?,00F537AE,?), ref: 00F54770

Part of subcall function 00F70791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F707B0

Strings

X, xrefs: 00F8EA51

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 74727920963f3e3ad96b7427bea8929a087271c2cac15490db6ecf0de2d20ed1
Instruction ID: 59531ad8869c3c3fbd4f977db1120f9530d00bda56241ea37e7fa4f9ad79667a
Opcode Fuzzy Hash: 74727920963f3e3ad96b7427bea8929a087271c2cac15490db6ecf0de2d20ed1
Instruction Fuzzy Hash: 7E21F631E002489BDB05AF94DC45BDE7BFCAF49711F00805AE948E7281DBB8598D9FA1

Function 00FB98E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00FB98F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00FB990F

Strings

aut, xrefs: 00FB9909

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d2b51abeed56b8f8ddf817513ee8d4953a519b9379e16acefb1eccc53fc39605
Instruction ID: 61c7d0ec5f15f088fbbe781494702a7bd3880271b59be767951bdf3de072498f
Opcode Fuzzy Hash: d2b51abeed56b8f8ddf817513ee8d4953a519b9379e16acefb1eccc53fc39605
Instruction Fuzzy Hash: DBD05E7994130DABDB509BA0EC0EF9A773CE704701F0042B2BA95951A1EAB096989B95

Function 00FCCADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a516a2992d18ee43cec57288055849cc4bf67bebb101b447bf332c7f0169f53
Instruction ID: 90e0733686c92f042846067da4035d4c5785b0974e92df7c95f2690ce828ad34
Opcode Fuzzy Hash: 0a516a2992d18ee43cec57288055849cc4bf67bebb101b447bf332c7f0169f53
Instruction Fuzzy Hash: 63F16A71A083019FC714DF28C981A6ABBE5FF88314F14892EF8999B351D734E905DF82

Function 00F5F76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F70162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F70193
Part of subcall function 00F70162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F7019B
Part of subcall function 00F70162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F701A6
Part of subcall function 00F70162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F701B1
Part of subcall function 00F70162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F701B9
Part of subcall function 00F70162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F701C1

Part of subcall function 00F660F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00F5F930), ref: 00F66154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F5F9CD
OleInitialize.OLE32(00000000), ref: 00F5FA4A
CloseHandle.KERNEL32(00000000), ref: 00F945C8

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 8f5806ee27feec338d02f068ddb874b7ebe53aa35fba58254dc2ed2e49974317
Instruction ID: 6d670672ccf92797686a3b70655b08252f67a75ed345004e44161d03d495e544
Opcode Fuzzy Hash: 8f5806ee27feec338d02f068ddb874b7ebe53aa35fba58254dc2ed2e49974317
Instruction Fuzzy Hash: B281CDB0A81240CF83A4DF79FC456597BE5FBDA30AB50812AA089CF25AEB7E40049F15

Function 00F5434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F54370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F54415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F54432

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 9124cf5f8db41d278265c67473df4e14db8663368baa88562a0b5bf37f95095c
Instruction ID: 1421b60e337cd19d14684b6fb86517adb22c20ea9176a853b7323db861b4c8a2
Opcode Fuzzy Hash: 9124cf5f8db41d278265c67473df4e14db8663368baa88562a0b5bf37f95095c
Instruction Fuzzy Hash: C331B4719053018FC720DF34D88469BBBF8FB49319F00092EFACA87241D779A988DB52

Function 00F7571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00F75733

Part of subcall function 00F7A16B: __NMSG_WRITE.LIBCMT ref: 00F7A192
Part of subcall function 00F7A16B: __NMSG_WRITE.LIBCMT ref: 00F7A19C

__NMSG_WRITE.LIBCMT ref: 00F7573A

Part of subcall function 00F7A1C8: GetModuleFileNameW.KERNEL32(00000000,010133BA,00000104,?,00000001,00000000), ref: 00F7A25A
Part of subcall function 00F7A1C8: ___crtMessageBoxW.LIBCMT ref: 00F7A308

Part of subcall function 00F7309F: ___crtCorExitProcess.LIBCMT ref: 00F730A5
Part of subcall function 00F7309F: ExitProcess.KERNEL32 ref: 00F730AE

Part of subcall function 00F78B28: __getptd_noexit.LIBCMT ref: 00F78B28

RtlAllocateHeap.NTDLL(01160000,00000000,00000001,00000000,?,?,?,00F70DD3,?), ref: 00F7575F

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 5593b51ca4fd5e3780ac78f917311b960a3e7640af02dc12b9ddd015d1e8e8a5
Instruction ID: 27e3de5f98ed97cfe3274191988d56d0532295f1f52083189959c589d845d0b7
Opcode Fuzzy Hash: 5593b51ca4fd5e3780ac78f917311b960a3e7640af02dc12b9ddd015d1e8e8a5
Instruction Fuzzy Hash: 5B01D631640A0ADAE6282678AC42B6D77489B81B71F108027F40DEA181DEF89C027763

Function 00FB98A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00FB9548,?,?,?,?,?,00000004), ref: 00FB98BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00FB9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00FB98D1
CloseHandle.KERNEL32(00000000,?,00FB9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00FB98D8

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 3c3d8de335910551d0dcbfcc790fcf297928805d78688efdbcb8735843655715
Instruction ID: 36036a31d33bd88dfdc72c19ef5e07725a5ea19d7c4c2be0712335f0784f387c
Opcode Fuzzy Hash: 3c3d8de335910551d0dcbfcc790fcf297928805d78688efdbcb8735843655715
Instruction Fuzzy Hash: D4E08632241228B7D7211B64EC09FCA7F1AAF06770F104221FB15690E087B15615A798

Function 00FB8D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FB8D1B

Part of subcall function 00F72D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00F79A24), ref: 00F72D69
Part of subcall function 00F72D55: GetLastError.KERNEL32(00000000,?,00F79A24), ref: 00F72D7B

_free.LIBCMT ref: 00FB8D2C
_free.LIBCMT ref: 00FB8D3E

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 95e459651bb983a6e1e99d8bd4cb66ddaf9579521b1923cc43b37daa875b1928
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: A3E012A1A0160146CB74A57AAD40AD363DC4F9C3A2714491FB80DD7186CE68F843E524

Function 00F5A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00F8FC01

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 59b7861f596b93717ae58049803cfa61b1e376dae7cbf87449f839a2be719724
Instruction ID: 5e9ab927e83843f9f5b6dd0ce543ed6d79dfdd505d7d9a09726188db4c092745
Opcode Fuzzy Hash: 59b7861f596b93717ae58049803cfa61b1e376dae7cbf87449f839a2be719724
Instruction Fuzzy Hash: 9A228C71908301DFCB24DF14C854B6ABBE1BF85311F14895DE98A8B361DB35EC59EB82

Function 00F54C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F54CBA

Strings

EA06, xrefs: 00F8D8CC

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 410c4e28639858795908414a39cb890e4677be1996bf02d7ef1a44d3ad431054
Instruction ID: eab94ec7f98d2018395e9effd343be98528b348d73b2a1facaf23091aeb9dd6b
Opcode Fuzzy Hash: 410c4e28639858795908414a39cb890e4677be1996bf02d7ef1a44d3ad431054
Instruction Fuzzy Hash: 3E417D22E0415857CF219B548C567BE7FB19F4531AF284075EF82DB282D6287DCDB3A1

Function 00F57A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F57AAB
_memmove.LIBCMT ref: 00F57B16

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 40fbce4a1fea4cfe3bf1a015a5a2827c9472d34ae18aa590b79f6fb0e3b65f37
Instruction ID: fb0a233aa39479a9bc680d5287ec3e276cc2adf90e05ef11c06a66e827dcb32a
Opcode Fuzzy Hash: 40fbce4a1fea4cfe3bf1a015a5a2827c9472d34ae18aa590b79f6fb0e3b65f37
Instruction Fuzzy Hash: 6B31C7B2604606AFC704EF68D8D1E69B3A9FF483207148629F919CB291EB34E914DB90

Function 00F547D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00F54834

Part of subcall function 00F7336C: __lock.LIBCMT ref: 00F73372
Part of subcall function 00F7336C: DecodePointer.KERNEL32(00000001,?,00F54849,00FA7C74), ref: 00F7337E
Part of subcall function 00F7336C: EncodePointer.KERNEL32(?,?,00F54849,00FA7C74), ref: 00F73389

Part of subcall function 00F548FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00F54915
Part of subcall function 00F548FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F5492A

Part of subcall function 00F53B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F53B68
Part of subcall function 00F53B3A: IsDebuggerPresent.KERNEL32 ref: 00F53B7A
Part of subcall function 00F53B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,010152F8,010152E0,?,?), ref: 00F53BEB
Part of subcall function 00F53B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00F53C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F54874

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: d44785ee26c18b8cbab86ffe80c8e0e2ccd688c51cce34af11cea8be8a8ce0a5
Instruction ID: db53fb4d422a4bd09cad887e1831df60fcafc72ec71d1621270b66c2bbaf8c79
Opcode Fuzzy Hash: d44785ee26c18b8cbab86ffe80c8e0e2ccd688c51cce34af11cea8be8a8ce0a5
Instruction Fuzzy Hash: 1911D2729083019FC710DF68EC0594ABFE8EF9A751F00451FF584872A1DBB99548DB82

Function 00F70DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F7571C: __FF_MSGBANNER.LIBCMT ref: 00F75733
Part of subcall function 00F7571C: __NMSG_WRITE.LIBCMT ref: 00F7573A
Part of subcall function 00F7571C: RtlAllocateHeap.NTDLL(01160000,00000000,00000001,00000000,?,?,?,00F70DD3,?), ref: 00F7575F

std::exception::exception.LIBCMT ref: 00F70DEC
__CxxThrowException@8.LIBCMT ref: 00F70E01

Part of subcall function 00F7859B: RaiseException.KERNEL32(?,?,?,01009E78,00000000,?,?,?,?,00F70E06,?,01009E78,?,00000001), ref: 00F785F0

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 05b61e865deb9b2d93cfbdf6c60834d3e075d7ac1936adf1957c8995cefa022f
Instruction ID: aecccecd6c18fd0e649eb7da74a14f621dfbfbbc2b00067f5d8da72d4b339327
Opcode Fuzzy Hash: 05b61e865deb9b2d93cfbdf6c60834d3e075d7ac1936adf1957c8995cefa022f
Instruction Fuzzy Hash: F7F0A93194031EA6DB20AA95EC059DF77AC9F01361F108427F90C96152EFF49A51B1D3

Function 00F753A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F78B28: __getptd_noexit.LIBCMT ref: 00F78B28

__lock_file.LIBCMT ref: 00F753EB

Part of subcall function 00F76C11: __lock.LIBCMT ref: 00F76C34

__fclose_nolock.LIBCMT ref: 00F753F6

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 792b87cbe13b28840d33a6c719e230515e2ae53a67f3d934c6bb366abd00f64d
Instruction ID: 54cd20269e8e02b76d056c88e5fa1b63cea838ce9f3accad4c7245d5acea68a0
Opcode Fuzzy Hash: 792b87cbe13b28840d33a6c719e230515e2ae53a67f3d934c6bb366abd00f64d
Instruction Fuzzy Hash: DEF0F631800B049ADB51AFA59C057AD76A16F41BB0F20C21BA42CAB1D1CFFC8902BB53

Function 0120504D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0120580B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 012058A1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 012058C3

Memory Dump Source

Source File: 00000000.00000002.1345424818.0000000001203000.00000040.00000020.00020000.00000000.sdmp, Offset: 01203000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1203000_ZV2G9QQzlR.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: 6a0a3db790f16cdc16b58abaea3e24110894aef147ea7a2c5144f541dd940930
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: 6912EE24E24658C6EB24DF64D8507DEB232EF68300F1091E9910DEB7A5E77A4F81CF5A

Function 00F70C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00F70CB7

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: ed7edb988424bb5017c2065cc0f4234cfecc8575f8f6c8d0388ebcb6ae61d59b
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: DE31A271A00105DBC71ADF58C484A69FBA6FF59310B64C6A6E80ACB355DA31EDC1EB82

Function 00F8FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00F8FCB7

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 4e80b7dcd2cc5f1e90d4132ae107a7e8097649e483a52a1be3d392eb8d3eaa91
Instruction ID: 48300d7a1009467e326fd83dc69131aba62cad25cb899abb215361cd9d233939
Opcode Fuzzy Hash: 4e80b7dcd2cc5f1e90d4132ae107a7e8097649e483a52a1be3d392eb8d3eaa91
Instruction Fuzzy Hash: F3412974904341CFDB14DF14C448B1ABBE1BF45315F0989ACE99A8B362C736E849DF52

Function 00F57B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F57BB3

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: e0697126b38e6f47aa4c2d4404504c4c4fddea326ad89a1e6dc5aa7ba61ffbe8
Instruction ID: e5904cf4b635213a0da6b7b4b37d0d4349ce5a2fb71dc3c72ba1ef52a01bc998
Opcode Fuzzy Hash: e0697126b38e6f47aa4c2d4404504c4c4fddea326ad89a1e6dc5aa7ba61ffbe8
Instruction Fuzzy Hash: DA212172A04709FBDB206F21F8417AA7BB8FF54351F21842AE98AC5194EB319590E701

Function 00F54DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F54BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00F54BEF

Part of subcall function 00F7525B: __wfsopen.LIBCMT ref: 00F75266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,010152F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F54E0F

Part of subcall function 00F54B6A: FreeLibrary.KERNEL32(00000000), ref: 00F54BA4

Part of subcall function 00F54C70: _memmove.LIBCMT ref: 00F54CBA

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: c327bc37e676c2d8b354dfacbee2ca5606880a9bf940c1e2decd8c445e9dc55d
Instruction ID: d9f88e2bd563762a0f80b165f889f934c14b53875b9974d8434a3ab23d5e1e94
Opcode Fuzzy Hash: c327bc37e676c2d8b354dfacbee2ca5606880a9bf940c1e2decd8c445e9dc55d
Instruction Fuzzy Hash: 1611E732600206BBCF14FF74CC17FAD77A5AF84715F108429FA42A7181DB79AA48BB51

Function 00F8FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00F8FD91

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: c717ce5f4e34fda861725b11c0d29591af800dca5fa0e2ed9c63480454d1eb43
Instruction ID: 9ecfe88b0f1edba85ec811c3947703f977f5b71be81d17c06c213b05cad42df3
Opcode Fuzzy Hash: c717ce5f4e34fda861725b11c0d29591af800dca5fa0e2ed9c63480454d1eb43
Instruction Fuzzy Hash: 1C212270908301DFCB14DF24C844B1ABBE1BF88315F058968E98A57722D731E819EB92

Function 00F74863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00F748A6

Part of subcall function 00F78B28: __getptd_noexit.LIBCMT ref: 00F78B28

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: e4b15e5d1d949cc36fcb10c4ad09e68960151c2e9a27539013fd6df313518321
Instruction ID: 045101402a0667c6a4228946d22c8fb3f25077efd6cf0388569c38c99b7eaaa3
Opcode Fuzzy Hash: e4b15e5d1d949cc36fcb10c4ad09e68960151c2e9a27539013fd6df313518321
Instruction Fuzzy Hash: E4F0AF31941609ABDF12AFA48C0A7AE36A0AF00366F15C51AF42CDA191CB7C9952FB53

Function 00F54E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,010152F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F54E7E

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: ed2bd8d419ac3de1e7e8334e63db2fae3f5ef053fc83a704cbb1532639f6781f
Instruction ID: f1602e677b3a77b74dd3eb10a56e09c0bcd2a9ba293a750a2eda4c52ccc7c0a5
Opcode Fuzzy Hash: ed2bd8d419ac3de1e7e8334e63db2fae3f5ef053fc83a704cbb1532639f6781f
Instruction Fuzzy Hash: 1DF03071501751CFCB349F64E495816B7E1BF1433E320893EE6D782620C771A888EF40

Function 00F70791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F707B0

Part of subcall function 00F57BCC: _memmove.LIBCMT ref: 00F57C06

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 5b7181f1faafae0189510326befc07633603fee731776aae89f7d05f82d83dac
Instruction ID: 9a2aa9b10b87b40881fab748107254adea41a176eef581a90b1e3fd313900665
Opcode Fuzzy Hash: 5b7181f1faafae0189510326befc07633603fee731776aae89f7d05f82d83dac
Instruction Fuzzy Hash: 62E0CD3690522857C720E6689C05FEA77DDDFC87A1F0441F6FD0CD7248D9649C9496D0

Function 00F7525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00F75266

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: dc17ff63bac3aed415199946a69c6943cb9892668f29686fc0b3f48e0f837833
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: CCB0927644020C77CE012A82EC02A493B199B46B64F408021FB0C18162A6B7A664AA8A

Function 01206050 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01206061

Memory Dump Source

Source File: 00000000.00000002.1345424818.0000000001203000.00000040.00000020.00020000.00000000.sdmp, Offset: 01203000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1203000_ZV2G9QQzlR.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: adb569a4b27f3653b9fb334b95b349eddeafb65c9d67998eaeb8a82dca604753
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 77E0E67498010DDFDB00EFB4D54969E7FB4FF04301F100261FD01D2281D6319D608A62

Non-executed Functions

Function 00FDCABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00F52612: GetWindowLongW.USER32(?,000000EB), ref: 00F52623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00FDCB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FDCB95
GetWindowLongW.USER32(?,000000F0), ref: 00FDCBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FDCC00
SendMessageW.USER32 ref: 00FDCC29
_wcsncpy.LIBCMT ref: 00FDCC95
GetKeyState.USER32(00000011), ref: 00FDCCB6
GetKeyState.USER32(00000009), ref: 00FDCCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FDCCD9
GetKeyState.USER32(00000010), ref: 00FDCCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FDCD0C
SendMessageW.USER32 ref: 00FDCD33
SendMessageW.USER32(?,00001030,?,00FDB348), ref: 00FDCE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00FDCE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00FDCE60
SetCapture.USER32(?), ref: 00FDCE69
ClientToScreen.USER32(?,?), ref: 00FDCECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00FDCEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FDCEF5
ReleaseCapture.USER32 ref: 00FDCF00
GetCursorPos.USER32(?), ref: 00FDCF3A
ScreenToClient.USER32(?,?), ref: 00FDCF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FDCFA3
SendMessageW.USER32 ref: 00FDCFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FDD00E
SendMessageW.USER32 ref: 00FDD03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00FDD05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00FDD06D
GetCursorPos.USER32(?), ref: 00FDD08D
ScreenToClient.USER32(?,?), ref: 00FDD09A
GetParent.USER32(?), ref: 00FDD0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FDD123
SendMessageW.USER32 ref: 00FDD154
ClientToScreen.USER32(?,?), ref: 00FDD1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00FDD1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FDD20C
SendMessageW.USER32 ref: 00FDD22F
ClientToScreen.USER32(?,?), ref: 00FDD281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00FDD2B5

Part of subcall function 00F525DB: GetWindowLongW.USER32(?,000000EB), ref: 00F525EC

GetWindowLongW.USER32(?,000000F0), ref: 00FDD351

Strings

@GUI_DRAGID, xrefs: 00FDCE9C
F, xrefs: 00FDD235

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 9e4273286fe33ba1ce3c2757d3281a0448de09860502c525af08c948f59494c1
Instruction ID: e703447f43c703c73bb2e49110bd17aebba0110f51d0d572b60af0bc40e4cc43
Opcode Fuzzy Hash: 9e4273286fe33ba1ce3c2757d3281a0448de09860502c525af08c948f59494c1
Instruction Fuzzy Hash: 86429F74605241AFD725CF24C845FAABBE6FF89320F18061BF6969B3A1C731D844EB91

Function 00FD7DDB Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00FD84D0

Strings

%d/%02d/%02d, xrefs: 00FD8209

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: bf11c60a5482daa553e5d742ccd7a9f8aa8b045f05931cb6fbd070e5864100df
Instruction ID: 9277581ff1beb2ffa1eb74ce884486353d3a8103ce5761ab90110de78b20ea00
Opcode Fuzzy Hash: bf11c60a5482daa553e5d742ccd7a9f8aa8b045f05931cb6fbd070e5864100df
Instruction Fuzzy Hash: E512F671901309ABEB249F24CC49FAF7BA6EF46350F18412AF906DB2D1DF748946EB50

Function 00F66F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F671C3
_memset.LIBCMT ref: 00F67539
_memmove.LIBCMT ref: 00F676AC

Strings

Q\E, xrefs: 00F67FCB
DEFINE, xrefs: 00FA2103
[:<:]], xrefs: 00F67479
\b(?=\w), xrefs: 00FA3769
\b(?<=\w), xrefs: 00FA3773
[:>:]], xrefs: 00F67492

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: ffbf4b89143c2c324ea049d1b72a5189c3349151c6e168fc4022e38d69f594ef
Instruction ID: a3a2b7a026527ffebf4ad32bc059cfbfae766c39bad3c03c0ebcbe79f01b0e59
Opcode Fuzzy Hash: ffbf4b89143c2c324ea049d1b72a5189c3349151c6e168fc4022e38d69f594ef
Instruction Fuzzy Hash: BB93C3B1E04215DFDB24CF98C881BADB7B1FF49324F25816AE945AB381E7749D81EB40

Function 00F548D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00F548DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F8D665
IsIconic.USER32(?), ref: 00F8D66E
ShowWindow.USER32(?,00000009), ref: 00F8D67B
SetForegroundWindow.USER32(?), ref: 00F8D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F8D69B
GetCurrentThreadId.KERNEL32 ref: 00F8D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F8D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F8D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F8D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 00F8D6CF
SetForegroundWindow.USER32(?), ref: 00F8D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F8D6E7
keybd_event.USER32(00000012,00000000), ref: 00F8D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F8D6FC
keybd_event.USER32(00000012,00000000), ref: 00F8D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F8D70A
keybd_event.USER32(00000012,00000000), ref: 00F8D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F8D719
keybd_event.USER32(00000012,00000000), ref: 00F8D71E
SetForegroundWindow.USER32(?), ref: 00F8D721
AttachThreadInput.USER32(?,?,00000000), ref: 00F8D748

Strings

Shell_TrayWnd, xrefs: 00F8D660

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 42afb4c9ce8591dbaa140a7662f128e177dd971776c7fd4570bfefd0f65cc44c
Instruction ID: feeba46267f129233512cee462c377cfde1118bec241851c0830b96a251ad0e4
Opcode Fuzzy Hash: 42afb4c9ce8591dbaa140a7662f128e177dd971776c7fd4570bfefd0f65cc44c
Instruction Fuzzy Hash: DA316071A4131CBAEB206B719C89FBF7F6DEF44B60F144066FA05EA1D1D6B05900BBA0

Function 00FA8310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00FA87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FA882B
Part of subcall function 00FA87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FA8858
Part of subcall function 00FA87E1: GetLastError.KERNEL32 ref: 00FA8865

_memset.LIBCMT ref: 00FA8353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00FA83A5
CloseHandle.KERNEL32(?), ref: 00FA83B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00FA83CD
GetProcessWindowStation.USER32 ref: 00FA83E6
SetProcessWindowStation.USER32(00000000), ref: 00FA83F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00FA840A

Part of subcall function 00FA81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FA8309), ref: 00FA81E0
Part of subcall function 00FA81CB: CloseHandle.KERNEL32(?,?,00FA8309), ref: 00FA81F2

Strings

winsta0, xrefs: 00FA83C8
, xrefs: 00FA8362
default, xrefs: 00FA8405

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: e5a2093b39497f581ad9090e74592de8a2002de0a6959bb925f92e9c5c66f268
Instruction ID: 3833037517e49a149a13cb15a5689553dffb80b3d2d7db74728b6d182d3bfa59
Opcode Fuzzy Hash: e5a2093b39497f581ad9090e74592de8a2002de0a6959bb925f92e9c5c66f268
Instruction Fuzzy Hash: 34818CB1C01209AFDF119FA4CC45EEE7BB9EF05364F18406AFC11A2261DB758E06EB20

Function 00FBC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FBC78D
FindClose.KERNEL32(00000000), ref: 00FBC7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FBC806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FBC81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 00FBC844
__swprintf.LIBCMT ref: 00FBC890
__swprintf.LIBCMT ref: 00FBC8D3

Part of subcall function 00F57DE1: _memmove.LIBCMT ref: 00F57E22

__swprintf.LIBCMT ref: 00FBC927

Part of subcall function 00F73698: __woutput_l.LIBCMT ref: 00F736F1

__swprintf.LIBCMT ref: 00FBC975

Part of subcall function 00F73698: __flsbuf.LIBCMT ref: 00F73713
Part of subcall function 00F73698: __flsbuf.LIBCMT ref: 00F7372B

__swprintf.LIBCMT ref: 00FBC9C4
__swprintf.LIBCMT ref: 00FBCA13
__swprintf.LIBCMT ref: 00FBCA62

Strings

%02d, xrefs: 00FBC91B, 00FBC925, 00FBC973, 00FBC9C2, 00FBCA11, 00FBCA60
%4d%02d%02d%02d%02d%02d, xrefs: 00FBC88A
%4d, xrefs: 00FBC8CD

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: a72497f66b59f69a1c54911e49cd7b0429149649445093642ee48b5a262c526e
Instruction ID: fece7b96efeaec30baab89e5a0be62ce06e85787e7a06c8a966d9659ad59d57e
Opcode Fuzzy Hash: a72497f66b59f69a1c54911e49cd7b0429149649445093642ee48b5a262c526e
Instruction Fuzzy Hash: 14A110B2408344ABD704EFA4CC85DAFB7ECBF94705F40491EFA9586151EB78DA08DB62

Function 00FBEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 00FBEFB6
_wcscmp.LIBCMT ref: 00FBEFCB
_wcscmp.LIBCMT ref: 00FBEFE2
GetFileAttributesW.KERNEL32(?), ref: 00FBEFF4
SetFileAttributesW.KERNEL32(?,?), ref: 00FBF00E
FindNextFileW.KERNEL32(00000000,?), ref: 00FBF026
FindClose.KERNEL32(00000000), ref: 00FBF031
FindFirstFileW.KERNEL32(*.*,?), ref: 00FBF04D
_wcscmp.LIBCMT ref: 00FBF074
_wcscmp.LIBCMT ref: 00FBF08B
SetCurrentDirectoryW.KERNEL32(?), ref: 00FBF09D
SetCurrentDirectoryW.KERNEL32(01008920), ref: 00FBF0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FBF0C5
FindClose.KERNEL32(00000000), ref: 00FBF0D2
FindClose.KERNEL32(00000000), ref: 00FBF0E4

Strings

*.*, xrefs: 00FBF048

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 953ed17d005cbca3c8cc4ad91556244c18da28fb358f49d9d8c71c6b816295c6
Instruction ID: 559616212d3793941c4ed5a57225ee3907007daa08c9ae4189b291a481e05835
Opcode Fuzzy Hash: 953ed17d005cbca3c8cc4ad91556244c18da28fb358f49d9d8c71c6b816295c6
Instruction Fuzzy Hash: 1431033690120D7ADB10ABB5DC48EEE77ADAF483A0F044177E845D20A1DB30DA48FE61

Function 00FD0857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FD0953
RegCreateKeyExW.ADVAPI32(?,?,00000000,00FDF910,00000000,?,00000000,?,?), ref: 00FD09C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00FD0A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00FD0A92
RegCloseKey.ADVAPI32(?), ref: 00FD0DB2
RegCloseKey.ADVAPI32(00000000), ref: 00FD0DBF

Strings

REG_MULTI_SZ, xrefs: 00FD0B7A
REG_QWORD, xrefs: 00FD0D00
REG_DWORD, xrefs: 00FD0C83
REG_SZ, xrefs: 00FD0AD0
REG_BINARY, xrefs: 00FD0D4D
REG_EXPAND_SZ, xrefs: 00FD0A2F

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 3919f0ef67266cad0b386c4257adba52d5e8053fbbfc4750f50cb7592b2067eb
Instruction ID: 2724fbe36921f05a78ec298135d56646a36587ad1c1e415f54ebadbe822f7473
Opcode Fuzzy Hash: 3919f0ef67266cad0b386c4257adba52d5e8053fbbfc4750f50cb7592b2067eb
Instruction Fuzzy Hash: ED027C756046019FCB14EF24C841E2AB7E6FF89325F08845EF98A9B362CB74ED05DB81

Function 00FBF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 00FBF113
_wcscmp.LIBCMT ref: 00FBF128
_wcscmp.LIBCMT ref: 00FBF13F

Part of subcall function 00FB4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00FB43A0

FindNextFileW.KERNEL32(00000000,?), ref: 00FBF16E
FindClose.KERNEL32(00000000), ref: 00FBF179
FindFirstFileW.KERNEL32(*.*,?), ref: 00FBF195
_wcscmp.LIBCMT ref: 00FBF1BC
_wcscmp.LIBCMT ref: 00FBF1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 00FBF1E5
SetCurrentDirectoryW.KERNEL32(01008920), ref: 00FBF203
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FBF20D
FindClose.KERNEL32(00000000), ref: 00FBF21A
FindClose.KERNEL32(00000000), ref: 00FBF22C

Strings

*.*, xrefs: 00FBF190

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 74af3cf8ff9ad85a4893f60a95588d4165f90bb4ef1e09b79d23489bc31e4054
Instruction ID: 8e357986f04858444b9dfd7a46ec90f6d60964ac6f7ab2b94eb29ceb8f441a92
Opcode Fuzzy Hash: 74af3cf8ff9ad85a4893f60a95588d4165f90bb4ef1e09b79d23489bc31e4054
Instruction Fuzzy Hash: 1831123690120E7ADB20ABB5EC48EEE73AC9F45330F184176E845E20A0DB30DE48FE54

Function 00FBA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FBA20F
__swprintf.LIBCMT ref: 00FBA231
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FBA26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00FBA293
_memset.LIBCMT ref: 00FBA2B2
_wcsncpy.LIBCMT ref: 00FBA2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00FBA323
CloseHandle.KERNEL32(00000000), ref: 00FBA32E
RemoveDirectoryW.KERNEL32(?), ref: 00FBA337
CloseHandle.KERNEL32(00000000), ref: 00FBA341

Strings

:, xrefs: 00FBA252
\, xrefs: 00FBA247
\??\%s, xrefs: 00FBA22B

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: fa3e119330e393c22c469e690e820c4654a30c1301c36a10779fbe40e5a901bd
Instruction ID: 1f1f942baeabb3a5f9af0b6b67398ebfac07ecf1c45f1fb5e7ea9eefbba6c233
Opcode Fuzzy Hash: fa3e119330e393c22c469e690e820c4654a30c1301c36a10779fbe40e5a901bd
Instruction Fuzzy Hash: F631EFB2900109ABDB21DFA1DC49FEB37BDEF88710F1440B6F509D2160EB749744AB25

Function 00FA7CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FA821E
Part of subcall function 00FA8202: GetLastError.KERNEL32(?,00FA7CE2,?,?,?), ref: 00FA8228
Part of subcall function 00FA8202: GetProcessHeap.KERNEL32(00000008,?,?,00FA7CE2,?,?,?), ref: 00FA8237
Part of subcall function 00FA8202: HeapAlloc.KERNEL32(00000000,?,00FA7CE2,?,?,?), ref: 00FA823E
Part of subcall function 00FA8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FA8255

Part of subcall function 00FA829F: GetProcessHeap.KERNEL32(00000008,00FA7CF8,00000000,00000000,?,00FA7CF8,?), ref: 00FA82AB
Part of subcall function 00FA829F: HeapAlloc.KERNEL32(00000000,?,00FA7CF8,?), ref: 00FA82B2
Part of subcall function 00FA829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00FA7CF8,?), ref: 00FA82C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FA7D13
_memset.LIBCMT ref: 00FA7D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FA7D47
GetLengthSid.ADVAPI32(?), ref: 00FA7D58
GetAce.ADVAPI32(?,00000000,?), ref: 00FA7D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FA7DB1
GetLengthSid.ADVAPI32(?), ref: 00FA7DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00FA7DDD
HeapAlloc.KERNEL32(00000000), ref: 00FA7DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FA7E05
CopySid.ADVAPI32(00000000), ref: 00FA7E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FA7E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FA7E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FA7E77

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 3bf0d7ec3bec332e6ec62901c3c98bb85a0185397811833c3b7205b0d97d7854
Instruction ID: 423a437060b541d489b2b866e4d89c60aadd5f93b8a69f6bda8c85bdb88a333b
Opcode Fuzzy Hash: 3bf0d7ec3bec332e6ec62901c3c98bb85a0185397811833c3b7205b0d97d7854
Instruction Fuzzy Hash: 73613EB1904209AFDF00DFA4DC85EEEBB7AFF05310F04816AE915A7291DB759E05EB60

Function 00F666E1 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

UTF), xrefs: 00FA10FA
BSR_UNICODE), xrefs: 00FA1338
ANYCRLF), xrefs: 00FA12FB
NO_AUTO_POSSESS), xrefs: 00FA112E
NO_START_OPT), xrefs: 00FA114F
LF), xrefs: 00FA12A4
ANY), xrefs: 00FA12DE
BSR_ANYCRLF), xrefs: 00FA131E
LIMIT_MATCH=, xrefs: 00FA1170
LIMIT_RECURSION=, xrefs: 00FA11FC
UTF16), xrefs: 00FA10CF
UCP), xrefs: 00FA110D
CRLF), xrefs: 00FA12C1
CR), xrefs: 00FA1287

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 579e74905e6a82a56962c9345f287ccdbb934d419e8c223f3fdbfae6a3cad603
Instruction ID: af12baa23bf8b7e406802afc54be2686705df0c694d249c23b633006174de073
Opcode Fuzzy Hash: 579e74905e6a82a56962c9345f287ccdbb934d419e8c223f3fdbfae6a3cad603
Instruction Fuzzy Hash: 597271B5E00219DBDF14CF58C8807AEB7B5FF49720F15816AE849EB291EB349D41EB90

Function 00FB001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FB0097
SetKeyboardState.USER32(?), ref: 00FB0102
GetAsyncKeyState.USER32(000000A0), ref: 00FB0122
GetKeyState.USER32(000000A0), ref: 00FB0139
GetAsyncKeyState.USER32(000000A1), ref: 00FB0168
GetKeyState.USER32(000000A1), ref: 00FB0179
GetAsyncKeyState.USER32(00000011), ref: 00FB01A5
GetKeyState.USER32(00000011), ref: 00FB01B3
GetAsyncKeyState.USER32(00000012), ref: 00FB01DC
GetKeyState.USER32(00000012), ref: 00FB01EA
GetAsyncKeyState.USER32(0000005B), ref: 00FB0213
GetKeyState.USER32(0000005B), ref: 00FB0221

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 45df1fa19b9b8ed04b8c8e26d4c37db01a89d8b969cb9c463d397db765e0c747
Instruction ID: 3105378d33bc999f77a85d8d6c63c84a743a193db2be761e6190159c80b513c1
Opcode Fuzzy Hash: 45df1fa19b9b8ed04b8c8e26d4c37db01a89d8b969cb9c463d397db765e0c747
Instruction Fuzzy Hash: 6851D820D0478829FB35EBB588547EBBFB49F01390F08459A95C2561C2DEA49B8CEF61

Function 00FD03DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FCFDAD,?,?), ref: 00FD0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FD04AC

Part of subcall function 00F59837: __itow.LIBCMT ref: 00F59862
Part of subcall function 00F59837: __swprintf.LIBCMT ref: 00F598AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00FD054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00FD05E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00FD0822
RegCloseKey.ADVAPI32(00000000), ref: 00FD082F

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 686db99ed279ad95c5a730ea3e3f1957fa59a36efefcfde79ca607d5c167a1f8
Instruction ID: 69b47334c6e6a7303fbbbe3151a3ac11fc499debd1c5948217d82c09929b4ccc
Opcode Fuzzy Hash: 686db99ed279ad95c5a730ea3e3f1957fa59a36efefcfde79ca607d5c167a1f8
Instruction Fuzzy Hash: 58E15F71604204AFCB14DF24CC95E2ABBE5EF89314F08856EF94ADB361DA34ED05EB52

Function 00FC83BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F59837: __itow.LIBCMT ref: 00F59862
Part of subcall function 00F59837: __swprintf.LIBCMT ref: 00F598AC

CoInitialize.OLE32 ref: 00FC8403
CoUninitialize.OLE32 ref: 00FC840E
CoCreateInstance.OLE32(?,00000000,00000017,00FE2BEC,?), ref: 00FC846E
IIDFromString.OLE32(?,?), ref: 00FC84E1
VariantInit.OLEAUT32(?), ref: 00FC857B
VariantClear.OLEAUT32(?), ref: 00FC85DC

Strings

NULL Pointer assignment, xrefs: 00FC84B3
Failed to create object, xrefs: 00FC8479, 00FC852F
Invalid parameter, xrefs: 00FC84FA

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 641073f71cc11ae785e62ab0dc1900fed2c01548a3a59edf15d2458cf5d33a6c
Instruction ID: 8588b8af20a2aac4f1e81f1bd614d787bb21738f1fb299f8910cb18a859a698a
Opcode Fuzzy Hash: 641073f71cc11ae785e62ab0dc1900fed2c01548a3a59edf15d2458cf5d33a6c
Instruction Fuzzy Hash: A961F271608312DFC714DF20C94AF6AB7E4AF457A4F04481DF9829B291CBB4ED49EB92

Function 00FC4164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00FC418B
EmptyClipboard.USER32 ref: 00FC4191
GlobalAlloc.KERNEL32(00000002,?), ref: 00FC41A6
CloseClipboard.USER32 ref: 00FC4245

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 85914d95412a39867ff228ff54d4c56a8229d29f785b307ee4c37f62d7de6011
Instruction ID: 6f6b8d14af41781fd500835798e077a38e78008f9914a7a54c67a7e26e5a0ae4
Opcode Fuzzy Hash: 85914d95412a39867ff228ff54d4c56a8229d29f785b307ee4c37f62d7de6011
Instruction Fuzzy Hash: 3221D1356012159FDB11AF20DC1AF6D7BA9EF45322F18802AF986DB2A1CB74ED00EB44

Function 00FB37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F54750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F54743,?,?,00F537AE,?), ref: 00F54770

Part of subcall function 00FB4A31: GetFileAttributesW.KERNEL32(?,00FB370B), ref: 00FB4A32

FindFirstFileW.KERNEL32(?,?), ref: 00FB38A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00FB394B
MoveFileW.KERNEL32(?,?), ref: 00FB395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00FB397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FB399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00FB39B9

Strings

\*.*, xrefs: 00FB384E, 00FB3857, 00FB386C

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: e09d22c9915c31934f67ef1a8e90d0bba81c1ead1a08dfc607b759785ba207f5
Instruction ID: 4edbf64e7fddc6cfc53d8f7d89665ec6e7c2debaff8c1692160cbd939c971c24
Opcode Fuzzy Hash: e09d22c9915c31934f67ef1a8e90d0bba81c1ead1a08dfc607b759785ba207f5
Instruction Fuzzy Hash: 1A516E3184514CAACF01FBA1DE929EDB779AF14311F600169E806B61A1EB296F0DEF61

Function 00FBF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F57DE1: _memmove.LIBCMT ref: 00F57E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00FBF440
Sleep.KERNEL32(0000000A), ref: 00FBF470
_wcscmp.LIBCMT ref: 00FBF484
_wcscmp.LIBCMT ref: 00FBF49F
FindNextFileW.KERNEL32(?,?), ref: 00FBF53D
FindClose.KERNEL32(00000000), ref: 00FBF553

Strings

*.*, xrefs: 00FBF425

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 6b7de38d041ffc6a6b7e82cd7aed84a01d0336a2979504bd9a6a5c0770b11f87
Instruction ID: d63d2a7264698e2b3d0ba4e00343b67afb5aa647e6e3f317a8f90537a4d29d07
Opcode Fuzzy Hash: 6b7de38d041ffc6a6b7e82cd7aed84a01d0336a2979504bd9a6a5c0770b11f87
Instruction Fuzzy Hash: BC417C71D0021AAFCF10EF65DC49AEEBBB4FF05320F184466E815A3291DB349A58EF50

Function 00F65760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F658A5
_memmove.LIBCMT ref: 00F658F5
_memmove.LIBCMT ref: 00F6595B

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: d1e67dfbbc21c9640528d7eeba72167a85397b01a6b2a9bc68bb59c695268349
Instruction ID: 30908e891a00ea5ee2e36c5a6e7b757738c1b5173d44145d7c7984305fdcdb89
Opcode Fuzzy Hash: d1e67dfbbc21c9640528d7eeba72167a85397b01a6b2a9bc68bb59c695268349
Instruction Fuzzy Hash: 0D12AAB0A00609DFCF14DFA4D981AAEB7F5FF48310F104529E846E7290EB3AAD15EB51

Function 00FB3B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F54750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F54743,?,?,00F537AE,?), ref: 00F54770

Part of subcall function 00FB4A31: GetFileAttributesW.KERNEL32(?,00FB370B), ref: 00FB4A32

FindFirstFileW.KERNEL32(?,?), ref: 00FB3B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00FB3BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FB3BEA
FindClose.KERNEL32(00000000), ref: 00FB3C01
FindClose.KERNEL32(00000000), ref: 00FB3C0A

Strings

\*.*, xrefs: 00FB3B5B

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 8f78ddc15f0141d6a04f930716bd459981d9c2008b67008df315de203e2525e9
Instruction ID: 63d60df0bf38e530a12e47105fcc2f4cc68137b1e9dd1e97ca4797e5a950e21a
Opcode Fuzzy Hash: 8f78ddc15f0141d6a04f930716bd459981d9c2008b67008df315de203e2525e9
Instruction Fuzzy Hash: C831A1310493849BC200EF64DC91CEFBBE8AE91315F404E2DF9D592191EB25DA0CEB53

Function 00FB51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FA882B
Part of subcall function 00FA87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FA8858
Part of subcall function 00FA87E1: GetLastError.KERNEL32 ref: 00FA8865

ExitWindowsEx.USER32(?,00000000), ref: 00FB51F9

Strings

SeShutdownPrivilege, xrefs: 00FB51C9
@, xrefs: 00FB51EC
, xrefs: 00FB51E7

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: e67c58b2ac2d016bfb5de4c97ea943333b016d0c26c59162e3d30a271fd75dc0
Instruction ID: dc12ba49075b2c5404b70ec705fb9c00d86f793ff525cb45e8e0d11d7e6c8ad4
Opcode Fuzzy Hash: e67c58b2ac2d016bfb5de4c97ea943333b016d0c26c59162e3d30a271fd75dc0
Instruction Fuzzy Hash: C3014732A936152BF728227AAC8BFFA7358AB05B50F240421F803E20C2DA591C05BD90

Function 00FC6283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00FC62DC
WSAGetLastError.WSOCK32(00000000), ref: 00FC62EB
bind.WSOCK32(00000000,?,00000010), ref: 00FC6307
listen.WSOCK32(00000000,00000005), ref: 00FC6316
WSAGetLastError.WSOCK32(00000000), ref: 00FC6330
closesocket.WSOCK32(00000000,00000000), ref: 00FC6344

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: adc3587633fcc7a3c901bffd2c19d917de6fad3be10a485110710c6df3527012
Instruction ID: f4af9bcfbe938a8e3c10bb5770cb1647f266bbbb79887547472e32fed2574c88
Opcode Fuzzy Hash: adc3587633fcc7a3c901bffd2c19d917de6fad3be10a485110710c6df3527012
Instruction Fuzzy Hash: F821CC31A04205AFCB00AF64CD46F6EB7A9EF48321F188159E916E73D1C774AD09EB51

Function 00F65520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00F70DB6: std::exception::exception.LIBCMT ref: 00F70DEC
Part of subcall function 00F70DB6: __CxxThrowException@8.LIBCMT ref: 00F70E01

_memmove.LIBCMT ref: 00FA0258
_memmove.LIBCMT ref: 00FA036D
_memmove.LIBCMT ref: 00FA0414

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 3fab6ca70bc63599526c8590f51dc90f8b520f20ac9dafd28c3d02a533361019
Instruction ID: e31c34dcb1e320bd92e641584af19aefaba84b754ae556e28cb6b4bfcbd7a536
Opcode Fuzzy Hash: 3fab6ca70bc63599526c8590f51dc90f8b520f20ac9dafd28c3d02a533361019
Instruction Fuzzy Hash: 6F02BFB1A00209DBCF04DF64D981AAE7BB5EF45310F548069E80AEB295EF39DD14EB91

Function 00F51287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00F52612: GetWindowLongW.USER32(?,000000EB), ref: 00F52623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00F519FA
GetSysColor.USER32(0000000F), ref: 00F51A4E
SetBkColor.GDI32(?,00000000), ref: 00F51A61

Part of subcall function 00F51290: DefDlgProcW.USER32(?,00000020,?), ref: 00F512D8

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 4d0af6bd5eec23f53df1adcdb54eff01553b0e047f5f708a7fbfb22a76ef2fd9
Instruction ID: bc2d9e9ff645b4bddc8604b28b7b5b43be624e7c851edd30f4e03784e0d2a471
Opcode Fuzzy Hash: 4d0af6bd5eec23f53df1adcdb54eff01553b0e047f5f708a7fbfb22a76ef2fd9
Instruction Fuzzy Hash: 94A15B76502586BAE639BA285C45FBF395DFB42353B14010AFF02D5182CA1DAD09F3B1

Function 00FBBCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FBBCE6
_wcscmp.LIBCMT ref: 00FBBD16
_wcscmp.LIBCMT ref: 00FBBD2B
FindNextFileW.KERNEL32(00000000,?), ref: 00FBBD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00FBBD6C

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: c0e95d8cd78a632d644bf7d72a08e9d4d25466e21407db581f970f983aa48168
Instruction ID: ccb6e6d0c6f06a1c15d2030578f15cabb8f447cf50602a7daadea81b89359ff7
Opcode Fuzzy Hash: c0e95d8cd78a632d644bf7d72a08e9d4d25466e21407db581f970f983aa48168
Instruction Fuzzy Hash: 86518E35A047029FC714DF69C890E9AB3E4EF49320F14461EE9568B3A1DB78ED04EF91

Function 00FC6747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00FC7DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00FC679E
WSAGetLastError.WSOCK32(00000000), ref: 00FC67C7
bind.WSOCK32(00000000,?,00000010), ref: 00FC6800
WSAGetLastError.WSOCK32(00000000), ref: 00FC680D
closesocket.WSOCK32(00000000,00000000), ref: 00FC6821

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: f19b679ab75e1427bd50a07a7259f0a185e5ef69a32cc98fa15de967868624cb
Instruction ID: aa13066c73774e589073a681a1f182d9e313f155a00b86790d12f4b8e74b3c67
Opcode Fuzzy Hash: f19b679ab75e1427bd50a07a7259f0a185e5ef69a32cc98fa15de967868624cb
Instruction Fuzzy Hash: 9341F371A00600AFDB14AF248C86F2E77E89F05715F44845CFE06AB3D2CAB89D04AB91

Function 00FD5376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00FD53C5
IsWindowEnabled.USER32 ref: 00FD53D3
GetForegroundWindow.USER32(?,?,00000001), ref: 00FD53E0
IsIconic.USER32 ref: 00FD53EE
IsZoomed.USER32 ref: 00FD53FC

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: c155cfac2202a64dbbfbbbabde0884bd724be16cf86fe331e52979e398da3ba0
Instruction ID: 167f2a1563d9dc18803e4c1becda6b928917547775c6435145f39ffa7288efc3
Opcode Fuzzy Hash: c155cfac2202a64dbbfbbbabde0884bd724be16cf86fe331e52979e398da3ba0
Instruction Fuzzy Hash: 8C1104327019146FDB216F26DC44F6E7B9BEF45BA2B48402AF846D7341CBB4DD01AAA0

Function 00FA80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FA80C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FA80CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FA80D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FA80E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FA80F6

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d382d72dace445f352e25ec899e02494e0846868a3540707e7ea7fb8af2f637a
Instruction ID: bbe07f9573a65d618c88b06ba206e0af556cf381c3571f936456d8b6d5965099
Opcode Fuzzy Hash: d382d72dace445f352e25ec899e02494e0846868a3540707e7ea7fb8af2f637a
Instruction Fuzzy Hash: 20F06271641208AFEB100FB5EC8DE673BBDEF4A7A5B040026F946C7150CBA19D46EA60

Function 00F54B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F54AD0), ref: 00F54B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F54B57

Strings

GetNativeSystemInfo, xrefs: 00F54B51
kernel32.dll, xrefs: 00F54B40

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 8a086014487af463eb86653bbebb2d6f907392c861b73b5d9c71c9d700bda664
Instruction ID: 2bc97f723ec918d25636d08cec14f53f33616c80410076c6f68b747117fafb42
Opcode Fuzzy Hash: 8a086014487af463eb86653bbebb2d6f907392c861b73b5d9c71c9d700bda664
Instruction Fuzzy Hash: 99D0C230E00317DFC7208F31D818F0272D5AF81355B18883B9883C2250D770E4C8E614

Function 00F63030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 0d775bbc584e1e2c0f69c4cee5af9d6f636b48a44497f2eb96c67860debe42f7
Instruction ID: ac953a1e637f5bfc706f66c355c12c2e15da69dc53bee0ef12682e437c5e4569
Opcode Fuzzy Hash: 0d775bbc584e1e2c0f69c4cee5af9d6f636b48a44497f2eb96c67860debe42f7
Instruction Fuzzy Hash: 0522CD71A083009FDB24DF24C881B6FB7E4EF84714F04492DF99A97291DB75E908EB92

Function 00FCEE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00FCEE3D
Process32FirstW.KERNEL32(00000000,?), ref: 00FCEE4B

Part of subcall function 00F57DE1: _memmove.LIBCMT ref: 00F57E22

Process32NextW.KERNEL32(00000000,?), ref: 00FCEF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00FCEF1A

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 60bd3a34a16df1d8ca18ffd60b910b4d0a4ea23d36fc083e64f7894b9d538966
Instruction ID: b8c4d4edc35e8fa60ac65cb7b51c1b3ab7f652cc043de97910f23dcf397d3a4f
Opcode Fuzzy Hash: 60bd3a34a16df1d8ca18ffd60b910b4d0a4ea23d36fc083e64f7894b9d538966
Instruction Fuzzy Hash: DD51AF71508701AFD310EF20DC86E6BBBE8EF84750F50482DF995972A1EB74E908DB92

Function 00F5FCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 81ae574ecbd5a039c9266b265201b0174da2d4438ad3139219d1d05616f3cfae
Instruction ID: 513909ab07e2ad2503763883e60931d50f02b772eb2ac5cf80cd9193d57177ab
Opcode Fuzzy Hash: 81ae574ecbd5a039c9266b265201b0174da2d4438ad3139219d1d05616f3cfae
Instruction Fuzzy Hash: 17926971A083419FD724DF14C480B2BB7E1BF85314F24896DE98A8B352DB75EC49EB92

Function 00FAE616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00FAE628

Strings

|, xrefs: 00FAE658
(, xrefs: 00FAE66E

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 29629ef8138225c79713dde28818a392dc0b39da12f9d557379efffea27966da
Instruction ID: a369be4d9aa1a5f40d20c07b70759953b3b98122b2c8e6bc020f01bdd7b52cbe
Opcode Fuzzy Hash: 29629ef8138225c79713dde28818a392dc0b39da12f9d557379efffea27966da
Instruction Fuzzy Hash: 623225B5A007059FD728CF59C481A6AB7F1FF49320B15C46EE89ADB3A1E770E941CB50

Function 00FC22EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00FC180A,00000000), ref: 00FC23E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00FC2418

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 109d0daec60c169e16374bcd106c7360987c6eb44861cbd3593569ac1516ffe3
Instruction ID: 7826e2cc10fce6779cca31317cd6848883ae9a384651297e3d1f87f96d6e9e41
Opcode Fuzzy Hash: 109d0daec60c169e16374bcd106c7360987c6eb44861cbd3593569ac1516ffe3
Instruction Fuzzy Hash: 3641F47290420AFFEB50DE95DE82FBB77ADEB40724F10406EF605A6141DA749E41B650

Function 00FBB3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FBB40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00FBB465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00FBB4B2

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 35c9fa9cafd298905277eb7cacfaa331d0d737e45e6850106753fafcef77363b
Instruction ID: 9c01fda6161a971a5a1bf6152d7f0619ea5e152a57477a48001bd9a6792331ad
Opcode Fuzzy Hash: 35c9fa9cafd298905277eb7cacfaa331d0d737e45e6850106753fafcef77363b
Instruction Fuzzy Hash: D3214A75A00118EFCB00EFA5DC80AEDBBB8FF49315F1480AAE905AB261CB359919DF50

Function 00FA87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00F70DB6: std::exception::exception.LIBCMT ref: 00F70DEC
Part of subcall function 00F70DB6: __CxxThrowException@8.LIBCMT ref: 00F70E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FA882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FA8858
GetLastError.KERNEL32 ref: 00FA8865

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 8fdce949053eb61877d90ee0bc90ee7f49035223c3f88d222f9f644ad7d5c992
Instruction ID: 4bd98a2db33bb57b2950d68f8aae396947f32a0f13700c6ff912335f987e3e19
Opcode Fuzzy Hash: 8fdce949053eb61877d90ee0bc90ee7f49035223c3f88d222f9f644ad7d5c992
Instruction Fuzzy Hash: 4A119DB2814304AFE728EFA4DC85D2BBBE9EF05310B20852EE45683201EE74AC419B60

Function 00FA874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00FA8774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00FA878B
FreeSid.ADVAPI32(?), ref: 00FA879B

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 43a50efa0ae37721df882fee6b1ea4e91c02d692520926838532ec37841f8a5f
Instruction ID: 2fec283f55bc6a40253b87e51ca8d303e009ae9b64d523a861a5fad3c9a46979
Opcode Fuzzy Hash: 43a50efa0ae37721df882fee6b1ea4e91c02d692520926838532ec37841f8a5f
Instruction Fuzzy Hash: 64F03C7591120CBBDB00DFF49C89EADB7B9EF08311F504469A502E2281D6715A089B50

Function 00FB4C7F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00FB4CB3

Strings

DOWN, xrefs: 00FB4C98

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: 60834ff747d8a426a7a6b31bc7fa2b187776f5d4db0f83c6970a7758afdb22a8
Instruction ID: 9ce590eb3970d7d05b321586e23f85dba0263c3175f5fd519c45b29b00725cdb
Opcode Fuzzy Hash: 60834ff747d8a426a7a6b31bc7fa2b187776f5d4db0f83c6970a7758afdb22a8
Instruction Fuzzy Hash: 66E0867619D7213CB985251AFD03EF7274C8B12731B104147F814D54C2DD442C8238BE

Function 00FBC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FBC6FB
FindClose.KERNEL32(00000000), ref: 00FBC72B

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: e51b9e839c8feae22f98d3e477214057b7ababf6ffe57a89e4a19d117197e99b
Instruction ID: 6c7bc20591fa69ae8d1ca33b7e01fffa614e107abc414e6055d51e5311cb5d3b
Opcode Fuzzy Hash: e51b9e839c8feae22f98d3e477214057b7ababf6ffe57a89e4a19d117197e99b
Instruction Fuzzy Hash: 7C11CE726002048FCB00EF29CC44A2AF7E9EF85321F04851EF9AACB290CB74A804DF80

Function 00FBA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00FC9468,?,00FDFB84,?), ref: 00FBA097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00FC9468,?,00FDFB84,?), ref: 00FBA0A9

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: f601af891654cea530755aa6a2f3e34433e9698fcc5468f573c6f22a5ff531a0
Instruction ID: 22a207ea1392527acfe799b5bc718617d767133759377d3687c6a2dae287da21
Opcode Fuzzy Hash: f601af891654cea530755aa6a2f3e34433e9698fcc5468f573c6f22a5ff531a0
Instruction Fuzzy Hash: 35F0823651522DBBDB21AFA4DC48FEA776DBF08361F004266F909D6181D6309944DBA1

Function 00FA81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FA8309), ref: 00FA81E0
CloseHandle.KERNEL32(?,?,00FA8309), ref: 00FA81F2

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 004eb504bd4ee3e013e006bf89b3e5d6c5c545ff0b93352de708f03f3b6e45a9
Instruction ID: 8e0d4025479fbc6ddcb2e6d6f39068b098e73ea07da63d5266e4462a28118724
Opcode Fuzzy Hash: 004eb504bd4ee3e013e006bf89b3e5d6c5c545ff0b93352de708f03f3b6e45a9
Instruction Fuzzy Hash: 66E0E671011511EFE7252B74EC09D7777EAEF04350714C82EF45684470DB615C91EB50

Function 00F7A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00F78D57,?,?,?,00000001), ref: 00F7A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00F7A163

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e4c236976a73036ea2fa7fd9c35f9f6f6086068a17334d1ef7e281bfe733e23c
Instruction ID: 95c28c70508bbd9b1bfd29cb6cf8a523057104d1d82fb60620d76c13044cb355
Opcode Fuzzy Hash: e4c236976a73036ea2fa7fd9c35f9f6f6086068a17334d1ef7e281bfe733e23c
Instruction Fuzzy Hash: 25B0923105520CABCA002BA5EC09F883F6AEB44AA2F418022F60E84060CB625454AA91

Function 00F5E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00F93E62

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 5b80494db2bf9c9e3d0a1ea76bc993d281d6a06264bdc383968e25f04d70b7bb
Instruction ID: b6aca345f00d4d3d1da7288138ed7f58d02574c69a95302d8341c06d3395d072
Opcode Fuzzy Hash: 5b80494db2bf9c9e3d0a1ea76bc993d281d6a06264bdc383968e25f04d70b7bb
Instruction Fuzzy Hash: 92A29D75E00205CFCB28CF54C880AA9B7B2FF59321F248059EE559B351D779EE4AEB90

Function 00F7F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa83a8c807146abb7474eed28486ad3af3035df4609a6ab147c4c5916565e64b
Instruction ID: 7d7f02bcd72b4816a18c9d0e815581e65db95fce48e084e9c4c06e33866688ad
Opcode Fuzzy Hash: fa83a8c807146abb7474eed28486ad3af3035df4609a6ab147c4c5916565e64b
Instruction Fuzzy Hash: 00325622D29F454DD7239634DC72336A248AFB73D4F14C737F81AB99AAEB28C4836101

Function 00F8242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a5d4e88bc15539a2ab08b433a39e0e1d35bca4dc561c87e5a91f15f1dad0871
Instruction ID: 74f818cf6919498731d75d8513e58c14e1a18fcda76493786d40c4980bbeacb1
Opcode Fuzzy Hash: 4a5d4e88bc15539a2ab08b433a39e0e1d35bca4dc561c87e5a91f15f1dad0871
Instruction Fuzzy Hash: D8B10330D2AF844DD323A6398871336B65CAFBB2C5F52D71BFC2674D62EB2295835241

Function 00FB8889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00FB889B

Part of subcall function 00F7520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00FB8F6E,00000000,?,?,?,?,00FB911F,00000000,?), ref: 00F75213
Part of subcall function 00F7520A: __aulldiv.LIBCMT ref: 00F75233

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: b0a8c094a7f007da476c2c734748b137684aa9c9c5b3faad19dfa9616ae7e351
Instruction ID: 305486f579dfd534f8bfe6196ad72366fbc0d7a4f48890e055ada0f5fc651ef1
Opcode Fuzzy Hash: b0a8c094a7f007da476c2c734748b137684aa9c9c5b3faad19dfa9616ae7e351
Instruction Fuzzy Hash: F321A232A255108BC729CF25D841A92B3E5EFA5321F688E6CD0F5CB2C4CA79A905DB54

Function 00FA87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00FA8389), ref: 00FA87D1

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: cd9beda7fd302d4b76e690172490a85ee405bb097ad898b48cee2a60f316f5d1
Instruction ID: 445492f3f7627d141de012ee05e508b348630a9d229fd2aea926dab496e18cdd
Opcode Fuzzy Hash: cd9beda7fd302d4b76e690172490a85ee405bb097ad898b48cee2a60f316f5d1
Instruction Fuzzy Hash: 98D09E3226450EABEF019EA4DD05EAE3B6AEB04B01F408511FE16D61A1C775D935AB60

Function 00F7A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00F7A12A

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0b1d1ba1c1b759f36a6154df89125ea003f925435fa7f70a895a139b326ba47b
Instruction ID: b740b1acaecb47c5ab8faef46be91e5fb460cc57570380620b09629ce5ab9254
Opcode Fuzzy Hash: 0b1d1ba1c1b759f36a6154df89125ea003f925435fa7f70a895a139b326ba47b
Instruction Fuzzy Hash: CFA0243000010CF7CF001F55FC04C447F5DD7001D07004031F40D40031C733541055C0

Function 00F68808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f69bcca8ca814b5e071b676d254d500224511490c898fa470c0ca22b6af5638f
Instruction ID: 697dec4f6a9e9bf7fe1a9531280268a393167b308ac1776cfc90a737218d7947
Opcode Fuzzy Hash: f69bcca8ca814b5e071b676d254d500224511490c898fa470c0ca22b6af5638f
Instruction Fuzzy Hash: A9224271D04146DBDF388AA4C49477C77A1BF427A4F28822FD982CB492DB789C92FB41

Function 00F721C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 2bb049c488cab6d8fd3709a038eb0e67c405c79fb40b37e4d0566881688a2e7f
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 73C1B7326050930ADF6D463D843513EFBA16EA27B131A876FD4BBCB1D5EE10C939E621

Function 00F725FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 270bff8f696db71d889feefc0d3658bc7a8f57e9067b647bda54c123f6865106
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: F3C1C63360509309DF6D463DC43513EBAA16EA27B131A876FD4BADB1D4EE20C939F621

Function 00F71978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 10b214f452f72d848befc02a87f06c624e65a78848c529f7e371266efa7fede5
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: A7C1843260519309DF2D463D847513EBAA16EA27B131A876FD4BACB1C4EE20C93DEA11

Function 00FC7806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FC785B
DeleteObject.GDI32(00000000), ref: 00FC786D
DestroyWindow.USER32 ref: 00FC787B
GetDesktopWindow.USER32 ref: 00FC7895
GetWindowRect.USER32(00000000), ref: 00FC789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00FC79DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00FC79ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC7A35
GetClientRect.USER32(00000000,?), ref: 00FC7A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00FC7A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC7A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC7AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC7ABB
GlobalLock.KERNEL32(00000000), ref: 00FC7AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC7AD3
GlobalUnlock.KERNEL32(00000000), ref: 00FC7ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC7AE3
GlobalFree.KERNEL32(00000000), ref: 00FC7AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC7B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00FE2CAC,00000000), ref: 00FC7B16
GlobalFree.KERNEL32(00000000), ref: 00FC7B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00FC7B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00FC7B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC7B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC7D7A

Strings

AutoIt v3, xrefs: 00FC7A2D
DISPLAY, xrefs: 00FC7BDD
static, xrefs: 00FC7A75, 00FC7BCC
, xrefs: 00FC7D00

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 8883f05dd23c3e169221108e19a7e53c8dc48431cc3c85dfbd99bf8d72888bfb
Instruction ID: 15d74829f059b7448e0dfe03359b63935bad2655458105825486741655d3e34e
Opcode Fuzzy Hash: 8883f05dd23c3e169221108e19a7e53c8dc48431cc3c85dfbd99bf8d72888bfb
Instruction Fuzzy Hash: 5E029B71900219EFDB14DFA4CD89EAE7BB9EF49310F148159F906AB2A0C774AD05EF60

Function 00FD356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00FDF910), ref: 00FD3627
IsWindowVisible.USER32(?), ref: 00FD364B

Strings

ISENABLED, xrefs: 00FD366B
TABRIGHT, xrefs: 00FD369D
SETCURRENTSELECTION, xrefs: 00FD37B6
GETLINECOUNT, xrefs: 00FD38C6
HIDEDROPDOWN, xrefs: 00FD3700
CURRENTTAB, xrefs: 00FD36BD
ISVISIBLE, xrefs: 00FD3637
GETCURRENTCOL, xrefs: 00FD3928
EDITPASTE, xrefs: 00FD395F
GETLINE, xrefs: 00FD399B
FINDSTRING, xrefs: 00FD3776
SHOWDROPDOWN, xrefs: 00FD36E0
ADDSTRING, xrefs: 00FD3716
UNCHECK, xrefs: 00FD3883
GETSELECTED, xrefs: 00FD38A3
GETCURRENTLINE, xrefs: 00FD38ED
GETCURRENTSELECTION, xrefs: 00FD37E3
SELECTSTRING, xrefs: 00FD3806
SENDCOMMANDID, xrefs: 00FD39DA
ISCHECKED, xrefs: 00FD3839
TABLEFT, xrefs: 00FD3687
DELSTRING, xrefs: 00FD3749
CHECK, xrefs: 00FD386D

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: a9f462dac856412d0872eefebc012fe1c9dcdebc3f5f9e884f0dc592e0caea19
Instruction ID: 344fe3bc5740e43d67e4db5ed4edd116abaaca020573c3f90a3435c404719e32
Opcode Fuzzy Hash: a9f462dac856412d0872eefebc012fe1c9dcdebc3f5f9e884f0dc592e0caea19
Instruction Fuzzy Hash: 90D1B471608301DBDA04EF10CC52A6E77A2AF85754F18445AF9865B3E3CB79DE0AEB43

Function 00FDA5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00FDA630
GetSysColorBrush.USER32(0000000F), ref: 00FDA661
GetSysColor.USER32(0000000F), ref: 00FDA66D
SetBkColor.GDI32(?,000000FF), ref: 00FDA687
SelectObject.GDI32(?,00000000), ref: 00FDA696
InflateRect.USER32(?,000000FF,000000FF), ref: 00FDA6C1
GetSysColor.USER32(00000010), ref: 00FDA6C9
CreateSolidBrush.GDI32(00000000), ref: 00FDA6D0
FrameRect.USER32(?,?,00000000), ref: 00FDA6DF
DeleteObject.GDI32(00000000), ref: 00FDA6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 00FDA731
FillRect.USER32(?,?,00000000), ref: 00FDA763
GetWindowLongW.USER32(?,000000F0), ref: 00FDA78E

Part of subcall function 00FDA8CA: GetSysColor.USER32(00000012), ref: 00FDA903
Part of subcall function 00FDA8CA: SetTextColor.GDI32(?,?), ref: 00FDA907
Part of subcall function 00FDA8CA: GetSysColorBrush.USER32(0000000F), ref: 00FDA91D
Part of subcall function 00FDA8CA: GetSysColor.USER32(0000000F), ref: 00FDA928
Part of subcall function 00FDA8CA: GetSysColor.USER32(00000011), ref: 00FDA945
Part of subcall function 00FDA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FDA953
Part of subcall function 00FDA8CA: SelectObject.GDI32(?,00000000), ref: 00FDA964
Part of subcall function 00FDA8CA: SetBkColor.GDI32(?,00000000), ref: 00FDA96D
Part of subcall function 00FDA8CA: SelectObject.GDI32(?,?), ref: 00FDA97A
Part of subcall function 00FDA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00FDA999
Part of subcall function 00FDA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FDA9B0
Part of subcall function 00FDA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00FDA9C5
Part of subcall function 00FDA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FDA9ED

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: a4c948f4f8f6844a04e26f6aa2e386f54669e734ace1c2fea95aa90ab0a62405
Instruction ID: 31070df92bbff5434e5a44ded0c655817b4b31c2bd44d85b042681a0b17c7e7f
Opcode Fuzzy Hash: a4c948f4f8f6844a04e26f6aa2e386f54669e734ace1c2fea95aa90ab0a62405
Instruction Fuzzy Hash: 82915D72409305EFC7119F64DC08E5B7BAAFF88331F184A2AF962961A0D771D948EB52

Function 00F52C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00F52CA2
DeleteObject.GDI32(00000000), ref: 00F52CE8
DeleteObject.GDI32(00000000), ref: 00F52CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00F52CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00F52D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00F8C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00F8C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F8C89D

Part of subcall function 00F51B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F52036,?,00000000,?,?,?,?,00F516CB,00000000,?), ref: 00F51B9A

SendMessageW.USER32(?,00001053), ref: 00F8C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F8C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00F8C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00F8C912

Strings

0, xrefs: 00F8C731

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 813e971553da627d33e909cd668d0ecce51cb6e48900a02364b877105c68c796
Instruction ID: 51887b7bd57d983c174253b0793d3e1dcde1641fe6298f790d5738ed607206f9
Opcode Fuzzy Hash: 813e971553da627d33e909cd668d0ecce51cb6e48900a02364b877105c68c796
Instruction Fuzzy Hash: 9B129030A00201DFDB11EF24C888BA9B7E1FF05321F584679F95ACB662C731E845EBA1

Function 00FC74AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00FC74DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00FC759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00FC75DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00FC75ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00FC7633
GetClientRect.USER32(00000000,?), ref: 00FC763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00FC7683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00FC7692
GetStockObject.GDI32(00000011), ref: 00FC76A2
SelectObject.GDI32(00000000,00000000), ref: 00FC76A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00FC76B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FC76BF
DeleteDC.GDI32(00000000), ref: 00FC76C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00FC76F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 00FC770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00FC7746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00FC775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 00FC776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00FC779B
GetStockObject.GDI32(00000011), ref: 00FC77A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00FC77B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00FC77BB

Strings

AutoIt v3, xrefs: 00FC762B
DISPLAY, xrefs: 00FC7688
msctls_progress32, xrefs: 00FC773C
static, xrefs: 00FC767D, 00FC7795

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 4d720f5a8a7dd59c70097ea7c90b960f7ddd20ac99274bde37162172247fcd78
Instruction ID: a276f58664508ff7928e68c8c25bf88bc758abcd13ed49b799c11f02c7651f99
Opcode Fuzzy Hash: 4d720f5a8a7dd59c70097ea7c90b960f7ddd20ac99274bde37162172247fcd78
Instruction Fuzzy Hash: 36A18471A00219BFEB14DBA4DC4AFAE7BB9EB45714F044119FA15AB2E0C7B4AD04DB60

Function 00FBAD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FBAD1E
GetDriveTypeW.KERNEL32(?,00FDFAC0,?,\\.\,00FDF910), ref: 00FBADFB
SetErrorMode.KERNEL32(00000000,00FDFAC0,?,\\.\,00FDF910), ref: 00FBAF59

Strings

SSA, xrefs: 00FBAEE2
\\.\, xrefs: 00FBAD70
Unknown, xrefs: 00FBAE1B, 00FBAEBF
SAS, xrefs: 00FBAF05
FileBackedVirtual, xrefs: 00FBAF28
SCSI, xrefs: 00FBAEC6
ATA, xrefs: 00FBAED4
Virtual, xrefs: 00FBAF21
Network, xrefs: 00FBAE39
1394, xrefs: 00FBAEDB
ATAPI, xrefs: 00FBAECD
Fibre, xrefs: 00FBAEE9
Fixed, xrefs: 00FBAE43
USB, xrefs: 00FBAEF0
SATA, xrefs: 00FBAF0C
CDROM, xrefs: 00FBAE2F
RAID, xrefs: 00FBAEF7
iSCSI, xrefs: 00FBAEFE
RAMDisk, xrefs: 00FBAE25
MMC, xrefs: 00FBAF1A
Removable, xrefs: 00FBAE4D
PhysicalDrive, xrefs: 00FBADA7
SSD, xrefs: 00FBAE86

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 1cd443338feafafa4a5c85f674bf9dfeb3b8e5d2bce84f6bfb68fbfb93bff767
Instruction ID: a03c6641bc1c0b44d797c30f7673a43aee85738c7fb7639d5162bd4c8785f9c6
Opcode Fuzzy Hash: 1cd443338feafafa4a5c85f674bf9dfeb3b8e5d2bce84f6bfb68fbfb93bff767
Instruction Fuzzy Hash: D851B0B1A48705EA9B00EB13CD42DFD73A1FB09711B24806AF847AB291DA749D49FF43

Function 00F568DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F56931
__wcsnicmp.LIBCMT ref: 00F56949
__wcsnicmp.LIBCMT ref: 00F56961
__wcsnicmp.LIBCMT ref: 00F56979
__wcsnicmp.LIBCMT ref: 00F56991
__wcsnicmp.LIBCMT ref: 00F569A9
__wcsnicmp.LIBCMT ref: 00F569C1
__wcsnicmp.LIBCMT ref: 00F569D5
__wcsnicmp.LIBCMT ref: 00F56A16
__wcsnicmp.LIBCMT ref: 00F56A2A
__wcsnicmp.LIBCMT ref: 00F56A3E
__wcsnicmp.LIBCMT ref: 00F56A52

Strings

#ce, xrefs: 00F56A4C
Bad directive syntax error, xrefs: 00F8E31A
Unterminated group of comments, xrefs: 00F8E403
#pragma compile, xrefs: 00F5692B
#comments-start, xrefs: 00F569BB, 00F56A10
Cannot parse #include, xrefs: 00F8E3F0
#OnAutoItStartRegister, xrefs: 00F56973
#notrayicon, xrefs: 00F56943
#requireadmin, xrefs: 00F5695B
#include, xrefs: 00F569A3
#comments-end, xrefs: 00F56A38
#cs, xrefs: 00F569CF, 00F56A24
#include-once, xrefs: 00F5698B

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: f9dcf70085e905752e3624eff6b3cac9dd046e0eb3d2ec8c5dd0b8d4aeca6930
Instruction ID: bbc5d8f9037f5822bf5cc2297e6998ea1765d1a1f1aae7d4429f18e13c5f79ab
Opcode Fuzzy Hash: f9dcf70085e905752e3624eff6b3cac9dd046e0eb3d2ec8c5dd0b8d4aeca6930
Instruction Fuzzy Hash: D4812BB1A00205BACB20BB60DC42FAF3B68AF15711F444026FE15AB192EB74DE49F352

Function 00FD9A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00FD9AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00FD9B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00FD9BA7

Strings

0, xrefs: 00FD9BE4

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: f5c67301db0f7b2a6c49613df1f5185df3e91a182bbef0824a1736bf17d6576f
Instruction ID: 072e76422cc728e1c8e1b7b147862d27eac6534c157edda74638b7212718c8f4
Opcode Fuzzy Hash: f5c67301db0f7b2a6c49613df1f5185df3e91a182bbef0824a1736bf17d6576f
Instruction Fuzzy Hash: F2020131508301AFD725CF64C848BAABBE6FF49320F08852EF999D63A1C7B5D944EB51

Function 00FDA8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00FDA903
SetTextColor.GDI32(?,?), ref: 00FDA907
GetSysColorBrush.USER32(0000000F), ref: 00FDA91D
GetSysColor.USER32(0000000F), ref: 00FDA928
CreateSolidBrush.GDI32(?), ref: 00FDA92D
GetSysColor.USER32(00000011), ref: 00FDA945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FDA953
SelectObject.GDI32(?,00000000), ref: 00FDA964
SetBkColor.GDI32(?,00000000), ref: 00FDA96D
SelectObject.GDI32(?,?), ref: 00FDA97A
InflateRect.USER32(?,000000FF,000000FF), ref: 00FDA999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FDA9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00FDA9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FDA9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00FDAA14
InflateRect.USER32(?,000000FD,000000FD), ref: 00FDAA32
DrawFocusRect.USER32(?,?), ref: 00FDAA3D
GetSysColor.USER32(00000011), ref: 00FDAA4B
SetTextColor.GDI32(?,00000000), ref: 00FDAA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00FDAA67
SelectObject.GDI32(?,00FDA5FA), ref: 00FDAA7E
DeleteObject.GDI32(?), ref: 00FDAA89
SelectObject.GDI32(?,?), ref: 00FDAA8F
DeleteObject.GDI32(?), ref: 00FDAA94
SetTextColor.GDI32(?,?), ref: 00FDAA9A
SetBkColor.GDI32(?,?), ref: 00FDAAA4

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: bf420a6f0a0259062cfa8bae45328a797d77c8dc4990ac3dfa115341c759a638
Instruction ID: 038281631d889aba930f20049e56d46a409d9487f5d7839edca5b72b3b91b7bf
Opcode Fuzzy Hash: bf420a6f0a0259062cfa8bae45328a797d77c8dc4990ac3dfa115341c759a638
Instruction Fuzzy Hash: 7B513F71901208FFDB119FB4DC48EAE7BBAEF08320F154226F916AB2A1D7759944EF50

Function 00FD89D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00FD8AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FD8AD2
CharNextW.USER32(0000014E), ref: 00FD8B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00FD8B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00FD8B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FD8B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00FD8B86
SetWindowTextW.USER32(?,0000014E), ref: 00FD8BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00FD8BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FD8C1F
_memset.LIBCMT ref: 00FD8C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00FD8C8D
_memset.LIBCMT ref: 00FD8CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00FD8D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00FD8D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00FD8E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00FD8E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00FD8E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00FD8EB4
DrawMenuBar.USER32(?), ref: 00FD8EC3
SetWindowTextW.USER32(?,0000014E), ref: 00FD8EEB

Strings

0, xrefs: 00FD8E55

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: bcaeb63c283724da103ac517a86bed800a891877b4983797e78d0b5f3b49112b
Instruction ID: 7a560d722c896aee849ceec5df52eb5c91ea0296851ef1cea4930e5a1b1eca85
Opcode Fuzzy Hash: bcaeb63c283724da103ac517a86bed800a891877b4983797e78d0b5f3b49112b
Instruction Fuzzy Hash: D3E18171901209AFDB209F64CC84EEE7B7AEF05760F188157F915AB290DB748986FF60

Function 00FD488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00FD49CA
GetDesktopWindow.USER32 ref: 00FD49DF
GetWindowRect.USER32(00000000), ref: 00FD49E6
GetWindowLongW.USER32(?,000000F0), ref: 00FD4A48
DestroyWindow.USER32(?), ref: 00FD4A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00FD4A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FD4ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00FD4AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00FD4AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00FD4B09
IsWindowVisible.USER32(?), ref: 00FD4B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00FD4B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00FD4B58
GetWindowRect.USER32(?,?), ref: 00FD4B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00FD4B96
GetMonitorInfoW.USER32(00000000,?), ref: 00FD4BB0
CopyRect.USER32(?,?), ref: 00FD4BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00FD4C32

Strings

(, xrefs: 00FD4BA3
0, xrefs: 00FD4975
tooltips_class32, xrefs: 00FD4A96

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: ee5999568056232654919481f9476be8b56bdf0f999360395412930f42788e4a
Instruction ID: 35fc7b52e5266501970ce70697ca5eaaea98c46c3f722b0845bf3dd1465c81c0
Opcode Fuzzy Hash: ee5999568056232654919481f9476be8b56bdf0f999360395412930f42788e4a
Instruction Fuzzy Hash: 3CB1BE71608340AFDB04DF64C848B5ABBE6FF84310F04891EF99A9B2A1D775EC09EB55

Function 00FB449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00FB44AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00FB44D2
_wcscpy.LIBCMT ref: 00FB4500
_wcscmp.LIBCMT ref: 00FB450B
_wcscat.LIBCMT ref: 00FB4521
_wcsstr.LIBCMT ref: 00FB452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00FB4548
_wcscat.LIBCMT ref: 00FB4591
_wcscat.LIBCMT ref: 00FB4598
_wcsncpy.LIBCMT ref: 00FB45C3

Strings

DefaultLangCodepage, xrefs: 00FB45AB
StringFileInfo\, xrefs: 00FB451B
\VarFileInfo\Translation, xrefs: 00FB4540
04090000, xrefs: 00FB457E
%u.%u.%u.%u, xrefs: 00FB4626

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 85b6c0a88b8c4a5fe9039967c1b98b8145ad45c67cc45c9a4d66fdd57fc90812
Instruction ID: 9d534f5293f3d2dd3348fbeca64835f8575d3b529c0a9000de847b9eb1d5029a
Opcode Fuzzy Hash: 85b6c0a88b8c4a5fe9039967c1b98b8145ad45c67cc45c9a4d66fdd57fc90812
Instruction Fuzzy Hash: 1741FA329002057BDB11AA75CC07EFF776CDF45710F08806BF909A6182EB38AA11B6A6

Function 00F527D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F528BC
GetSystemMetrics.USER32(00000007), ref: 00F528C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F528EF
GetSystemMetrics.USER32(00000008), ref: 00F528F7
GetSystemMetrics.USER32(00000004), ref: 00F5291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F52939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F52949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F5297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F52990
GetClientRect.USER32(00000000,000000FF), ref: 00F529AE
GetStockObject.GDI32(00000011), ref: 00F529CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F529D5

Part of subcall function 00F52344: GetCursorPos.USER32(?), ref: 00F52357
Part of subcall function 00F52344: ScreenToClient.USER32(010157B0,?), ref: 00F52374
Part of subcall function 00F52344: GetAsyncKeyState.USER32(00000001), ref: 00F52399
Part of subcall function 00F52344: GetAsyncKeyState.USER32(00000002), ref: 00F523A7

SetTimer.USER32(00000000,00000000,00000028,00F51256), ref: 00F529FC

Strings

AutoIt v3 GUI, xrefs: 00F52974

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 932a5ddaf76344e2d8e761d448bb2292372952a6453165170f8ee184f7022566
Instruction ID: e80d19f402ba56a0cc7e830855838e0878a56875625f97605159717f213734f9
Opcode Fuzzy Hash: 932a5ddaf76344e2d8e761d448bb2292372952a6453165170f8ee184f7022566
Instruction Fuzzy Hash: DBB15E71A0020ADFDB14DFA8DC85BAD7BB5FB49311F10422AFE16E7290DB789845EB50

Function 00FD3DE2 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FD3E6F
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00FD3F2F

Strings

GETITEMCOUNT, xrefs: 00FD3EA1
GETTEXT, xrefs: 00FD3ED8
FINDITEM, xrefs: 00FD40A2
DESELECT, xrefs: 00FD401D
VIEWCHANGE, xrefs: 00FD40EE
ISSELECTED, xrefs: 00FD3F3A
GETSELECTEDCOUNT, xrefs: 00FD3F12
GETSELECTED, xrefs: 00FD405D
SELECT, xrefs: 00FD3FC9
SELECTALL, xrefs: 00FD3F96
SELECTCLEAR, xrefs: 00FD3FAE
SELECTINVERT, xrefs: 00FD3FFF
GETSUBITEMCOUNT, xrefs: 00FD3EBA

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 60bd34803fa482cfbcf28a365908d99ad93b9b27ba8e8bfdfaca89c11e87566f
Instruction ID: 0ca10ea21ad5b8c28e2d5497e101fb3266b1ff23e0e35851491dff06d0f99f07
Opcode Fuzzy Hash: 60bd34803fa482cfbcf28a365908d99ad93b9b27ba8e8bfdfaca89c11e87566f
Instruction Fuzzy Hash: 98A19471604301DBDA04EF10CC56A6A73A6BF45314F18841EBD965B3D2CB74ED09EB52

Function 00FAA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00FAA47A
__swprintf.LIBCMT ref: 00FAA51B
_wcscmp.LIBCMT ref: 00FAA52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00FAA583
_wcscmp.LIBCMT ref: 00FAA5BF
GetClassNameW.USER32(?,?,00000400), ref: 00FAA5F6
GetDlgCtrlID.USER32(?), ref: 00FAA648
GetWindowRect.USER32(?,?), ref: 00FAA67E
GetParent.USER32(?), ref: 00FAA69C
ScreenToClient.USER32(00000000), ref: 00FAA6A3
GetClassNameW.USER32(?,?,00000100), ref: 00FAA71D
_wcscmp.LIBCMT ref: 00FAA731
GetWindowTextW.USER32(?,?,00000400), ref: 00FAA757
_wcscmp.LIBCMT ref: 00FAA76B

Part of subcall function 00F7362C: _iswctype.LIBCMT ref: 00F73634

Strings

%s%u, xrefs: 00FAA515

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: b2682941cf42901ab3e974a3d75759b5787dc66d35ba1753f35f51c524b7eafb
Instruction ID: 68aa250d74351977a82890a284ee2c946cea717d6d7dffdf6e79f7c119f4e670
Opcode Fuzzy Hash: b2682941cf42901ab3e974a3d75759b5787dc66d35ba1753f35f51c524b7eafb
Instruction Fuzzy Hash: 1CA1D2B1604706BFD715DF60C884FAAB7E8FF45320F04852AF999C2190DB34E959EB92

Function 00FAAED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00FAAF18
_wcscmp.LIBCMT ref: 00FAAF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 00FAAF51
CharUpperBuffW.USER32(?,00000000), ref: 00FAAF6E
_wcscmp.LIBCMT ref: 00FAAF8C
_wcsstr.LIBCMT ref: 00FAAF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00FAAFD5
_wcscmp.LIBCMT ref: 00FAAFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 00FAB00C
GetClassNameW.USER32(00000018,?,00000400), ref: 00FAB055
_wcscmp.LIBCMT ref: 00FAB065
GetClassNameW.USER32(00000010,?,00000400), ref: 00FAB08D
GetWindowRect.USER32(00000004,?), ref: 00FAB0F6

Strings

ThumbnailClass, xrefs: 00FAAFE0, 00FAB060
@, xrefs: 00FAAEF9

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: edc4b5ea2b7a69eb1e9a29d0186397a2b8bb72da9e87c654c5974fed1b44697f
Instruction ID: f26f21afa4e889050834766dd982e1ebddb6fb65d832465b71374d2251ea8c0e
Opcode Fuzzy Hash: edc4b5ea2b7a69eb1e9a29d0186397a2b8bb72da9e87c654c5974fed1b44697f
Instruction Fuzzy Hash: 3981D6B15083099FDB05DF14C885FAA7BE8FF45724F04846AFD858A092DB34DD49EB62

Function 00FAABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00FAAC33

Strings

LAST, xrefs: 00FAABF8
CLASSNAME=, xrefs: 00FAAC70
ACTIVE, xrefs: 00FAAC0E
[ACTIVE, xrefs: 00FAAC20
[CLASS:, xrefs: 00FAAC83
ALL, xrefs: 00FAACC7
[ALL, xrefs: 00FAACD9
[LAST, xrefs: 00FAACE0
[HANDLE:, xrefs: 00FAAC3F
HANDLE=, xrefs: 00FAAC2C
[REGEXPTITLE:, xrefs: 00FAAC5B
REGEXP=, xrefs: 00FAAC48

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 7c2dbb0228a4aa95b22ea688b2ceb1ff514f6a3687143c66411c742dca2593a0
Instruction ID: b8597d1cb99c117a30fb0e0f7cca51d51f8eb2b37ed31d6a95033bffe45f9de1
Opcode Fuzzy Hash: 7c2dbb0228a4aa95b22ea688b2ceb1ff514f6a3687143c66411c742dca2593a0
Instruction Fuzzy Hash: 2C31C3B1944209ABEB15FA91DD03EAE7768AF12721F20001DF982750D1EF5DAF4CF652

Function 00FC4FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00FC5013
LoadCursorW.USER32(00000000,00007F00), ref: 00FC501E
LoadCursorW.USER32(00000000,00007F03), ref: 00FC5029
LoadCursorW.USER32(00000000,00007F8B), ref: 00FC5034
LoadCursorW.USER32(00000000,00007F01), ref: 00FC503F
LoadCursorW.USER32(00000000,00007F81), ref: 00FC504A
LoadCursorW.USER32(00000000,00007F88), ref: 00FC5055
LoadCursorW.USER32(00000000,00007F80), ref: 00FC5060
LoadCursorW.USER32(00000000,00007F86), ref: 00FC506B
LoadCursorW.USER32(00000000,00007F83), ref: 00FC5076
LoadCursorW.USER32(00000000,00007F85), ref: 00FC5081
LoadCursorW.USER32(00000000,00007F82), ref: 00FC508C
LoadCursorW.USER32(00000000,00007F84), ref: 00FC5097
LoadCursorW.USER32(00000000,00007F04), ref: 00FC50A2
LoadCursorW.USER32(00000000,00007F02), ref: 00FC50AD
LoadCursorW.USER32(00000000,00007F89), ref: 00FC50B8
GetCursorInfo.USER32(?), ref: 00FC50C8

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: def4c98f62340ff53c012dc24c6135bf8c1704823d648f9d2ffd519c1c77697a
Instruction ID: 1699796245340666aaa78009b1111f250baac3a8373a05eda15acfc6f2c8c055
Opcode Fuzzy Hash: def4c98f62340ff53c012dc24c6135bf8c1704823d648f9d2ffd519c1c77697a
Instruction Fuzzy Hash: 213123B1D4831A6ADF109FB68C89D5FBFE8FB04750F50452AA50DE7280DA78A5409E91

Function 00FDA1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FDA259
DestroyWindow.USER32(?,?), ref: 00FDA2D3

Part of subcall function 00F57BCC: _memmove.LIBCMT ref: 00F57C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00FDA34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00FDA36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FDA382
DestroyWindow.USER32(00000000), ref: 00FDA3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F50000,00000000), ref: 00FDA3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FDA3F4
GetDesktopWindow.USER32 ref: 00FDA40D
GetWindowRect.USER32(00000000), ref: 00FDA414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FDA42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00FDA444

Part of subcall function 00F525DB: GetWindowLongW.USER32(?,000000EB), ref: 00F525EC

Strings

tooltips_class32, xrefs: 00FDA346, 00FDA3D4
0, xrefs: 00FDA26F

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 946592bd0ac7c3d894e4d617f9aec45cd92c40c250e051fdfef8a1e0b9e92f44
Instruction ID: 9e56b20f67a35604bc272b76d34c8d23bc7e652d11796878809ae9f3e93d685f
Opcode Fuzzy Hash: 946592bd0ac7c3d894e4d617f9aec45cd92c40c250e051fdfef8a1e0b9e92f44
Instruction Fuzzy Hash: 8F71B071540205AFD721CF28CC49F6677E6FB89310F08451EF9859B3A0CBB5E906EB56

Function 00FDC5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F52612: GetWindowLongW.USER32(?,000000EB), ref: 00F52623

DragQueryPoint.SHELL32(?,?), ref: 00FDC627

Part of subcall function 00FDAB37: ClientToScreen.USER32(?,?), ref: 00FDAB60
Part of subcall function 00FDAB37: GetWindowRect.USER32(?,?), ref: 00FDABD6
Part of subcall function 00FDAB37: PtInRect.USER32(?,?,00FDC014), ref: 00FDABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 00FDC690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00FDC69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00FDC6BE
_wcscat.LIBCMT ref: 00FDC6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00FDC705
SendMessageW.USER32(?,000000B0,?,?), ref: 00FDC71E
SendMessageW.USER32(?,000000B1,?,?), ref: 00FDC735
SendMessageW.USER32(?,000000B1,?,?), ref: 00FDC757
DragFinish.SHELL32(?), ref: 00FDC75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00FDC851

Strings

@GUI_DRAGID, xrefs: 00FDC7C9
@GUI_DRAGFILE, xrefs: 00FDC800
@GUI_DROPID, xrefs: 00FDC77E

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 0ea54a5608878cdde2a6774b3f5c1c4358a49d75a88cec4ac3ae8cbb408a74a6
Instruction ID: 11ac2652a3ca47b33fbe78e2d6f238c9b10c67d35f182201c1fbcfbab59f7b81
Opcode Fuzzy Hash: 0ea54a5608878cdde2a6774b3f5c1c4358a49d75a88cec4ac3ae8cbb408a74a6
Instruction Fuzzy Hash: 65619C71108305AFC701EF64CC85D9FBBE9EF89710F00091EFA95962A1DB749A09DB92

Function 00FD4392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FD4424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FD446F

Strings

EXISTS, xrefs: 00FD44D8
GETSELECTED, xrefs: 00FD457F
GETITEMCOUNT, xrefs: 00FD4551
SELECT, xrefs: 00FD4620
COLLAPSE, xrefs: 00FD44B5
EXPAND, xrefs: 00FD4521
GETTEXT, xrefs: 00FD45C2
ISCHECKED, xrefs: 00FD45F2
GETTOTALCOUNT, xrefs: 00FD4456
CHECK, xrefs: 00FD448F
UNCHECK, xrefs: 00FD464B

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 1a3ee254d5e176801d4da7f6777eb0cf6299844b74f6227680aa794db8b19031
Instruction ID: aceab1b9feb1d34919c877447e7662e4c8c3c7e825b8d6b1a966ef2c3634a36b
Opcode Fuzzy Hash: 1a3ee254d5e176801d4da7f6777eb0cf6299844b74f6227680aa794db8b19031
Instruction Fuzzy Hash: 17919F716047019FCA04EF10C851A6EB7A2AF95754F08885EFC965B3A2CB78ED49EB81

Function 00FDB7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00FDB8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00FD91C2), ref: 00FDB910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FDB949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00FDB98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FDB9C3
FreeLibrary.KERNEL32(?), ref: 00FDB9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FDB9DF
DestroyIcon.USER32(?,?,?,?,?,00FD91C2), ref: 00FDB9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00FDBA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00FDBA17

Part of subcall function 00F72EFD: __wcsicmp_l.LIBCMT ref: 00F72F86

Strings

.dll, xrefs: 00FDB86D
.icl, xrefs: 00FDB82A
.exe, xrefs: 00FDB84A

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: bb93e54f33ffa81b01be2bfcf7c8f275f8142197f565e7e662a2120f45e13602
Instruction ID: 0853ce1fa8224833ca75c54e8253564f0e95e227a14a3199442713bfe6a87e53
Opcode Fuzzy Hash: bb93e54f33ffa81b01be2bfcf7c8f275f8142197f565e7e662a2120f45e13602
Instruction Fuzzy Hash: 8961EE71900209FAEB14DF74CC41FBE7BA9EB08721F14851AFA15D62C1DB749A85FBA0

Function 00FBDC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00FBDCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 00FBDCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00FBDCF8
__wsplitpath.LIBCMT ref: 00FBDD56
_wcscat.LIBCMT ref: 00FBDD6E
_wcscat.LIBCMT ref: 00FBDD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FBDD95
SetCurrentDirectoryW.KERNEL32(?), ref: 00FBDDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 00FBDDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 00FBDDFC
_wcscpy.LIBCMT ref: 00FBDE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FBDE47

Strings

*.*, xrefs: 00FBDE02

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: e4705156e1a1d44964ca215b733712e36c83feef3a8be161c9b7a1a5f00719b1
Instruction ID: 250b392fc80368ea716458fdf0634fd3ed68c70c87854037ac2b03ba78abf913
Opcode Fuzzy Hash: e4705156e1a1d44964ca215b733712e36c83feef3a8be161c9b7a1a5f00719b1
Instruction Fuzzy Hash: E8616CB25082059FCB10EF21C844DAEB7E8FF89324F04491EF98987251EB75E949DF52

Function 00FB9C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00FB9C7F

Part of subcall function 00F57DE1: _memmove.LIBCMT ref: 00F57E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00FB9CA0
__swprintf.LIBCMT ref: 00FB9CF9
__swprintf.LIBCMT ref: 00FB9D12
_wprintf.LIBCMT ref: 00FB9DB9
_wprintf.LIBCMT ref: 00FB9DD7

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00FB9DB4
^ ERROR , xrefs: 00FB9D4E
Error: , xrefs: 00FB9D81
Incorrect parameters to object property !, xrefs: 00FB9D5B
Line %d (File "%s"):, xrefs: 00FB9CF3, 00FB9D0C
"%s" (%d) : ==> %s:, xrefs: 00FB9DD2

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 07d46d1501a17dfa09f81fbc3c9f245a7f8a4dbe5e032e0db9c614fbd98910fc
Instruction ID: e4e7347dd97f676ad0b8d07dd1f7fb520efe5cd1daaa49fcfb52ba94337d712b
Opcode Fuzzy Hash: 07d46d1501a17dfa09f81fbc3c9f245a7f8a4dbe5e032e0db9c614fbd98910fc
Instruction Fuzzy Hash: 6251AF72900209AACF15FBE1DD46EEEB778AF08301F104065FA0576062EB396F4CEB61

Function 00FBA352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00F59837: __itow.LIBCMT ref: 00F59862
Part of subcall function 00F59837: __swprintf.LIBCMT ref: 00F598AC

CharLowerBuffW.USER32(?,?), ref: 00FBA3CB
GetDriveTypeW.KERNEL32 ref: 00FBA418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FBA460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FBA497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FBA4C5

Part of subcall function 00F57BCC: _memmove.LIBCMT ref: 00F57C06

Strings

set cd door , xrefs: 00FBA466
closed, xrefs: 00FBA3DF, 00FBA3E8
close, xrefs: 00FBA3D1
open, xrefs: 00FBA3F2
open , xrefs: 00FBA427
wait, xrefs: 00FBA482
type cdaudio alias cd wait, xrefs: 00FBA443
close cd wait, xrefs: 00FBA4B0

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: aae5b4df410e43f0da167ce25fe843dbf63f4482b47aae1a0000316fa72b4a25
Instruction ID: 3b7a088de9d37354ee49792a79b67ddb2b403504bca627b51e9b5c6bc8644159
Opcode Fuzzy Hash: aae5b4df410e43f0da167ce25fe843dbf63f4482b47aae1a0000316fa72b4a25
Instruction Fuzzy Hash: CA5158715083059FD704EF21CC9186AB7E8FF88719F04886DF88A572A1DB75ED09DB42

Function 00FAF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00F8E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00FAF8DF
LoadStringW.USER32(00000000,?,00F8E029,00000001), ref: 00FAF8E8

Part of subcall function 00F57DE1: _memmove.LIBCMT ref: 00F57E22

GetModuleHandleW.KERNEL32(00000000,01015310,?,00000FFF,?,?,00F8E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00FAF90A
LoadStringW.USER32(00000000,?,00F8E029,00000001), ref: 00FAF90D
__swprintf.LIBCMT ref: 00FAF95D
__swprintf.LIBCMT ref: 00FAF96E
_wprintf.LIBCMT ref: 00FAFA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FAFA2E

Strings

Error: , xrefs: 00FAF9E5
%s (%d) : ==> %s: %s %s, xrefs: 00FAFA12
Line %d:, xrefs: 00FAF968
Line %d (File "%s"):, xrefs: 00FAF957
^ ERROR, xrefs: 00FAF9C3

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: ca0405a4818281eed785e9a4327d78a8f16a9b63a00e1673d70711b95a36d553
Instruction ID: 8ed60cccbe3f7ea37be910741444fbfe7a91e276c93d1080289e0b273dcc35c4
Opcode Fuzzy Hash: ca0405a4818281eed785e9a4327d78a8f16a9b63a00e1673d70711b95a36d553
Instruction Fuzzy Hash: 844141B280020DAACF05FBE0DD96DEE7778AF15701F500065FA05B60A2EA395F0DEB61

Function 00FDBA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00FD9207,?,?), ref: 00FDBA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00FD9207,?,?,00000000,?), ref: 00FDBA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00FD9207,?,?,00000000,?), ref: 00FDBA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00FD9207,?,?,00000000,?), ref: 00FDBA85
GlobalLock.KERNEL32(00000000), ref: 00FDBA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00FD9207,?,?,00000000,?), ref: 00FDBA9D
GlobalUnlock.KERNEL32(00000000), ref: 00FDBAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00FD9207,?,?,00000000,?), ref: 00FDBAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00FD9207,?,?,00000000,?), ref: 00FDBABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00FE2CAC,?), ref: 00FDBAD7
GlobalFree.KERNEL32(00000000), ref: 00FDBAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 00FDBB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00FDBB36
DeleteObject.GDI32(00000000), ref: 00FDBB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00FDBB74

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 6a2663d2c4a5bd36e7c28b509d7c2fd2c678a29581e2751ab05dfe762d1a6693
Instruction ID: 976c78726daa919bf0d669ab0ca5de2c1e627310c26e1b4f1f17445df5549307
Opcode Fuzzy Hash: 6a2663d2c4a5bd36e7c28b509d7c2fd2c678a29581e2751ab05dfe762d1a6693
Instruction Fuzzy Hash: CA414A75601208EFDB119F65DC88EAA7BBAFF89721F15406AF906D7260D7309E05EB20

Function 00FBD899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00FBDA10
_wcscat.LIBCMT ref: 00FBDA28
_wcscat.LIBCMT ref: 00FBDA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FBDA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 00FBDA63
GetFileAttributesW.KERNEL32(?), ref: 00FBDA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00FBDA95
SetCurrentDirectoryW.KERNEL32(?), ref: 00FBDAA7

Strings

*.*, xrefs: 00FBDAE6

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 707f0a57dcf630b6989ce1da6f9d55101fb2eeba4e2ced3ab64f3d2cb78ba611
Instruction ID: f85a868fe9f7454afdf2350f2a0ef437d697083cdbfe3da3e6df6693e1932bde
Opcode Fuzzy Hash: 707f0a57dcf630b6989ce1da6f9d55101fb2eeba4e2ced3ab64f3d2cb78ba611
Instruction Fuzzy Hash: B781A4729042459FCB24EF65C844AEAB7E8BF89354F18882EF889C7251E734D944EF53

Function 00FDC1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F52612: GetWindowLongW.USER32(?,000000EB), ref: 00F52623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FDC1FC
GetFocus.USER32 ref: 00FDC20C
GetDlgCtrlID.USER32(00000000), ref: 00FDC217
_memset.LIBCMT ref: 00FDC342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00FDC36D
GetMenuItemCount.USER32(?), ref: 00FDC38D
GetMenuItemID.USER32(?,00000000), ref: 00FDC3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00FDC3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00FDC41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FDC454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00FDC489

Strings

0, xrefs: 00FDC33A

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 65433ef661bc447a2e95c301c8d45382f067561e39a0b68d710e30a3a1a3454c
Instruction ID: afd10532eb72302c27e68b02434ca509800d9746784276a518a034ba952bca8d
Opcode Fuzzy Hash: 65433ef661bc447a2e95c301c8d45382f067561e39a0b68d710e30a3a1a3454c
Instruction Fuzzy Hash: CA819C716083029FD710CF24D894A6ABBEAFF89724F08492FF99597391C734D905EB92

Function 00FC731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FC738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00FC739B
CreateCompatibleDC.GDI32(?), ref: 00FC73A7
SelectObject.GDI32(00000000,?), ref: 00FC73B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00FC7408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00FC7444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00FC7468
SelectObject.GDI32(00000006,?), ref: 00FC7470
DeleteObject.GDI32(?), ref: 00FC7479
DeleteDC.GDI32(00000006), ref: 00FC7480
ReleaseDC.USER32(00000000,?), ref: 00FC748B

Strings

(, xrefs: 00FC7410

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 49d1e89545bd52eb4a1fa3b89413cda307ec7278db1404a32c65d4e63b587edd
Instruction ID: f22ddbf82f43796734d81b75b72a86d3b37c6cc638e02c345835343dcf4f2132
Opcode Fuzzy Hash: 49d1e89545bd52eb4a1fa3b89413cda307ec7278db1404a32c65d4e63b587edd
Instruction Fuzzy Hash: B9514871904309EFCB14DFA8CC89EAEBBB9EF48310F14852EF95A97210C731A944AB50

Function 00F56A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00F70957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00F56B0C,?,00008000), ref: 00F70973

Part of subcall function 00F54750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F54743,?,?,00F537AE,?), ref: 00F54770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00F56BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00F56CFA

Part of subcall function 00F5586D: _wcscpy.LIBCMT ref: 00F558A5

Part of subcall function 00F7363D: _iswctype.LIBCMT ref: 00F73645

Strings

Unterminated string, xrefs: 00F8E7E4
AU3!, xrefs: 00F56B61
EA06, xrefs: 00F8E452
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00F8E421
>>>AUTOIT SCRIPT<<<, xrefs: 00F8E496
Bad directive syntax error, xrefs: 00F8E79D
Error opening the file, xrefs: 00F8E43D, 00F8E4B8

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: eb1192438e1a74868d3abece05d742dcdef82b1a61d3fe0a2d77d8c53c4d0fec
Instruction ID: 326a56e0ababce8a0026b45ce8bf116e49064c80fea2f6446e1b29fc20d7b71b
Opcode Fuzzy Hash: eb1192438e1a74868d3abece05d742dcdef82b1a61d3fe0a2d77d8c53c4d0fec
Instruction Fuzzy Hash: BC02CD715083419FC720EF20C891AAFBBE5BF95315F04481EF99A972A1DB38D94DEB42

Function 00FB2D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FB2D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00FB2DDD
GetMenuItemCount.USER32(01015890), ref: 00FB2E66
DeleteMenu.USER32(01015890,00000005,00000000,000000F5,?,?), ref: 00FB2EF6
DeleteMenu.USER32(01015890,00000004,00000000), ref: 00FB2EFE
DeleteMenu.USER32(01015890,00000006,00000000), ref: 00FB2F06
DeleteMenu.USER32(01015890,00000003,00000000), ref: 00FB2F0E
GetMenuItemCount.USER32(01015890), ref: 00FB2F16
SetMenuItemInfoW.USER32(01015890,00000004,00000000,00000030), ref: 00FB2F4C
GetCursorPos.USER32(?), ref: 00FB2F56
SetForegroundWindow.USER32(00000000), ref: 00FB2F5F
TrackPopupMenuEx.USER32(01015890,00000000,?,00000000,00000000,00000000), ref: 00FB2F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00FB2F7E

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 44b2e30c16bca298a55efe613f778723e4db2227429eb9db9daf79fe6274ab60
Instruction ID: b7a062668adbba4c6ec2ccc109216e1ab4f47be2cfcc60472e1e5168a5e03348
Opcode Fuzzy Hash: 44b2e30c16bca298a55efe613f778723e4db2227429eb9db9daf79fe6274ab60
Instruction Fuzzy Hash: 33710431A01209BAEB619F26DC85FEABF65FF04324F140216F615AA1E0C7B59C24FF90

Function 00FA77DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F57BCC: _memmove.LIBCMT ref: 00F57C06

_memset.LIBCMT ref: 00FA786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00FA78A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00FA78BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00FA78D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00FA7902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00FA792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FA7935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FA793A

Strings

\CLSID, xrefs: 00FA7822
SOFTWARE\Classes\, xrefs: 00FA780C
\IPC$, xrefs: 00FA7882

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: ff908033568ab9eadc9815f04cdc2f56addf6c625608818b8bbecb1110707f29
Instruction ID: f8f0da8b7b818a826e205a7bd67e44adff40c4af6a2c936a03544cd1bb7dc60b
Opcode Fuzzy Hash: ff908033568ab9eadc9815f04cdc2f56addf6c625608818b8bbecb1110707f29
Instruction Fuzzy Hash: 21410872C1462DABDB11EBA4EC95DEEB778BF04751F04402AE905A7161DA389E08EB90

Function 00FD0E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FCFDAD,?,?), ref: 00FD0E31

Strings

HKCC, xrefs: 00FD0EFF
HKCU, xrefs: 00FD0F21
HKEY_CLASSES_ROOT, xrefs: 00FD0EC4
HKCR, xrefs: 00FD0ED9
HKLM, xrefs: 00FD0EAF
HKEY_USERS, xrefs: 00FD0F32
HKU, xrefs: 00FD0F43
HKEY_LOCAL_MACHINE, xrefs: 00FD0E9A
HKEY_CURRENT_USER, xrefs: 00FD0F10
HKEY_CURRENT_CONFIG, xrefs: 00FD0EEE

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 4d0aaec05947c827d1c29ab664671d6ec6372550fdd4fd44b393bea14fe806f3
Instruction ID: 38b989be9d556442bf18ea35427005ea2b6339938527db76a61731f82dc8753b
Opcode Fuzzy Hash: 4d0aaec05947c827d1c29ab664671d6ec6372550fdd4fd44b393bea14fe806f3
Instruction Fuzzy Hash: BD41797190020A8BEF11EF10EC62BEE3765FF11714F694406FC991B292DF389919EB61

Function 00FAF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F8E2A0,00000010,?,Bad directive syntax error,00FDF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00FAF7C2
LoadStringW.USER32(00000000,?,00F8E2A0,00000010), ref: 00FAF7C9

Part of subcall function 00F57DE1: _memmove.LIBCMT ref: 00F57E22

_wprintf.LIBCMT ref: 00FAF7FC
__swprintf.LIBCMT ref: 00FAF81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00FAF88D

Strings

Error: , xrefs: 00FAF85B
., xrefs: 00FAF873
%s (%d) : ==> %s.: %s %s, xrefs: 00FAF7F7
Line %d:, xrefs: 00FAF818
Line %d (File "%s"):, xrefs: 00FAF833

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 3405e0e67c94f168a62f78b7264a0b5251ccdad0e23e00d5d78d34a8f1780bfc
Instruction ID: f49e34eb2b97c13e10320f4cdf590ee4791fc9169f75e300b80c4304ee3731e5
Opcode Fuzzy Hash: 3405e0e67c94f168a62f78b7264a0b5251ccdad0e23e00d5d78d34a8f1780bfc
Instruction Fuzzy Hash: 1B216F72D0021DBBCF12EF90DC5AEED7739BF18301F04446AFA156A0A2DA39961CEB51

Function 00FB52C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00F57BCC: _memmove.LIBCMT ref: 00F57C06

Part of subcall function 00F57924: _memmove.LIBCMT ref: 00F579AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00FB5330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00FB5346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FB5357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00FB5369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00FB537A

Strings

play PlayMe wait, xrefs: 00FB5364
play PlayMe, xrefs: 00FB5375
alias PlayMe, xrefs: 00FB5309
open , xrefs: 00FB52DF
status PlayMe mode, xrefs: 00FB532B
close PlayMe, xrefs: 00FB5341, 00FB536E

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: a127ec524cdebbbfe7e2143d08aaabf656f7b4621c89a09b20b391347c3674ae
Instruction ID: f112be1ec7df81913d70bdf5dc779c32c6c99ca68f5cfed946e5bb36b9dc026e
Opcode Fuzzy Hash: a127ec524cdebbbfe7e2143d08aaabf656f7b4621c89a09b20b391347c3674ae
Instruction Fuzzy Hash: C711B221E5022979E720B662DC4AEFF7BBCFB95F50F04042AB905A60D1EAA44D08D9B0

Function 00FB46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00FB46D2
gethostname.WSOCK32(?,00000100), ref: 00FB46EC
gethostbyname.WSOCK32(?), ref: 00FB46F9
_wcscpy.LIBCMT ref: 00FB4721
_memmove.LIBCMT ref: 00FB4734
inet_ntoa.WSOCK32(?), ref: 00FB473F
_strcat.LIBCMT ref: 00FB474D
_wcscpy.LIBCMT ref: 00FB4764
WSACleanup.WSOCK32 ref: 00FB4772
_wcscpy.LIBCMT ref: 00FB4780

Strings

0.0.0.0, xrefs: 00FB471B

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 8fb34111cfeeccfd2211ba95550772bf2b89e441aaea6ca25db20c1ce328d34a
Instruction ID: 12851fce36ac8f11a41ea4b7e27441dc8bdd78d8c18f48f50fb41b0a250a1b8e
Opcode Fuzzy Hash: 8fb34111cfeeccfd2211ba95550772bf2b89e441aaea6ca25db20c1ce328d34a
Instruction Fuzzy Hash: 8B11D832900118AFDB20AB319C46EEE77BCEF01721F144177F44A96052EF759985FA52

Function 00FB4F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00FB4F7A

Part of subcall function 00F7049F: timeGetTime.WINMM(?,7608B400,00F60E7B), ref: 00F704A3

Sleep.KERNEL32(0000000A), ref: 00FB4FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00FB4FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00FB4FEC
SetActiveWindow.USER32 ref: 00FB500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00FB5019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00FB5038
Sleep.KERNEL32(000000FA), ref: 00FB5043
IsWindow.USER32 ref: 00FB504F
EndDialog.USER32(00000000), ref: 00FB5060

Strings

BUTTON, xrefs: 00FB4FDE

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 3dc708d553c9d5da31e43bfe2f56a4309a813b71b52fb09e1c8dac39233966db
Instruction ID: a6b3465f88dc9c86caba72a492e46224895edfcf7f952f0790295d2f957117de
Opcode Fuzzy Hash: 3dc708d553c9d5da31e43bfe2f56a4309a813b71b52fb09e1c8dac39233966db
Instruction Fuzzy Hash: 7621CC71506205BFE7205F31ED85FB53B6AEB46755F041025F142821A5CB7F9D04BF61

Function 00FBD58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F59837: __itow.LIBCMT ref: 00F59862
Part of subcall function 00F59837: __swprintf.LIBCMT ref: 00F598AC

CoInitialize.OLE32(00000000), ref: 00FBD5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00FBD67D
SHGetDesktopFolder.SHELL32(?), ref: 00FBD691
CoCreateInstance.OLE32(00FE2D7C,00000000,00000001,01008C1C,?), ref: 00FBD6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00FBD74C
CoTaskMemFree.OLE32(?,?), ref: 00FBD7A4
_memset.LIBCMT ref: 00FBD7E1
SHBrowseForFolderW.SHELL32(?), ref: 00FBD81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00FBD840
CoTaskMemFree.OLE32(00000000), ref: 00FBD847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00FBD87E
CoUninitialize.OLE32(00000001,00000000), ref: 00FBD880

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: d8c72ba98f4701c36414a42a10acc106eb34ee9e10c0c5357bac291ed516c596
Instruction ID: 5661f4a195932ef2dd97fd52436a041644d3a2e584d46d7c5114a8619b14f543
Opcode Fuzzy Hash: d8c72ba98f4701c36414a42a10acc106eb34ee9e10c0c5357bac291ed516c596
Instruction Fuzzy Hash: 83B12975A00109AFDB04DFA5CC84DAEBBB9FF49314B148069E90AEB261DB30ED45DF51

Function 00FAC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00FAC283
GetWindowRect.USER32(00000000,?), ref: 00FAC295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00FAC2F3
GetDlgItem.USER32(?,00000002), ref: 00FAC2FE
GetWindowRect.USER32(00000000,?), ref: 00FAC310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00FAC364
GetDlgItem.USER32(?,000003E9), ref: 00FAC372
GetWindowRect.USER32(00000000,?), ref: 00FAC383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00FAC3C6
GetDlgItem.USER32(?,000003EA), ref: 00FAC3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00FAC3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00FAC3FE

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 465e7abe55a31e770637dc85662f1b43993af75bc71c4db221c86035d1583f41
Instruction ID: 9db46f34e25153a04600fe73d1fd41ddc55577ef8e18b7d8d71705146338a1be
Opcode Fuzzy Hash: 465e7abe55a31e770637dc85662f1b43993af75bc71c4db221c86035d1583f41
Instruction Fuzzy Hash: 69514FB1B00209ABDF18CFB9DD89EAEBBB6EB88310F14812DF516D7290D7709D049B50

Function 00F5201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F51B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F52036,?,00000000,?,?,?,?,00F516CB,00000000,?), ref: 00F51B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00F520D3
KillTimer.USER32(-00000001,?,?,?,?,00F516CB,00000000,?,?,00F51AE2,?,?), ref: 00F5216E
DestroyAcceleratorTable.USER32(00000000), ref: 00F8BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F516CB,00000000,?,?,00F51AE2,?,?), ref: 00F8BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F516CB,00000000,?,?,00F51AE2,?,?), ref: 00F8BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F516CB,00000000,?,?,00F51AE2,?,?), ref: 00F8BD0A
DeleteObject.GDI32(00000000), ref: 00F8BD1C

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 53b0a3311ddc1a456f539fae031020d07202e537dd866b74e5e1171a23a25215
Instruction ID: 7c393f079b59b8c786bc077b0c34c7ab1de4268509e0e45af6740dcdcc92672d
Opcode Fuzzy Hash: 53b0a3311ddc1a456f539fae031020d07202e537dd866b74e5e1171a23a25215
Instruction Fuzzy Hash: 46619432901A00DFC775AF14DD48B6677F2FF82322F104529EA825B5A4C779A859FF50

Function 00F521A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00F525DB: GetWindowLongW.USER32(?,000000EB), ref: 00F525EC

GetSysColor.USER32(0000000F), ref: 00F521D3

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 5e4052625cdc5a6f599c013b1bf6557c5058c4903a3ec531aeb991d7c2c56ad8
Instruction ID: 5803310dd95345ad015d438ea7f152fa6f36c70195eaa85537c72494c18eb5fe
Opcode Fuzzy Hash: 5e4052625cdc5a6f599c013b1bf6557c5058c4903a3ec531aeb991d7c2c56ad8
Instruction Fuzzy Hash: 62419F355011449FEB615F28EC88BB93B66EB07332F184366FE668A1E5C7318D46FB21

Function 00FBA8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00FDF910), ref: 00FBA90B
GetDriveTypeW.KERNEL32(00000061,010089A0,00000061), ref: 00FBA9D5
_wcscpy.LIBCMT ref: 00FBA9FF

Strings

ramdisk, xrefs: 00FBA97F
network, xrefs: 00FBA969
unknown, xrefs: 00FBA996
fixed, xrefs: 00FBA953
all, xrefs: 00FBA911
cdrom, xrefs: 00FBA927
removable, xrefs: 00FBA93D

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 9165d83bc3f77dfbda8f86d19c5bb7cf0e3931f5be6bdaf167d5f25e9b8da337
Instruction ID: ee8573f786e1ca8cf58b086690a756689670d18d9814f57a8562af3c007caee2
Opcode Fuzzy Hash: 9165d83bc3f77dfbda8f86d19c5bb7cf0e3931f5be6bdaf167d5f25e9b8da337
Instruction Fuzzy Hash: 0F51CE319083019BC304EF15CC92AAFB7A9FF84710F44881EF996572A2DB78D909EE53

Function 00F59837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00F59862
__swprintf.LIBCMT ref: 00F598AC
__i64tow.LIBCMT ref: 00F8F5E6

Strings

False, xrefs: 00F8F5AE
True, xrefs: 00F8F5A7
%.15g, xrefs: 00F598A6
0x%p, xrefs: 00F8F5C8

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 7b8cc22ee2b05a22b925124ad6360d12ee3d78dd97f7a06fe51b81125c64e0b1
Instruction ID: 1bc5f3bd8a7ca7df347d4350321f82417feb6ab5002b6f647bdfc429364aeb64
Opcode Fuzzy Hash: 7b8cc22ee2b05a22b925124ad6360d12ee3d78dd97f7a06fe51b81125c64e0b1
Instruction Fuzzy Hash: BB41F872904205EFDB28EF34DC41F7A73E8FF05311F24446EE949DA241EA759909AB11

Function 00FD7152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FD716A
CreateMenu.USER32 ref: 00FD7185
SetMenu.USER32(?,00000000), ref: 00FD7194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FD7221
IsMenu.USER32(?), ref: 00FD7237
CreatePopupMenu.USER32 ref: 00FD7241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FD726E
DrawMenuBar.USER32 ref: 00FD7276

Strings

0, xrefs: 00FD7160
F, xrefs: 00FD7262

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 840f7821d71d247e93293feede794b0472d9f96e6209241f06c7986592bffe43
Instruction ID: 75ad4ba2154d18d5144faf370249d8c067ae1660380b3e08415ea4026235d3e7
Opcode Fuzzy Hash: 840f7821d71d247e93293feede794b0472d9f96e6209241f06c7986592bffe43
Instruction Fuzzy Hash: ED415975A01209EFDB20EF64D844F9ABBB6FF49311F18012AF945AB351E731A914EF90

Function 00FD74BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00FD755E
CreateCompatibleDC.GDI32(00000000), ref: 00FD7565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00FD7578
SelectObject.GDI32(00000000,00000000), ref: 00FD7580
GetPixel.GDI32(00000000,00000000,00000000), ref: 00FD758B
DeleteDC.GDI32(00000000), ref: 00FD7594
GetWindowLongW.USER32(?,000000EC), ref: 00FD759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00FD75B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00FD75BE

Strings

static, xrefs: 00FD74F6

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 268a197601c3c7d866b2db26cf6e47d2b3659945634b64cc0af8a60a51d50d71
Instruction ID: 27bfeb25f932ab5801119f092b12e684dbf89f734990ec64c73adf91c21b06e2
Opcode Fuzzy Hash: 268a197601c3c7d866b2db26cf6e47d2b3659945634b64cc0af8a60a51d50d71
Instruction Fuzzy Hash: 87319032505218BBDF11AF74EC08FDB3B6AFF09321F194226FA16962A0D735D815EB61

Function 00F76E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F76E3E

Part of subcall function 00F78B28: __getptd_noexit.LIBCMT ref: 00F78B28

__gmtime64_s.LIBCMT ref: 00F76ED7
__gmtime64_s.LIBCMT ref: 00F76F0D
__gmtime64_s.LIBCMT ref: 00F76F2A
__allrem.LIBCMT ref: 00F76F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F76F9C
__allrem.LIBCMT ref: 00F76FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F76FD1
__allrem.LIBCMT ref: 00F76FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F77006
__invoke_watson.LIBCMT ref: 00F77077

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 3460f6a379e3b1258a8d20e6edf380271d17dfe9555a19f6b1084796201b4a66
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: CE71E776E00B17ABD714AE68DC41B9AB7A8AF04764F14C12BF518D6281F774E900A792

Function 00FB2527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FB2542
GetMenuItemInfoW.USER32(01015890,000000FF,00000000,00000030), ref: 00FB25A3
SetMenuItemInfoW.USER32(01015890,00000004,00000000,00000030), ref: 00FB25D9
Sleep.KERNEL32(000001F4), ref: 00FB25EB
GetMenuItemCount.USER32(?), ref: 00FB262F
GetMenuItemID.USER32(?,00000000), ref: 00FB264B
GetMenuItemID.USER32(?,-00000001), ref: 00FB2675
GetMenuItemID.USER32(?,?), ref: 00FB26BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FB2700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FB2714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FB2735

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 9a6f903d1566b5cba05533ca4c20a94a58c37fef570536031b49f501cb3685a1
Instruction ID: 29eb772855e84e89699e9e28ab95123de5e15e560fb8e24977faeae88cad88dd
Opcode Fuzzy Hash: 9a6f903d1566b5cba05533ca4c20a94a58c37fef570536031b49f501cb3685a1
Instruction Fuzzy Hash: DA61DF71900249AFDB61CF65DC88EFE7BBAEB46314F280459F842A7250DB35AD05EF21

Function 00FD6F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00FD6FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00FD6FA8
GetWindowLongW.USER32(?,000000F0), ref: 00FD6FCC
_memset.LIBCMT ref: 00FD6FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FD6FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00FD7067

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: f777eecf5a45439772022d5f74ce9602b3ae29f97be947b32ff4c96ea2f9791d
Instruction ID: c08c1365b09acdfaf939a6f5294ce6f313f179078c860b00f862d11a5bfc7dc6
Opcode Fuzzy Hash: f777eecf5a45439772022d5f74ce9602b3ae29f97be947b32ff4c96ea2f9791d
Instruction Fuzzy Hash: 7A618A71900208AFDB21DFA8CC81EEE77B9EB09710F14415AFA14EB3A1D775AD41EB90

Function 00FA6B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00FA6BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00FA6C18
VariantInit.OLEAUT32(?), ref: 00FA6C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00FA6C4A
VariantCopy.OLEAUT32(?,?), ref: 00FA6C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00FA6CB1
VariantClear.OLEAUT32(?), ref: 00FA6CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00FA6CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FA6CDC
VariantClear.OLEAUT32(?), ref: 00FA6CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FA6CF9

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 028afc4f353845d15d1f9f19dc3e5808c46baafbec177f36dfc0e9b378e4673f
Instruction ID: dc13cea97f00f46484d2bb19fe6746241ce929e214288dc22a55a168ada0b555
Opcode Fuzzy Hash: 028afc4f353845d15d1f9f19dc3e5808c46baafbec177f36dfc0e9b378e4673f
Instruction Fuzzy Hash: 96417071A0021DDFCF00DF64DC44DAEBBB9EF09351F048069E956E7261CB34A949EBA0

Function 00FC5732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00FC5793
inet_addr.WSOCK32(?,?,?), ref: 00FC57D8
gethostbyname.WSOCK32(?), ref: 00FC57E4
IcmpCreateFile.IPHLPAPI ref: 00FC57F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00FC5862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00FC5878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00FC58ED
WSACleanup.WSOCK32 ref: 00FC58F3

Strings

Ping, xrefs: 00FC5816

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: be56948dc0adf8c5dc2dc060f1b94c08b841345ad4fa10168d30c4a78ebf04f5
Instruction ID: 6ea03a9fd1aec243f8aa386de7feac076b4e72dc7ebc961d1c2c7e3cf5edfdc2
Opcode Fuzzy Hash: be56948dc0adf8c5dc2dc060f1b94c08b841345ad4fa10168d30c4a78ebf04f5
Instruction Fuzzy Hash: BC517C71A047019FDB109F24CD46F6A7BE4AF48B20F04852EF956DB2E1DB74E944EB42

Function 00FBB4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FBB4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00FBB546
GetLastError.KERNEL32 ref: 00FBB550
SetErrorMode.KERNEL32(00000000,READY), ref: 00FBB5BD

Strings

READONLY, xrefs: 00FBB588
INVALID, xrefs: 00FBB58F
READY, xrefs: 00FBB596
UNKNOWN, xrefs: 00FBB575
NOTREADY, xrefs: 00FBB57C

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 13b2444dc32bde8bb1bc4a9b224f8f3b166a607a1c92f42bcfdbdfda517f78d6
Instruction ID: dad923b7522246c5e9f750e7fc798f83c96180b8ca7104d1d239bb136f476482
Opcode Fuzzy Hash: 13b2444dc32bde8bb1bc4a9b224f8f3b166a607a1c92f42bcfdbdfda517f78d6
Instruction Fuzzy Hash: 28318F75E00209DFDB20EB69CC45EED77B4FF05311F18402AEA019B295DBB49A05EB52

Function 00FA8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F57DE1: _memmove.LIBCMT ref: 00F57E22

Part of subcall function 00FAAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FAAABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00FA9014
GetDlgCtrlID.USER32 ref: 00FA901F
GetParent.USER32 ref: 00FA903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FA903E
GetDlgCtrlID.USER32(?), ref: 00FA9047
GetParent.USER32(?), ref: 00FA9063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00FA9066

Strings

ComboBox, xrefs: 00FA8F9C
ListBox, xrefs: 00FA8FD1

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: c823ea66785c46e413e18ed14733f61309ae39cb3e6f4f94be44e6defd501166
Instruction ID: 10c90903c380306f87bfb668e022b3a368d8621444ecd3eb1a32322985b88319
Opcode Fuzzy Hash: c823ea66785c46e413e18ed14733f61309ae39cb3e6f4f94be44e6defd501166
Instruction Fuzzy Hash: D221A7B4A00108BFDF05ABB4CC95EFEBB75EF49310F104126B952972E1DB799919EB20

Function 00FA907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F57DE1: _memmove.LIBCMT ref: 00F57E22

Part of subcall function 00FAAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FAAABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00FA90FD
GetDlgCtrlID.USER32 ref: 00FA9108
GetParent.USER32 ref: 00FA9124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FA9127
GetDlgCtrlID.USER32(?), ref: 00FA9130
GetParent.USER32(?), ref: 00FA914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 00FA914F

Strings

ComboBox, xrefs: 00FA9087
ListBox, xrefs: 00FA90BC

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: f5677a627d7cff999a7050c131a6c007151f81bc258f3d29e6decbad7a9a9d0e
Instruction ID: 94465623c957472105d64e1eb2349d6e131cd0238f997ef6ecb23fc2f4e0704c
Opcode Fuzzy Hash: f5677a627d7cff999a7050c131a6c007151f81bc258f3d29e6decbad7a9a9d0e
Instruction Fuzzy Hash: 3221B6B5A00108BBDF01ABB4CC85EFEBB79EF49310F104026B951972A1DB79951DEB20

Function 00FA9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00FA916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00FA9184
_wcscmp.LIBCMT ref: 00FA9196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00FA9211

Strings

largeicons, xrefs: 00FA91A5
smallicons, xrefs: 00FA91D9
details, xrefs: 00FA91BF
list, xrefs: 00FA91F3
SHELLDLL_DefView, xrefs: 00FA9190

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 35cf385756f53dcc709eeb13293e21f01c09dbdc8fb77b69ebd3279cad6353eb
Instruction ID: b8e9a0bae343bd38406e8767bbd785f4a588148e3a4f93a4d7435316cee04776
Opcode Fuzzy Hash: 35cf385756f53dcc709eeb13293e21f01c09dbdc8fb77b69ebd3279cad6353eb
Instruction Fuzzy Hash: A81136B764C307BAFA122624DC0AEA737DC9F02330F20003BF904E44D1FEA569527990

Function 00FC88AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FC88D7
CoInitialize.OLE32(00000000), ref: 00FC8904
CoUninitialize.OLE32 ref: 00FC890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00FC8A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00FC8B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00FE2C0C), ref: 00FC8B6F
CoGetObject.OLE32(?,00000000,00FE2C0C,?), ref: 00FC8B92
SetErrorMode.KERNEL32(00000000), ref: 00FC8BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00FC8C25
VariantClear.OLEAUT32(?), ref: 00FC8C35

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 7409369f735fd3db6d0cc9179cdbdee0ef87a1396ef48c2bf15a2cf35279a76c
Instruction ID: 8f7021a7dc18bdab07b6d41e21fc1c49ce684cf7e33a04ad899aa85081bc6066
Opcode Fuzzy Hash: 7409369f735fd3db6d0cc9179cdbdee0ef87a1396ef48c2bf15a2cf35279a76c
Instruction Fuzzy Hash: F4C137B1608306AFC700DF24C985E2AB7E9BF89788F04491DF9869B251DB71ED06DB52

Function 00FB7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00FB7A6C

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: a978b26aa1947f5d5a459c6ab616366390b69e03b17c063b50efa673abddd9ec
Instruction ID: 44281a0abe82d85870eb7039496b447b5a5ff89708be09d019c9988cc2db53ee
Opcode Fuzzy Hash: a978b26aa1947f5d5a459c6ab616366390b69e03b17c063b50efa673abddd9ec
Instruction Fuzzy Hash: 57B18071A083099FDB10EFA5C884BFEBBB5EF89321F144429E501E7291D734A945EF90

Function 00FB11CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FB11F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00FB0268,?,00000001), ref: 00FB1204
GetWindowThreadProcessId.USER32(00000000), ref: 00FB120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FB0268,?,00000001), ref: 00FB121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FB122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FB0268,?,00000001), ref: 00FB1245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FB0268,?,00000001), ref: 00FB1257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00FB0268,?,00000001), ref: 00FB129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00FB0268,?,00000001), ref: 00FB12B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00FB0268,?,00000001), ref: 00FB12BC

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 69e350787cc729af3e53e51f1b45460f2cbab9b65f6f340e126a474c61cff103
Instruction ID: 1560b5a0b0e6a1045f6997d277eb94a5f4458ffa8039f399fa70de201148becf
Opcode Fuzzy Hash: 69e350787cc729af3e53e51f1b45460f2cbab9b65f6f340e126a474c61cff103
Instruction Fuzzy Hash: CF31E679A01208FFDB309F65DC54FAA37AAFB55321F904129FD01C6191D7BA9D40AF50

Function 00F5FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F5FAA6
OleUninitialize.OLE32(?,00000000), ref: 00F5FB45
UnregisterHotKey.USER32(?), ref: 00F5FC9C
DestroyWindow.USER32(?), ref: 00F945D6
FreeLibrary.KERNEL32(?), ref: 00F9463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F94668

Strings

close all, xrefs: 00F5FAA1

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: efbec5e1bf560cfb941d79b0d8ae93d4beda8b868473a49bb7b06a8bc6f7c241
Instruction ID: 958291b8ae171bb7cafc3451acd3fc40b6cc3a6044178bb23d4fd9c366dbe154
Opcode Fuzzy Hash: efbec5e1bf560cfb941d79b0d8ae93d4beda8b868473a49bb7b06a8bc6f7c241
Instruction Fuzzy Hash: 30A1AC71701212CFDB29EF14C994E69F364BF15711F1442ADEA0AAB262CB34ED1AEF50

Function 00FAA068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00FAA439), ref: 00FAA377

Strings

INSTANCE, xrefs: 00FAA285
TEXT, xrefs: 00FAA2AE
CLASSNN, xrefs: 00FAA119
REGEXPCLASS, xrefs: 00FAA13C
NAME, xrefs: 00FAA1A9
CLASS, xrefs: 00FAA0F6

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 1cc697158a30a513d9617ab1699e3a9ab91eacf557e4f11a6e87ccc2f3017591
Instruction ID: bc3a668ccbf1cab8e869178d25169d06d05624310adbce37963b1722283831fc
Opcode Fuzzy Hash: 1cc697158a30a513d9617ab1699e3a9ab91eacf557e4f11a6e87ccc2f3017591
Instruction Fuzzy Hash: F291E971900606EADB09EFA0C842BEDFBB4BF05310F54C11AD899A3191DF35695DFBA1

Function 00F52E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00F52EAE

Part of subcall function 00F51DB3: GetClientRect.USER32(?,?), ref: 00F51DDC
Part of subcall function 00F51DB3: GetWindowRect.USER32(?,?), ref: 00F51E1D
Part of subcall function 00F51DB3: ScreenToClient.USER32(?,?), ref: 00F51E45

GetDC.USER32 ref: 00F8CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F8CD45
SelectObject.GDI32(00000000,00000000), ref: 00F8CD53
SelectObject.GDI32(00000000,00000000), ref: 00F8CD68
ReleaseDC.USER32(?,00000000), ref: 00F8CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F8CDFB

Strings

U, xrefs: 00F8CCD0

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 2581f490ec4078978eab4b778b14b0521419a7566e026fa0ee8d050a8422db89
Instruction ID: 86710494d9b4f0ccee280a1b880580ae49e6bf5106647dc66270c3bfc2239965
Opcode Fuzzy Hash: 2581f490ec4078978eab4b778b14b0521419a7566e026fa0ee8d050a8422db89
Instruction Fuzzy Hash: 7271D532800205DFCF21AF64CC85AEA7BB5FF49321F14426AEE555A296C7359C45FBA0

Function 00FC1A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FC1A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00FC1A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00FC1ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00FC1AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FC1AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00FC1B10
InternetCloseHandle.WININET(00000000), ref: 00FC1B57

Part of subcall function 00FC2483: GetLastError.KERNEL32(?,?,00FC1817,00000000,00000000,00000001), ref: 00FC2498
Part of subcall function 00FC2483: SetEvent.KERNEL32(?,?,00FC1817,00000000,00000000,00000001), ref: 00FC24AD

Strings

, xrefs: 00FC1B01

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 578adaff018465a7c2ab8500c7d2f78dd85bd40bc2cb8eacba8ef5ebc49e010a
Instruction ID: 988fcb2064cee65b940fb25be27dff2d52bdc9f44ff183ef8fac4bb9a7275e66
Opcode Fuzzy Hash: 578adaff018465a7c2ab8500c7d2f78dd85bd40bc2cb8eacba8ef5ebc49e010a
Instruction Fuzzy Hash: DF4192B190120ABFEB119F60CD86FFA7BADFF49350F04411AF9059A142E7749E54ABA0

Function 00FC8C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00FDF910), ref: 00FC8D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00FDF910), ref: 00FC8D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00FC8ED6
SysFreeString.OLEAUT32(?), ref: 00FC8F00

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: c2f4cb01b4a400d5dcc826e700c7bda9e91db885974fe0667625094ff7e04b97
Instruction ID: 1ff71d1e6e45cefd007f769c8bfb3336c0a4187205034699e663d715b937ebba
Opcode Fuzzy Hash: c2f4cb01b4a400d5dcc826e700c7bda9e91db885974fe0667625094ff7e04b97
Instruction Fuzzy Hash: D1F15B71A0010AEFCB04DFA4C989EAEB7B9FF45354F108458F906AB251DB71AE46EB50

Function 00FCF694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FCF6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FCF848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FCF86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FCF8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FCF8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FCFA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00FCFA7C
CloseHandle.KERNEL32(?), ref: 00FCFAAB
CloseHandle.KERNEL32(?), ref: 00FCFB22

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 1956b565301a49d2e98b82803f5522777cabfd11aad9dfb0bfdca26d79c4ce24
Instruction ID: c2ba555f324d63a50c65fa0111759aec1521a8a6c7751b0e6ee7e2bd2f678ae0
Opcode Fuzzy Hash: 1956b565301a49d2e98b82803f5522777cabfd11aad9dfb0bfdca26d79c4ce24
Instruction Fuzzy Hash: 46E1C431604301DFCB14EF24C982F6ABBE1AF85354F18846DF8998B2A1CB34DC49EB52

Function 00FB4CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FB3697,?), ref: 00FB468B

Part of subcall function 00FB466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FB3697,?), ref: 00FB46A4

Part of subcall function 00FB4A31: GetFileAttributesW.KERNEL32(?,00FB370B), ref: 00FB4A32

lstrcmpiW.KERNEL32(?,?), ref: 00FB4D40
_wcscmp.LIBCMT ref: 00FB4D5A
MoveFileW.KERNEL32(?,?), ref: 00FB4D75

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 88f62eb457fc64fbb7456106cacdb5cd0233b219377126d8128ff3b7663cbb6a
Instruction ID: 1177ecc3214a8c8e37bb5cd54260e168833ca661ad5d52f41346d96af9778874
Opcode Fuzzy Hash: 88f62eb457fc64fbb7456106cacdb5cd0233b219377126d8128ff3b7663cbb6a
Instruction Fuzzy Hash: D05152B24083459BC724EB60DD919DBB3ECAF84310F00492FB689D3152EE38B688DB56

Function 00FD8645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00FD86FF

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: ede19318ab0dd14f6855f7dc0fbff5e7b7a05777c958ca533fa2c81031c406f7
Instruction ID: 78731df7791dbf808781c922b37ea9906ae508b3e951ab86082ccdbe0011e4b5
Opcode Fuzzy Hash: ede19318ab0dd14f6855f7dc0fbff5e7b7a05777c958ca533fa2c81031c406f7
Instruction Fuzzy Hash: 71519231900244BEEB209B28CC85FAD3B66AB053A0F684253F951E63A1CF75ED46FB51

Function 00F52B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00F8C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F8C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F8C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00F8C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F8C370
DestroyIcon.USER32(00000000), ref: 00F8C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F8C39C
DestroyIcon.USER32(?), ref: 00F8C3AB

Part of subcall function 00FDA4AF: DeleteObject.GDI32(00000000), ref: 00FDA4E8

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 7f278fc9ac0084cc2c7e5f11dab2273d5499f96d4e22090fd3048335ae0df7ad
Instruction ID: 177a4330f2680f7a2d5ff0368622a3c1cacdce088ae10e6564160e4f519fd126
Opcode Fuzzy Hash: 7f278fc9ac0084cc2c7e5f11dab2273d5499f96d4e22090fd3048335ae0df7ad
Instruction Fuzzy Hash: 21516C71A00209EFDB24EF64CC45FAA3BB5EB45321F104629FE42A7290D774ED55EBA0

Function 00FA966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FAA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FAA84C
Part of subcall function 00FAA82C: GetCurrentThreadId.KERNEL32 ref: 00FAA853
Part of subcall function 00FAA82C: AttachThreadInput.USER32(00000000,?,00FA9683,?,00000001), ref: 00FAA85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 00FA968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00FA96AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00FA96AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 00FA96B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00FA96D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00FA96D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 00FA96E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00FA96F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00FA96FB

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e2d426d8514d6b2a94e1e1b5238660d42b400c370b2c0f7a0a3517ac722ed401
Instruction ID: 7598cdc1cc6e1ca3873b4b7a282a77577d743215c8473a064a3d493e88917597
Opcode Fuzzy Hash: e2d426d8514d6b2a94e1e1b5238660d42b400c370b2c0f7a0a3517ac722ed401
Instruction Fuzzy Hash: B011E1B1910218FEF6106F70DC89F6A3B2EEB4D750F100426F245AB1A1CAF25C14EAA4

Function 00FA8921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00FA853C,00000B00,?,?), ref: 00FA892A
HeapAlloc.KERNEL32(00000000,?,00FA853C,00000B00,?,?), ref: 00FA8931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FA853C,00000B00,?,?), ref: 00FA8946
GetCurrentProcess.KERNEL32(?,00000000,?,00FA853C,00000B00,?,?), ref: 00FA894E
DuplicateHandle.KERNEL32(00000000,?,00FA853C,00000B00,?,?), ref: 00FA8951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00FA853C,00000B00,?,?), ref: 00FA8961
GetCurrentProcess.KERNEL32(00FA853C,00000000,?,00FA853C,00000B00,?,?), ref: 00FA8969
DuplicateHandle.KERNEL32(00000000,?,00FA853C,00000B00,?,?), ref: 00FA896C
CreateThread.KERNEL32(00000000,00000000,00FA8992,00000000,00000000,00000000), ref: 00FA8986

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 3e3821fc83604b405da8f3516b028e19b8b088a8c3ee1001717c9316afcc07b2
Instruction ID: 618908596f15a99f94ff1248c39f0f1755cc6509d2e2312559d5906eaca1d149
Opcode Fuzzy Hash: 3e3821fc83604b405da8f3516b028e19b8b088a8c3ee1001717c9316afcc07b2
Instruction Fuzzy Hash: C501BBB5241348FFE710ABB5DC4DF6B3BADEB89711F408421FA05DB1A1CA709804DB21

Function 00FC9B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00FC9BA4, 00FC9EC8
Not an Object type, xrefs: 00FC9B7B

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: c825aaf8862b1d4bfbe8f65d743138bb651ff547cd2ef6d21cc85d8634932e1c
Instruction ID: 165f8011e5d4b8a0f590d7613c71664979181c1ae6c3c3885acb03b1b521f257
Opcode Fuzzy Hash: c825aaf8862b1d4bfbe8f65d743138bb651ff547cd2ef6d21cc85d8634932e1c
Instruction Fuzzy Hash: B9C1A271E0420B9BDF10DF68C989FAEB7F5BB58314F14846DE905A7280E7B09D44DB60

Function 00FC9113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FC9167
VariantInit.OLEAUT32(?), ref: 00FC9238
VariantInit.OLEAUT32(?), ref: 00FC9339
VariantClear.OLEAUT32(?), ref: 00FC9343
VariantClear.OLEAUT32(?), ref: 00FC93A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00FC931C
Null Object assignment in FOR..IN loop, xrefs: 00FC91C8, 00FC92F6, 00FC93AE

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 8ee79cc21d1c2a54f9a6111124da3a6ee19fcf776c0c1a0630ff18117d0f7a10
Instruction ID: 7ff9784d96668bb327b2274599a9e112c95fc10a8b253e87a2cf89e990e198aa
Opcode Fuzzy Hash: 8ee79cc21d1c2a54f9a6111124da3a6ee19fcf776c0c1a0630ff18117d0f7a10
Instruction Fuzzy Hash: 96917E71E0421AEBDF24CFA5CD49FAEB7B8EF45720F10815EE515AB280D7B09905DBA0

Function 00FC975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00FA710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FA7044,80070057,?,?,?,00FA7455), ref: 00FA7127
Part of subcall function 00FA710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FA7044,80070057,?,?), ref: 00FA7142
Part of subcall function 00FA710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FA7044,80070057,?,?), ref: 00FA7150
Part of subcall function 00FA710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FA7044,80070057,?), ref: 00FA7160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00FC9806
_memset.LIBCMT ref: 00FC9813
_memset.LIBCMT ref: 00FC9956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00FC9982
CoTaskMemFree.OLE32(?), ref: 00FC998D

Strings

NULL Pointer assignment, xrefs: 00FC99DB

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: a072833e3905591a0b333e40f8e378098bfd5a70531648979322a9604b1d84b4
Instruction ID: 738df9665e7dfb0371fc8e90f35c912d6af66ef27df5aca47efd421ffb8ffcb4
Opcode Fuzzy Hash: a072833e3905591a0b333e40f8e378098bfd5a70531648979322a9604b1d84b4
Instruction Fuzzy Hash: 47916871D00229EBCB10DFA5DC85EDEBBB9AF08710F20401AF519A7291DB759A08DFA0

Function 00FD6D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00FD6E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00FD6E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00FD6E52
_wcscat.LIBCMT ref: 00FD6EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00FD6EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00FD6EF2

Strings

SysListView32, xrefs: 00FD6DF6

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 6552390459e3f1cf8de3d83d5d52c9a97c9cd80bd9306a20ea0b5ef86f6daf68
Instruction ID: fd18fd862ab29b8daf27e7e402dd677746317845f8435334b6ed739326c42e51
Opcode Fuzzy Hash: 6552390459e3f1cf8de3d83d5d52c9a97c9cd80bd9306a20ea0b5ef86f6daf68
Instruction Fuzzy Hash: F941C171A00308ABEB21DF64CC85FEE77AAEF08360F14442BF585E7291D6759D849B60

Function 00FCE933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00FB3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00FB3C7A
Part of subcall function 00FB3C55: Process32FirstW.KERNEL32(00000000,?), ref: 00FB3C88
Part of subcall function 00FB3C55: CloseHandle.KERNEL32(00000000), ref: 00FB3D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FCE9A4
GetLastError.KERNEL32 ref: 00FCE9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FCE9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 00FCEA63
GetLastError.KERNEL32(00000000), ref: 00FCEA6E
CloseHandle.KERNEL32(00000000), ref: 00FCEAA3

Strings

SeDebugPrivilege, xrefs: 00FCE9C2

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: a6a64b793a469934ff3b66da25d8c873786dd875907c6516e2cc01c36aa3f159
Instruction ID: 3e16a44dc9737ad336c71a6788761c568e53ff4abf0341bb6e5c66dab6ce6c92
Opcode Fuzzy Hash: a6a64b793a469934ff3b66da25d8c873786dd875907c6516e2cc01c36aa3f159
Instruction Fuzzy Hash: 4141CD716002019FDB14EF24CD96F6EB7A5AF41314F18841DFA069F2C2CBB9A908EF91

Function 00FB2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00FB3033

Strings

blank, xrefs: 00FB2FB5
warning, xrefs: 00FB301C
stop, xrefs: 00FB3004
question, xrefs: 00FB2FEC
info, xrefs: 00FB2FD4

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: e291c93245d86d34ab422214472ec1cfdc6cd005bde4247febeacfa7300d5898
Instruction ID: 91a8a08188aad5e39450c16ce52fb079713e35f97195e47d2107560ebb957d81
Opcode Fuzzy Hash: e291c93245d86d34ab422214472ec1cfdc6cd005bde4247febeacfa7300d5898
Instruction Fuzzy Hash: 9F115B32B8C346BEE715AA16DC82DEB779C9F193B4F10402BF904A6181DB756F0079A5

Function 00FB42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00FB4312
LoadStringW.USER32(00000000), ref: 00FB4319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00FB432F
LoadStringW.USER32(00000000), ref: 00FB4336
_wprintf.LIBCMT ref: 00FB435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FB437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00FB4357

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: d2ccc4d145add426b7a9288cd7c808be3ca0ba765160387c0aea6de96d8effd0
Instruction ID: 690b1a5f7074bb7b010d02ae0c4ddd2c2d490a61cb8fc9db6a35d798205bf94a
Opcode Fuzzy Hash: d2ccc4d145add426b7a9288cd7c808be3ca0ba765160387c0aea6de96d8effd0
Instruction Fuzzy Hash: 3B01A2F380020CBFE71197A0DD89EE6736CEB08300F4040A2B74AE2011EA349E886B71

Function 00FDD43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F52612: GetWindowLongW.USER32(?,000000EB), ref: 00F52623

GetSystemMetrics.USER32(0000000F), ref: 00FDD47C
GetSystemMetrics.USER32(0000000F), ref: 00FDD49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00FDD6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00FDD6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00FDD716
ShowWindow.USER32(00000003,00000000), ref: 00FDD735
InvalidateRect.USER32(?,00000000,00000001), ref: 00FDD75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 00FDD77D

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: db0f3faa0a6dc7eaac59d7babeb6b41066610605bdd6540dabe668b86e437651
Instruction ID: c6562f9a8052946d45ec033fd48c7e64a49d803b838f30b4520f7fe571c4ccb4
Opcode Fuzzy Hash: db0f3faa0a6dc7eaac59d7babeb6b41066610605bdd6540dabe668b86e437651
Instruction Fuzzy Hash: F4B18B75A00219EFDF14CF68C985BAD7BB2BF04711F0880AAEC489F295D734A950EB90

Function 00F52A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F8C1C7,00000004,00000000,00000000,00000000), ref: 00F52ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00F8C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00F52B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00F8C1C7,00000004,00000000,00000000,00000000), ref: 00F8C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F8C1C7,00000004,00000000,00000000,00000000), ref: 00F8C286

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 4593f5de1ac9f13819c3f41b42725fc1630a386dd41c9975592a55811d2ec254
Instruction ID: 6001b8ff8b2620b9aab5c905413a012a10bec0ed188ab148ca46aea77d2a2471
Opcode Fuzzy Hash: 4593f5de1ac9f13819c3f41b42725fc1630a386dd41c9975592a55811d2ec254
Instruction Fuzzy Hash: DE410231A046809AC7B56B38CCCCB6B7B92BB87321F14861DEA4786561C67D984DF760

Function 00FB70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00FB70DD

Part of subcall function 00F70DB6: std::exception::exception.LIBCMT ref: 00F70DEC
Part of subcall function 00F70DB6: __CxxThrowException@8.LIBCMT ref: 00F70E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00FB7114
EnterCriticalSection.KERNEL32(?), ref: 00FB7130
_memmove.LIBCMT ref: 00FB717E
_memmove.LIBCMT ref: 00FB719B
LeaveCriticalSection.KERNEL32(?), ref: 00FB71AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00FB71BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 00FB71DE

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 0425b0170cd1b98612a59c124a636ad0b42879b5cf76e6e79c83ac8b8faf7130
Instruction ID: a679117661bface7ff0c99f6c2c32081397964acf3175d47ff9c8bb767afde1a
Opcode Fuzzy Hash: 0425b0170cd1b98612a59c124a636ad0b42879b5cf76e6e79c83ac8b8faf7130
Instruction Fuzzy Hash: 29316F31900205EBCF10EFA5DC85EAEB779EF45710F1481B6F909AB246DB349E14EBA1

Function 00FD61D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FD61EB
GetDC.USER32(00000000), ref: 00FD61F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FD61FE
ReleaseDC.USER32(00000000,00000000), ref: 00FD620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00FD6246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00FD6257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00FD902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00FD6291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00FD62B1

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 986d0aef92637260ececf1ae1f7ab003d136429855a131313eea7d4ae1600f7a
Instruction ID: 908092085e623e9af4b2d2c491036897fa527d3f1491ebc540bf61369a2c2ea2
Opcode Fuzzy Hash: 986d0aef92637260ececf1ae1f7ab003d136429855a131313eea7d4ae1600f7a
Instruction Fuzzy Hash: 62317F72101214BFEF118F64CC8AFEA3BAAEF49765F084066FE09DA291C6759C41DB60

Function 00FABBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00FABBC4
_memcmp.LIBCMT ref: 00FABBE6
_memcmp.LIBCMT ref: 00FABBFE
_memcmp.LIBCMT ref: 00FABC11
_memcmp.LIBCMT ref: 00FABC2B
_memcmp.LIBCMT ref: 00FABC3E
_memcmp.LIBCMT ref: 00FABC56
_memcmp.LIBCMT ref: 00FABC71

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f3ea45b8f0afbaab5b7e4e0acf23b5ef82bbfd1b45750da90ae2ee292154cfe2
Instruction ID: 8985b1c2d3f857dea12d8940a91eea02fe21606a184be9eb4752f4b466609c4f
Opcode Fuzzy Hash: f3ea45b8f0afbaab5b7e4e0acf23b5ef82bbfd1b45750da90ae2ee292154cfe2
Instruction Fuzzy Hash: 2121DAF26012057BA314AA159D42FBB735DAE533A8F044011FD0856643FB18DE25B1B2

Function 00FBEB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00F59837: __itow.LIBCMT ref: 00F59862
Part of subcall function 00F59837: __swprintf.LIBCMT ref: 00F598AC

Part of subcall function 00F6FC86: _wcscpy.LIBCMT ref: 00F6FCA9

_wcstok.LIBCMT ref: 00FBEC94
_wcscpy.LIBCMT ref: 00FBED23
_memset.LIBCMT ref: 00FBED56

Strings

X, xrefs: 00FBED93

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 2d7a1b7b3adc5cc9f371efaab3dab8eb88af3fb361f877b302a1007a5da51683
Instruction ID: 3f1c580325c97a3a5ef460a94419c8d25d2eee9a8c45eeeb428210dfa45b62e2
Opcode Fuzzy Hash: 2d7a1b7b3adc5cc9f371efaab3dab8eb88af3fb361f877b302a1007a5da51683
Instruction Fuzzy Hash: 05C19F71908701DFC714EF24D841AAAB7E0BF85311F14492DF9999B2A2DB74EC49EF82

Function 00FC6B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00FC6C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00FC6C21
WSAGetLastError.WSOCK32(00000000), ref: 00FC6C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00FC6CEA
inet_ntoa.WSOCK32(?), ref: 00FC6CA7

Part of subcall function 00FAA7E9: _strlen.LIBCMT ref: 00FAA7F3
Part of subcall function 00FAA7E9: _memmove.LIBCMT ref: 00FAA815

_strlen.LIBCMT ref: 00FC6D44
_memmove.LIBCMT ref: 00FC6DAD

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 6b63cc197b23751c1d14367ee6fdf3ba1d25aca237d5f38d4bb86f04302ac864
Instruction ID: 3975a13d7dd5c39f83c32a3d368ebacee13e8306002b72e69b5bcb8d54491af8
Opcode Fuzzy Hash: 6b63cc197b23751c1d14367ee6fdf3ba1d25aca237d5f38d4bb86f04302ac864
Instruction Fuzzy Hash: 4281F571608301ABC714EB24CC82F6BB7E8AF84714F14491DFA46DB2A2DB74DD09EB52

Function 00F51424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e5425dc0d24af09986a6dec26b20adb8902f8aefb411d6d9e63baae856e227c
Instruction ID: aacbdd70172452c132012ab58622e023cf4ff6bbc2ab067b8f22da6f4af01011
Opcode Fuzzy Hash: 0e5425dc0d24af09986a6dec26b20adb8902f8aefb411d6d9e63baae856e227c
Instruction Fuzzy Hash: 91717D31900109EFCB14DF58CC49FBEBB75FF86321F248259FA15AA251C734AA15EBA0

Function 00FDB351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(011744F0), ref: 00FDB3EB
IsWindowEnabled.USER32(011744F0), ref: 00FDB3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00FDB4DB
SendMessageW.USER32(011744F0,000000B0,?,?), ref: 00FDB512
IsDlgButtonChecked.USER32(?,?), ref: 00FDB54F
GetWindowLongW.USER32(011744F0,000000EC), ref: 00FDB571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00FDB589

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 96f30165ae6710b0279b1288a23a37d2367a5ade32f3354dc3921b89091805f9
Instruction ID: 3139a2889e0382961a0ce35a717b2de84c26aeb544f840932cdfe12804a594a7
Opcode Fuzzy Hash: 96f30165ae6710b0279b1288a23a37d2367a5ade32f3354dc3921b89091805f9
Instruction Fuzzy Hash: 4B719234A05204EFDB21DF64C894FBA77B6FF4A320F19405AE946973A2C736A940FB50

Function 00FCF41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FCF448
_memset.LIBCMT ref: 00FCF511
ShellExecuteExW.SHELL32(?), ref: 00FCF556

Part of subcall function 00F59837: __itow.LIBCMT ref: 00F59862
Part of subcall function 00F59837: __swprintf.LIBCMT ref: 00F598AC

Part of subcall function 00F6FC86: _wcscpy.LIBCMT ref: 00F6FCA9

GetProcessId.KERNEL32(00000000), ref: 00FCF5CD
CloseHandle.KERNEL32(00000000), ref: 00FCF5FC

Strings

@, xrefs: 00FCF525

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 2193928886c7ae492961cc0e9a80afa788e397106b6aa25de2b4916085d67aa5
Instruction ID: 3e49e8ea31e2272780cfb9db8f7e22526cf398f6aed366bef12d6a83c857d386
Opcode Fuzzy Hash: 2193928886c7ae492961cc0e9a80afa788e397106b6aa25de2b4916085d67aa5
Instruction Fuzzy Hash: 7461AE71A00619DFCB14DF64C981AAEFBB5FF49310F18806DE919AB351CB34AD49EB80

Function 00FB0F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00FB0F8C
GetKeyboardState.USER32(?), ref: 00FB0FA1
SetKeyboardState.USER32(?), ref: 00FB1002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00FB1030
PostMessageW.USER32(?,00000101,00000011,?), ref: 00FB104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00FB1095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00FB10B8

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9e6669713879b7b8ce04953b8f60c861b33753446f1fd10da8b71c804bd5325b
Instruction ID: 5d3ec54e96c1108fecc15f82f296b38c760c2fe99cebb37228f97dd239d9aad2
Opcode Fuzzy Hash: 9e6669713879b7b8ce04953b8f60c861b33753446f1fd10da8b71c804bd5325b
Instruction Fuzzy Hash: F15103A0A047D53DFB3252398C25BF7BEA96B06350F488589E1D5468C2C698DCC8FB51

Function 00FB0D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00FB0DA5
GetKeyboardState.USER32(?), ref: 00FB0DBA
SetKeyboardState.USER32(?), ref: 00FB0E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00FB0E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00FB0E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00FB0EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00FB0EC9

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c87f2c30f277cbc148f03312fc26c076f0e17dcab5782daa6796da5df652d249
Instruction ID: 6fb07ac141ebeca29ac206ccd45c63e0099c0837296bdf932b674d435e31ebc8
Opcode Fuzzy Hash: c87f2c30f277cbc148f03312fc26c076f0e17dcab5782daa6796da5df652d249
Instruction Fuzzy Hash: C651E5A0A447D53DFB3243768C55BFB7FA96B06310F088889E1D54A8C2DB95EC98FB50

Function 00FB55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00FB560A
_wcsncpy.LIBCMT ref: 00FB563F
_wcsncpy.LIBCMT ref: 00FB5671
_wcsncpy.LIBCMT ref: 00FB56A4
_wcsncpy.LIBCMT ref: 00FB56E6
_wcsncpy.LIBCMT ref: 00FB5720
_wcsncpy.LIBCMT ref: 00FB574F

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 31afe45e4170d7f925a4a9170b49172059f61c70098571194214a51c02c28676
Instruction ID: 2195530b210e722198adbdb3b72182979023280248d80ccf2c4336347ee9fbc4
Opcode Fuzzy Hash: 31afe45e4170d7f925a4a9170b49172059f61c70098571194214a51c02c28676
Instruction Fuzzy Hash: EC41A465C1061876CB11EBB48C46ACFB3B89F04710F50C957E51DE3221EB38A355EBAB

Function 00FB3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FB3697,?), ref: 00FB468B

Part of subcall function 00FB466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FB3697,?), ref: 00FB46A4

lstrcmpiW.KERNEL32(?,?), ref: 00FB36B7
_wcscmp.LIBCMT ref: 00FB36D3
MoveFileW.KERNEL32(?,?), ref: 00FB36EB
_wcscat.LIBCMT ref: 00FB3733
SHFileOperationW.SHELL32(?), ref: 00FB379F

Strings

\*.*, xrefs: 00FB372D

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 2c1a9877391e856fe65fb1b3e1b73ace3032f51f29d4f32b3a258e5203494d8b
Instruction ID: 74b8017ad8357a311419b310401a3735b9d3f3f9fbf3d442c007fc7cbc930630
Opcode Fuzzy Hash: 2c1a9877391e856fe65fb1b3e1b73ace3032f51f29d4f32b3a258e5203494d8b
Instruction Fuzzy Hash: 8D418072548344AEC751EF65C841ADFB7ECAF89390F10092EF49AC3251EA38D689DB52

Function 00FD7291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FD72AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FD7351
IsMenu.USER32(?), ref: 00FD7369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FD73B1
DrawMenuBar.USER32 ref: 00FD73C4

Strings

0, xrefs: 00FD729E

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: f3d903f2d87021683cf4075e73bc36246bbe4d3a5145056345f8f035531e5266
Instruction ID: b69ed3b2827f3aa805f3247adccd71cdc83f815129ea91cdbdba7bc441cc7e43
Opcode Fuzzy Hash: f3d903f2d87021683cf4075e73bc36246bbe4d3a5145056345f8f035531e5266
Instruction Fuzzy Hash: D8412775A04308AFDB20EF50D884E9ABBB6FB05320F18852AFD45AB350E731AD54EB50

Function 00FD0FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00FD0FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FD0FFE
FreeLibrary.KERNEL32(00000000), ref: 00FD10B5

Part of subcall function 00FD0FA5: RegCloseKey.ADVAPI32(?), ref: 00FD101B
Part of subcall function 00FD0FA5: FreeLibrary.KERNEL32(?), ref: 00FD106D
Part of subcall function 00FD0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00FD1090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00FD1058

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: a30b98ccb261c153a5b7a60cbae78fa1f0561772805fa4270b6c6b81402ceab7
Instruction ID: ec3c5089cd1ae1bebb0156eb46914774b84129f382ae662ae3ea9e0b0978e082
Opcode Fuzzy Hash: a30b98ccb261c153a5b7a60cbae78fa1f0561772805fa4270b6c6b81402ceab7
Instruction Fuzzy Hash: 58310F71D01109BFDB15DFA0DC89EFFB7BDEF08310F14416AE512E2251DA745E89AAA0

Function 00FD62CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00FD62EC
GetWindowLongW.USER32(011744F0,000000F0), ref: 00FD631F
GetWindowLongW.USER32(011744F0,000000F0), ref: 00FD6354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00FD6386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00FD63B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00FD63C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00FD63DB

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: a84780c0d44e67bc8f0c3359cad246772a8858a7576ec02b49cf95d83a4b07cc
Instruction ID: a6769d1d12fd873134093f0192d2ebd7dc6cc11fcb688f962ab4fcd943acd193
Opcode Fuzzy Hash: a84780c0d44e67bc8f0c3359cad246772a8858a7576ec02b49cf95d83a4b07cc
Instruction Fuzzy Hash: 6631F031A40254AFEB21CF68DC84F5437E2BB4A724F1901A6F941DF3B2CB76A844EB50

Function 00FADAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FADB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FADB54
SysAllocString.OLEAUT32(00000000), ref: 00FADB57
SysAllocString.OLEAUT32(?), ref: 00FADB75
SysFreeString.OLEAUT32(?), ref: 00FADB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 00FADBA3
SysAllocString.OLEAUT32(?), ref: 00FADBB1

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 082e47638a6160219fcedb6c27eb29a5a1f982ac6bde0c946f60681fa6f38e1d
Instruction ID: 1158895d42581213407382947be96e30730d5b7d43ac08e63b178f2d839760b5
Opcode Fuzzy Hash: 082e47638a6160219fcedb6c27eb29a5a1f982ac6bde0c946f60681fa6f38e1d
Instruction Fuzzy Hash: 4D21A372601219AF9F10DFB8DC84CBB73ADFB4A3A0B018126F916DB250D7709C45A7B0

Function 00FC6173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00FC7DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00FC61C6
WSAGetLastError.WSOCK32(00000000), ref: 00FC61D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00FC620E
connect.WSOCK32(00000000,?,00000010), ref: 00FC6217
WSAGetLastError.WSOCK32 ref: 00FC6221
closesocket.WSOCK32(00000000), ref: 00FC624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00FC6263

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 08daf9bd279495e075163ba81ea830f1883d67488a76699d7507715286257e67
Instruction ID: 7e1fecae13e8097dc007ff6488056b2de7384d1812e76ca9683ee5a505633eba
Opcode Fuzzy Hash: 08daf9bd279495e075163ba81ea830f1883d67488a76699d7507715286257e67
Instruction Fuzzy Hash: 9F319231604209AFDF10AF64CD86FBD77A9EB45721F08402DFD06E7291CB74AD08BAA1

Function 00FAF65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00FAF671
__wcsnicmp.LIBCMT ref: 00FAF692
__wcsnicmp.LIBCMT ref: 00FAF6AC

Strings

#OnAutoItStartRegister, xrefs: 00FAF6A6
#notrayicon, xrefs: 00FAF669
#requireadmin, xrefs: 00FAF68C

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 9951c14b912e7d1a3bf01fdb71722e1cb1b5ec8f560e767c0947880bc80786fd
Instruction ID: 0711b9881ef2d99fab3386f402b887d4577f86ac2a64e635f0214d3f84680ca9
Opcode Fuzzy Hash: 9951c14b912e7d1a3bf01fdb71722e1cb1b5ec8f560e767c0947880bc80786fd
Instruction Fuzzy Hash: 182137B261451166D320A674AC02FA773DCEF56360F10843AF945CE151EB54AD4AF396

Function 00FADBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FADC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FADC2F
SysAllocString.OLEAUT32(00000000), ref: 00FADC32
SysAllocString.OLEAUT32 ref: 00FADC53
SysFreeString.OLEAUT32 ref: 00FADC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 00FADC76
SysAllocString.OLEAUT32(?), ref: 00FADC84

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: af5a00430b8e19dcc2d988c3a678b2ffd0eb50848971388c2e215197a9721b5d
Instruction ID: a3fe685d2240cb860249c96d78455c01014ead325d85ffb9c86604f6b83f7aec
Opcode Fuzzy Hash: af5a00430b8e19dcc2d988c3a678b2ffd0eb50848971388c2e215197a9721b5d
Instruction Fuzzy Hash: 6721BB76605104AF9B10DFB8DC88DAB77ECEB09370750C126F906CB260DA70EC45E764

Function 00FD75CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F51D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F51D73
Part of subcall function 00F51D35: GetStockObject.GDI32(00000011), ref: 00F51D87
Part of subcall function 00F51D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F51D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00FD7632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00FD763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00FD764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00FD7659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00FD7665

Strings

Msctls_Progress32, xrefs: 00FD7603

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 100b773626e5a3000291d02ff97cff786997f72103593dbd9e60d7bd44bc3cd2
Instruction ID: d1959ebc87ef0499fd8c9d35efb72d53b4396bb14231ca5a275d55ccb129b0a4
Opcode Fuzzy Hash: 100b773626e5a3000291d02ff97cff786997f72103593dbd9e60d7bd44bc3cd2
Instruction Fuzzy Hash: 8B1193B2110219BFEF119F64CC85EE77F6EEF087A8F014115BA44A6190DA72DC21EBA4

Function 00F79AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00F79AE6

Part of subcall function 00F73187: EncodePointer.KERNEL32(00000000), ref: 00F7318A
Part of subcall function 00F73187: __initp_misc_winsig.LIBCMT ref: 00F731A5
Part of subcall function 00F73187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00F79EA0
Part of subcall function 00F73187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00F79EB4
Part of subcall function 00F73187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00F79EC7
Part of subcall function 00F73187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00F79EDA
Part of subcall function 00F73187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00F79EED
Part of subcall function 00F73187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00F79F00
Part of subcall function 00F73187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00F79F13
Part of subcall function 00F73187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00F79F26
Part of subcall function 00F73187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00F79F39
Part of subcall function 00F73187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00F79F4C
Part of subcall function 00F73187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00F79F5F
Part of subcall function 00F73187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00F79F72
Part of subcall function 00F73187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00F79F85
Part of subcall function 00F73187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00F79F98
Part of subcall function 00F73187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00F79FAB
Part of subcall function 00F73187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00F79FBE

__mtinitlocks.LIBCMT ref: 00F79AEB
__mtterm.LIBCMT ref: 00F79AF4

Part of subcall function 00F79B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00F79AF9,00F77CD0,0100A0B8,00000014), ref: 00F79C56
Part of subcall function 00F79B5C: _free.LIBCMT ref: 00F79C5D
Part of subcall function 00F79B5C: DeleteCriticalSection.KERNEL32(0100EC00,?,?,00F79AF9,00F77CD0,0100A0B8,00000014), ref: 00F79C7F

__calloc_crt.LIBCMT ref: 00F79B19
__initptd.LIBCMT ref: 00F79B3B
GetCurrentThreadId.KERNEL32 ref: 00F79B42

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: a707c1925c10d03b227f3d022ad1462d22506a9315b8b48d630e8156ce94dbf0
Instruction ID: 7c4d18d20af3517d4f1cfe888eddb96e6959d11502592237a8b141f0d099ef1b
Opcode Fuzzy Hash: a707c1925c10d03b227f3d022ad1462d22506a9315b8b48d630e8156ce94dbf0
Instruction Fuzzy Hash: 40F0623291E71169E6347778BC07A4A37919F42730F20CA1FF49CD51D2EED985416163

Function 00F7406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00F73F85), ref: 00F74085
GetProcAddress.KERNEL32(00000000), ref: 00F7408C
EncodePointer.KERNEL32(00000000), ref: 00F74097
DecodePointer.KERNEL32(00F73F85), ref: 00F740B2

Strings

combase.dll, xrefs: 00F74080
RoUninitialize, xrefs: 00F74074

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 991e944621676d4a59b7aee7827121aa8487df9a0dbc22620b2b6051d549b92f
Instruction ID: ca249f3e8283048829534acbc8ae5f5f2cdb4bc0c03132ff727470a0aa596b25
Opcode Fuzzy Hash: 991e944621676d4a59b7aee7827121aa8487df9a0dbc22620b2b6051d549b92f
Instruction Fuzzy Hash: 00E09A70982204ABEA61AF71EC09F053AB5B704752F104036F546E5194DBBB9504EB15

Function 00FB64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FB660B
_memmove.LIBCMT ref: 00FB6546

Part of subcall function 00F59837: __itow.LIBCMT ref: 00F59862
Part of subcall function 00F59837: __swprintf.LIBCMT ref: 00F598AC

_memmove.LIBCMT ref: 00FB65B9
_memmove.LIBCMT ref: 00FB66A0
_memmove.LIBCMT ref: 00FB66B9
_memmove.LIBCMT ref: 00FB66D5

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 06c3e0da596de7e5ebd166ea91c544cb533233ce1895cc83c049d75c6dd0b7a7
Instruction ID: b2d6ea49d8f833e1e2fa6e2a7a35cbd01faa8d75bdd0cf17c8d0d9d7b8823557
Opcode Fuzzy Hash: 06c3e0da596de7e5ebd166ea91c544cb533233ce1895cc83c049d75c6dd0b7a7
Instruction Fuzzy Hash: 3361AB3190064A9BCF15EF61CC82EFE37A5AF05308F084519FD19AB192DB7CE809EB51

Function 00FD01E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F57DE1: _memmove.LIBCMT ref: 00F57E22

Part of subcall function 00FD0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FCFDAD,?,?), ref: 00FD0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FD02BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FD02FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00FD0320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00FD0349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FD038C
RegCloseKey.ADVAPI32(00000000), ref: 00FD0399

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 217c03103b4685119670a30906a1232e014dfce5a859227bf75f72758138ce77
Instruction ID: 774ddc639f689498d0a5e202970adb1ea03c28bd492b4961fa581bb50f10590a
Opcode Fuzzy Hash: 217c03103b4685119670a30906a1232e014dfce5a859227bf75f72758138ce77
Instruction Fuzzy Hash: 61514771508304AFC714EB64DC85E6EBBEAFF85314F08491EF945872A2DB35E908EB52

Function 00FD5799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00FD57FB
GetMenuItemCount.USER32(00000000), ref: 00FD5832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00FD585A
GetMenuItemID.USER32(?,?), ref: 00FD58C9
GetSubMenu.USER32(?,?), ref: 00FD58D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00FD5928

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 9e2bbd693441885e8700d1f10745a38262dea233e315ba319c0d1156b5878f89
Instruction ID: 4d0c9cb969bafb59847d8eee437494df8063e7ad20749396d1a01e7411fe19cf
Opcode Fuzzy Hash: 9e2bbd693441885e8700d1f10745a38262dea233e315ba319c0d1156b5878f89
Instruction Fuzzy Hash: C3516E31E00615EFCF11EF64C845AAEB7B6EF48720F18405AE906BB351CB74AE41AB91

Function 00FAEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FAEF06
VariantClear.OLEAUT32(00000013), ref: 00FAEF78
VariantClear.OLEAUT32(00000000), ref: 00FAEFD3
_memmove.LIBCMT ref: 00FAEFFD
VariantClear.OLEAUT32(?), ref: 00FAF04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00FAF078

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 4135a5f9c50ce6effdeb2a81f10193c75f50c9fdaa78457e479c3ad06572e642
Instruction ID: 4e82491cc825f300957f77a23641207ec4541c8c74d61dfc2129595962f021ed
Opcode Fuzzy Hash: 4135a5f9c50ce6effdeb2a81f10193c75f50c9fdaa78457e479c3ad06572e642
Instruction Fuzzy Hash: AE516AB5A00209EFCB14CF58C880AAAB7B9FF4D314B15856AE959DB305E334E915CBA0

Function 00FB220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FB2258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FB22A3
IsMenu.USER32(00000000), ref: 00FB22C3
CreatePopupMenu.USER32 ref: 00FB22F7
GetMenuItemCount.USER32(000000FF), ref: 00FB2355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00FB2386

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: a0224fa381c3ef50227370b9499d195507a16561f06489992f8c94ff2799142e
Instruction ID: 7b8a0e09e61311edb34afcf8598d13b19c51df9bb70f81ca3e0739866d250c60
Opcode Fuzzy Hash: a0224fa381c3ef50227370b9499d195507a16561f06489992f8c94ff2799142e
Instruction Fuzzy Hash: 0151BE30A01209DBDF61CF6AD888BEEBBF5AF45324F18412AE815972A0D3788944EF51

Function 00F51765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00F52612: GetWindowLongW.USER32(?,000000EB), ref: 00F52623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00F5179A
GetWindowRect.USER32(?,?), ref: 00F517FE
ScreenToClient.USER32(?,?), ref: 00F5181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F5182C
EndPaint.USER32(?,?), ref: 00F51876

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 244b98ddfdefc67a1461b61c165ed3ec9f977d45c4d48ab48067097415ec7bee
Instruction ID: 08999453b852a569268a63ab560897aaae3c0d47c9d28f0bcca40a5b06d324bd
Opcode Fuzzy Hash: 244b98ddfdefc67a1461b61c165ed3ec9f977d45c4d48ab48067097415ec7bee
Instruction Fuzzy Hash: 56419331504300AFD720DF24CC84FB67BE9FB4A725F144669FAA58B1A1C735A849EB61

Function 00FDB69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(010157B0,00000000,011744F0,?,?,010157B0,?,00FDB5A8,?,?), ref: 00FDB712
EnableWindow.USER32(00000000,00000000), ref: 00FDB736
ShowWindow.USER32(010157B0,00000000,011744F0,?,?,010157B0,?,00FDB5A8,?,?), ref: 00FDB796
ShowWindow.USER32(00000000,00000004,?,00FDB5A8,?,?), ref: 00FDB7A8
EnableWindow.USER32(00000000,00000001), ref: 00FDB7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00FDB7EF

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 535e734e3b7d15cdb863dac21b756fb51798d27477ebe29810cd07ba2e120dda
Instruction ID: 75073a729e2459b6788af0e3c9faee7c9f5ee2bea5ed0a78fbf02ecb530f7bf4
Opcode Fuzzy Hash: 535e734e3b7d15cdb863dac21b756fb51798d27477ebe29810cd07ba2e120dda
Instruction Fuzzy Hash: 01416D34A01244EFDB22DF24C499B947BE2FB45320F1D41BAE9598F7A2C731A856EB50

Function 00FC709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00FC4E41,?,?,00000000,00000001), ref: 00FC70AC

Part of subcall function 00FC39A0: GetWindowRect.USER32(?,?), ref: 00FC39B3

GetDesktopWindow.USER32 ref: 00FC70D6
GetWindowRect.USER32(00000000), ref: 00FC70DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00FC710F

Part of subcall function 00FB5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FB52BC

GetCursorPos.USER32(?), ref: 00FC713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00FC7199

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 613212c08eae889afea805cfeb9669265dd5c5bb7f269d841fefd8494b5b55bd
Instruction ID: ad0ddbff7ae4f65216e6271e30ea9675172aff72aca51ccfe394c9cbdc93783f
Opcode Fuzzy Hash: 613212c08eae889afea805cfeb9669265dd5c5bb7f269d841fefd8494b5b55bd
Instruction Fuzzy Hash: 3131C17250930AABD720EF24DC49F9BB7AAFB88314F04091AF58597191C734EA09DB92

Function 00FA8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FA80C0
Part of subcall function 00FA80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FA80CA
Part of subcall function 00FA80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FA80D9
Part of subcall function 00FA80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FA80E0
Part of subcall function 00FA80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FA80F6

GetLengthSid.ADVAPI32(?,00000000,00FA842F), ref: 00FA88CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00FA88D6
HeapAlloc.KERNEL32(00000000), ref: 00FA88DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 00FA88F6
GetProcessHeap.KERNEL32(00000000,00000000,00FA842F), ref: 00FA890A
HeapFree.KERNEL32(00000000), ref: 00FA8911

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 80bcc0004e6f2f78543fa4770adaa8feb0a6f98a3e9a0a027248c436ad25788d
Instruction ID: 1fc2ddfddc9a6d76253242ab86a440a97fc3aca12b2797915e832255fa00d22c
Opcode Fuzzy Hash: 80bcc0004e6f2f78543fa4770adaa8feb0a6f98a3e9a0a027248c436ad25788d
Instruction Fuzzy Hash: 2F11A2B1902209FFDB109FA4DC09FBF7779EB46761F148029E84697111CB769E05EB60

Function 00FA85B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00FA85E2
OpenProcessToken.ADVAPI32(00000000), ref: 00FA85E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00FA85F8
CloseHandle.KERNEL32(00000004), ref: 00FA8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FA8632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00FA8646

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: dd5d204802478f3df64a3c68b73cc856df8bb6f6eccdbbbe197a16fb5f764114
Instruction ID: c86c8336761ee6e1f3a81a56e0320303c5c43ce6a0184019d0263e9e96cdba85
Opcode Fuzzy Hash: dd5d204802478f3df64a3c68b73cc856df8bb6f6eccdbbbe197a16fb5f764114
Instruction Fuzzy Hash: 3C114AB290120DABDF028FA4DD49FDA7BA9EF09354F084065FE05A2160C6718D65AB60

Function 00FAB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FAB7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00FAB7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FAB7CD
ReleaseDC.USER32(00000000,00000000), ref: 00FAB7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00FAB7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 00FAB7FE

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: cd432947662e31402638d2df2ddcf9fff4f5063ab980c53fbc94d91626ee3a00
Instruction ID: 0078651a2b003c54b35d4d81558610f84ba8333ae6cfe48481df238591ac207e
Opcode Fuzzy Hash: cd432947662e31402638d2df2ddcf9fff4f5063ab980c53fbc94d91626ee3a00
Instruction Fuzzy Hash: 680184B5E01309BBEB109BB69C49E5EBFB9EB49321F008076FA04E7291D6709D00DF90

Function 00F70162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F70193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00F7019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F701A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F701B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00F701B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F701C1

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: a5889ce5d93cc965d3ea1fe76ba8bfe68bf7fccf82f309f6a93ee82f44e407b8
Instruction ID: c42c9a8cab78201a908ea8c6444d874727ab3b05fe3c0089d8626347b7b678bb
Opcode Fuzzy Hash: a5889ce5d93cc965d3ea1fe76ba8bfe68bf7fccf82f309f6a93ee82f44e407b8
Instruction Fuzzy Hash: BC016CB09027597DE3008F6A8C85B52FFA8FF19354F00411BA15C47941C7F5A868CBE5

Function 00FB53E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00FB53F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00FB540F
GetWindowThreadProcessId.USER32(?,?), ref: 00FB541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FB542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FB5437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FB543E

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 29a0069daf1e46bd44ee0e4d6db63c45d43cb533c50cd9b21e85cd3b9b5497be
Instruction ID: eef5e82dfed3f5e10fc26e1c773f80e11aacc425a2636cbcf710dfe8d1a17be1
Opcode Fuzzy Hash: 29a0069daf1e46bd44ee0e4d6db63c45d43cb533c50cd9b21e85cd3b9b5497be
Instruction Fuzzy Hash: F6F0903224215CBBE3215BB2DC0DEEF7B7DEFC6B11F00016AFA06D1050DBA15A05A6B5

Function 00FB7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00FB7243
EnterCriticalSection.KERNEL32(?,?,00F60EE4,?,?), ref: 00FB7254
TerminateThread.KERNEL32(00000000,000001F6,?,00F60EE4,?,?), ref: 00FB7261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00F60EE4,?,?), ref: 00FB726E

Part of subcall function 00FB6C35: CloseHandle.KERNEL32(00000000,?,00FB727B,?,00F60EE4,?,?), ref: 00FB6C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00FB7281
LeaveCriticalSection.KERNEL32(?,?,00F60EE4,?,?), ref: 00FB7288

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: ca4ece7717943227fda67afa8e87acd8eae2fa0e510f505f760c0a18aed26613
Instruction ID: 969aaeb34d417f984e920b8a9abf86b2b6331eec6db3a6d07f90aed002ec0565
Opcode Fuzzy Hash: ca4ece7717943227fda67afa8e87acd8eae2fa0e510f505f760c0a18aed26613
Instruction Fuzzy Hash: 73F05E36542616EBD7112B74ED4CEDA772AEF45713B100532F543910A0CB7A5905EF50

Function 00FA8992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FA899D
UnloadUserProfile.USERENV(?,?), ref: 00FA89A9
CloseHandle.KERNEL32(?), ref: 00FA89B2
CloseHandle.KERNEL32(?), ref: 00FA89BA
GetProcessHeap.KERNEL32(00000000,?), ref: 00FA89C3
HeapFree.KERNEL32(00000000), ref: 00FA89CA

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 665af79d9f8031eb8a0be0750c4f8c096f833d47bf085e15dbdf062fbc09a3cd
Instruction ID: 0236527aff4bbb28160d57bbdf65a4adf49beb357abd0882a148931a9a8961d1
Opcode Fuzzy Hash: 665af79d9f8031eb8a0be0750c4f8c096f833d47bf085e15dbdf062fbc09a3cd
Instruction Fuzzy Hash: DEE0C236105009FBDB022FF5EC0CD4ABB6AFB89322B108232F21A81170CB329428EB50

Function 00FC85ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FC8613
CharUpperBuffW.USER32(?,?), ref: 00FC8722
VariantClear.OLEAUT32(?), ref: 00FC889A

Part of subcall function 00FB7562: VariantInit.OLEAUT32(00000000), ref: 00FB75A2
Part of subcall function 00FB7562: VariantCopy.OLEAUT32(00000000,?), ref: 00FB75AB
Part of subcall function 00FB7562: VariantClear.OLEAUT32(00000000), ref: 00FB75B7

Strings

AUTOIT.ERROR, xrefs: 00FC8728
Incorrect Parameter format, xrefs: 00FC864B, 00FC880D

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 17a31d3262a887ad68c5c826cc271750ec5c6c32fc436402c295648234232861
Instruction ID: 8e7cf26e390f6573f86649064ed0d5015f0ee615b56b8dde085cbe1d64447ece
Opcode Fuzzy Hash: 17a31d3262a887ad68c5c826cc271750ec5c6c32fc436402c295648234232861
Instruction Fuzzy Hash: E6917D71A08302DFC714DF24C985E5AB7E4AF89754F04892EF98A8B361DB34ED0ADB51

Function 00FB2A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F6FC86: _wcscpy.LIBCMT ref: 00F6FCA9

_memset.LIBCMT ref: 00FB2B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FB2BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FB2C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00FB2C97

Strings

0, xrefs: 00FB2B73

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 85784b8f234163f2092934cd9730b6d76c4a3864968b6439790826a019beb42c
Instruction ID: 332066236d4c8914bbd2b5f4520763c783a48c82eefd108c90e34ead38ff0006
Opcode Fuzzy Hash: 85784b8f234163f2092934cd9730b6d76c4a3864968b6439790826a019beb42c
Instruction Fuzzy Hash: E751C3B19083019AD7A49F29DC45AAF7BE8EF89330F04492DF895D7190DB74CD44AF92

Function 00FAD56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FAD5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00FAD60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00FAD61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00FAD69D

Strings

DllGetClassObject, xrefs: 00FAD610

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: ce4cae87b12dd239b4b10c003357896c35dbb0cf1e34cd261ee5d4c5e8464fc7
Instruction ID: 8054745f0ecc7c2f36aa11c632a2492eac760528ed014888ebca3eccab4a4862
Opcode Fuzzy Hash: ce4cae87b12dd239b4b10c003357896c35dbb0cf1e34cd261ee5d4c5e8464fc7
Instruction Fuzzy Hash: 79419FF2600204EFDB05CF64C884B9A7BB9EF45314F1581AAEC0A9F645D7B5DE44EBA0

Function 00FB2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FB27C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00FB27DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00FB2822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01015890,00000000), ref: 00FB286B

Strings

0, xrefs: 00FB27B5

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 9577de8f6ea2b1d44a8bf39ec35971232eaa1a7ec7a0dccffd22c2457028ae35
Instruction ID: 1f5650b82806b3a21d72e502d39a5cad1eadbdee887a34955ab8a27704636631
Opcode Fuzzy Hash: 9577de8f6ea2b1d44a8bf39ec35971232eaa1a7ec7a0dccffd22c2457028ae35
Instruction Fuzzy Hash: 5741BD716043019FD760DF26DC44B9ABBE8EF85320F044A2EF9A697291D734E905DB52

Function 00FCD7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00FCD7C5

Part of subcall function 00F5784B: _memmove.LIBCMT ref: 00F57899

Strings

winapi, xrefs: 00FCD836
stdcall, xrefs: 00FCD847
none, xrefs: 00FCD8A0
cdecl, xrefs: 00FCD81C

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: bec518073bfb00ec57f099252c84c8ed17ad72ed81b0f36b964b6edc72b42657
Instruction ID: bedecc6fecef14fc282a0857f284002f7c26c45fedb357b9d34eff80ab014350
Opcode Fuzzy Hash: bec518073bfb00ec57f099252c84c8ed17ad72ed81b0f36b964b6edc72b42657
Instruction Fuzzy Hash: B731CF7190060AABDF00EF54CD52EAEB3B5FF04720F10862EE869976D1DB35AD09DB80

Function 00FA8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F57DE1: _memmove.LIBCMT ref: 00F57E22

Part of subcall function 00FAAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FAAABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00FA8F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00FA8F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00FA8F57

Part of subcall function 00F57BCC: _memmove.LIBCMT ref: 00F57C06

Strings

ComboBox, xrefs: 00FA8E9E
ListBox, xrefs: 00FA8ED3

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 7e68d5e1125c28bbe7543ad771158ae19e106e4d3ff3a096ddb91baecc3b2daf
Instruction ID: 3c4065ea2479eb60e669b07aff418cfd386ece974780eafb84b8a45c51f0dc2e
Opcode Fuzzy Hash: 7e68d5e1125c28bbe7543ad771158ae19e106e4d3ff3a096ddb91baecc3b2daf
Instruction Fuzzy Hash: 2D21E1B5A00109BEDB14ABB09C85DFEB779DF06360F04812AF825971E0DF7D590EB610

Function 00FC182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FC184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FC1872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FC18A2
InternetCloseHandle.WININET(00000000), ref: 00FC18E9

Part of subcall function 00FC2483: GetLastError.KERNEL32(?,?,00FC1817,00000000,00000000,00000001), ref: 00FC2498
Part of subcall function 00FC2483: SetEvent.KERNEL32(?,?,00FC1817,00000000,00000000,00000001), ref: 00FC24AD

Strings

, xrefs: 00FC1893

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: ef4f1b54d6294b9e8b9ba888359adf048d25f74a1e9eaead4a530a398409284d
Instruction ID: 026d25a95dcd54f1867ed11e5d9f964a8325030231eef70268a4237238d06ce3
Opcode Fuzzy Hash: ef4f1b54d6294b9e8b9ba888359adf048d25f74a1e9eaead4a530a398409284d
Instruction Fuzzy Hash: 6621AFB150420EBFEB11AB608D86FBB77ADFB49754F10412EF50592181DB348D1877A1

Function 00FD63E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F51D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F51D73
Part of subcall function 00F51D35: GetStockObject.GDI32(00000011), ref: 00F51D87
Part of subcall function 00F51D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F51D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00FD6461
LoadLibraryW.KERNEL32(?), ref: 00FD6468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00FD647D
DestroyWindow.USER32(?), ref: 00FD6485

Strings

SysAnimate32, xrefs: 00FD643C

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: f96b9dc2e582c852ebda6f8a0f1cab13b280a44d70c5cd95d861b16afde78ad9
Instruction ID: 5ef96ce8fadc3f9b673316c12807fc46656b04f49cc9f0641579e630d5a9124a
Opcode Fuzzy Hash: f96b9dc2e582c852ebda6f8a0f1cab13b280a44d70c5cd95d861b16afde78ad9
Instruction Fuzzy Hash: CE215B71600205AFEF108F64DC80EBB77AEEB5A378F18862AFA50D6290D775DC51B760

Function 00FB6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00FB6DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FB6DEF
GetStdHandle.KERNEL32(0000000C), ref: 00FB6E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00FB6E3B

Strings

nul, xrefs: 00FB6E36

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: ca914a82b89b6897a9bb8970dfbe027a0f46b1a95bfd7f960e09748c30ffcea6
Instruction ID: 565ce6099b8cca2cd8c5323054b0166d9c3bd7a07b4a1a38f6b6d9d01e75fb4b
Opcode Fuzzy Hash: ca914a82b89b6897a9bb8970dfbe027a0f46b1a95bfd7f960e09748c30ffcea6
Instruction Fuzzy Hash: A021AE75A00209ABDB209F2ADC04ADA7BA4EF48720F204A2AFCA1D72D0D7749915AF54

Function 00FB6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00FB6E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FB6EBB
GetStdHandle.KERNEL32(000000F6), ref: 00FB6ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00FB6F06

Strings

nul, xrefs: 00FB6F01

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 5d55910844d66d06185667decc2d54f5901028718c13bf6dfbe8498dbca8ca98
Instruction ID: 4b07f157a3b23c9c5184507e33a97cd39346075765c25b3759840f56aef656bf
Opcode Fuzzy Hash: 5d55910844d66d06185667decc2d54f5901028718c13bf6dfbe8498dbca8ca98
Instruction Fuzzy Hash: B621A1799003059BDB209F6ADC04AEA77A8EF45730F200A2AFDA1D72D0D774E850EF54

Function 00FBAC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FBAC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00FBACA8
__swprintf.LIBCMT ref: 00FBACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,00FDF910), ref: 00FBACFF

Strings

%lu, xrefs: 00FBACBB

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 2b149e37e8a37d0e6119b80ad0a78581209278bcb59445c5fd0ab803ce5bbfa6
Instruction ID: 43f3c6b814c38279b283cb004668aa9a757e5c4b0d6646c3740a3746bc5ba204
Opcode Fuzzy Hash: 2b149e37e8a37d0e6119b80ad0a78581209278bcb59445c5fd0ab803ce5bbfa6
Instruction Fuzzy Hash: 3721AF70A00209EFCB10EF65CD45DEE7BB8FF49715B0440AAF909EB251DA75EA05EB21

Function 00FB1AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FB1B19

Strings

EXISTS, xrefs: 00FB1B41
KEYS, xrefs: 00FB1B30
REMOVE, xrefs: 00FB1B1F
APPEND, xrefs: 00FB1B52

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: f5e9f16d755bd6a087daf885335d960621cb499eb3055f94e954822fa3c49600
Instruction ID: 6f23817d1a4d39845590a3f7990f2fc44ee73d8c9e05a2d26634441363d29bc8
Opcode Fuzzy Hash: f5e9f16d755bd6a087daf885335d960621cb499eb3055f94e954822fa3c49600
Instruction Fuzzy Hash: DD117930D002088B9F00EFA4DC628EEB7B4BF65704F50C49AD854A7696EB36590AEF40

Function 00FCEB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00FCEC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00FCEC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00FCED6A
CloseHandle.KERNEL32(?), ref: 00FCEDEB

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 4b56513a586887b791222f971f913f8b4a4a565485ef9ba1b0a2cb047b953181
Instruction ID: 3f9a60e4eae7ede5281484833d0ea0786c0994edbe2b373ef9959fb5c52f5254
Opcode Fuzzy Hash: 4b56513a586887b791222f971f913f8b4a4a565485ef9ba1b0a2cb047b953181
Instruction Fuzzy Hash: 508191716047019FD724EF28CC46F2AB7E5AF84721F04881DFA9ADB292D7B4AC05DB51

Function 00F7541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F7547B
_memcpy_s.LIBCMT ref: 00F754ED
__read_nolock.LIBCMT ref: 00F7554B
__filbuf.LIBCMT ref: 00F7556E
_memset.LIBCMT ref: 00F755B2

Part of subcall function 00F78B28: __getptd_noexit.LIBCMT ref: 00F78B28

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction ID: 9cea0cc287795c68ce116a62808c7fbaaacb690c6a91230e76976580a65f0215
Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction Fuzzy Hash: 9951B971E00B059BCB24DF69DC4066E77A2AF40B35F28C72BF82D962D0D7B49D50AB42

Function 00FD0037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F57DE1: _memmove.LIBCMT ref: 00F57E22

Part of subcall function 00FD0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FCFDAD,?,?), ref: 00FD0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FD00FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FD013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00FD0183
RegCloseKey.ADVAPI32(?,?), ref: 00FD01AF
RegCloseKey.ADVAPI32(00000000), ref: 00FD01BC

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 4f7b0fde7be1d61b892abfd729a923020f7ad8ef938be35bb15b59a9af8cac38
Instruction ID: ceb1fc45043e07e8d7a28e7a34d67ee7a2efd6cd8f72423614fe217c1b8e38d2
Opcode Fuzzy Hash: 4f7b0fde7be1d61b892abfd729a923020f7ad8ef938be35bb15b59a9af8cac38
Instruction Fuzzy Hash: E8515C71608204AFD704EF64CC85F6AB7E9FF84314F48492EF956872A1DB35E908EB52

Function 00FCD8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00F59837: __itow.LIBCMT ref: 00F59862
Part of subcall function 00F59837: __swprintf.LIBCMT ref: 00F598AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00FCD927
GetProcAddress.KERNEL32(00000000,?), ref: 00FCD9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 00FCD9C6
GetProcAddress.KERNEL32(00000000,?), ref: 00FCDA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00FCDA21

Part of subcall function 00F55A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00FB7896,?,?,00000000), ref: 00F55A2C
Part of subcall function 00F55A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00FB7896,?,?,00000000,?,?), ref: 00F55A50

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 0219d6a6f47eb1f35523b5da0a5f92d5b21b3549406fa746556fbdf40c6052da
Instruction ID: 17da6b3da031571373d66f40644b6f695cb2a24fe19bd043d130d45710184c5f
Opcode Fuzzy Hash: 0219d6a6f47eb1f35523b5da0a5f92d5b21b3549406fa746556fbdf40c6052da
Instruction Fuzzy Hash: 90514A75A0420ADFCB00EFA8C885EADB7F5EF48320B148069E916AB312D735ED49DF50

Function 00FBE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00FBE61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00FBE648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00FBE687

Part of subcall function 00F59837: __itow.LIBCMT ref: 00F59862
Part of subcall function 00F59837: __swprintf.LIBCMT ref: 00F598AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00FBE6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00FBE6B4

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 05bf01aaf121a3ff5d115887aeb8bd6b6b5e357eca7cd65ce5f4b57cef6c490c
Instruction ID: f86f66be16823a03260d7c577adf8c5da2a4da5d898c490bcc0ab32d240e1d68
Opcode Fuzzy Hash: 05bf01aaf121a3ff5d115887aeb8bd6b6b5e357eca7cd65ce5f4b57cef6c490c
Instruction Fuzzy Hash: DB513A35A00605DFCB04EF65CD81AADBBF5EF09315B1880A9E909AB361CB35ED14EF50

Function 00FDA056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 021eb403e8bc7704634a9077e3ad3bcf55fb862aaa7eb22109069bb7ca1f2a04
Instruction ID: 037e7cedea3817b6a9d3e81496dd9cf8a43a067abc959399133b9781b1f7d6e7
Opcode Fuzzy Hash: 021eb403e8bc7704634a9077e3ad3bcf55fb862aaa7eb22109069bb7ca1f2a04
Instruction Fuzzy Hash: 9541B036D05104AFD720DF38CC48FA9BBA6AB09320F184267E856A73E1C730AD45FA59

Function 00F52344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F52357
ScreenToClient.USER32(010157B0,?), ref: 00F52374
GetAsyncKeyState.USER32(00000001), ref: 00F52399
GetAsyncKeyState.USER32(00000002), ref: 00F523A7

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 8ecfcbea8a7caa2008533d840f1df088515a1767caaadfe4d484af0691dbf08d
Instruction ID: 7a4395ad2cbf0f8eb395ad2dd492b075976aadd03500ae1769445794618c54c4
Opcode Fuzzy Hash: 8ecfcbea8a7caa2008533d840f1df088515a1767caaadfe4d484af0691dbf08d
Instruction Fuzzy Hash: 13416035A04109FBCF159F68CC44AEDBB75BB06371F20435AF929D2290CB349958EFA1

Function 00FA63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FA63E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00FA6433
TranslateMessage.USER32(?), ref: 00FA645C
DispatchMessageW.USER32(?), ref: 00FA6466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FA6475

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: b1c78dc1f24f5ae3335cd520494a7fa2bc11830a3b7ce38c61e87ff199f94161
Instruction ID: cbbc49e581551cae378af147d398d7cec38b52e1884d80e4e300ad8b2f1e9e33
Opcode Fuzzy Hash: b1c78dc1f24f5ae3335cd520494a7fa2bc11830a3b7ce38c61e87ff199f94161
Instruction Fuzzy Hash: E831C5B2D00646AFDB24CEB4DC44FB67BE8AB0B320F184165E865C6190E72E9449F760

Function 00FA8A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FA8A30
PostMessageW.USER32(?,00000201,00000001), ref: 00FA8ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00FA8AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00FA8AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00FA8AF8

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 27773460788e2b3f6c5c25992229b8a19ea8e176d1b78b581e538b7b7fd2b383
Instruction ID: e0bd2ac90b28be8fe1bdbe5a3a15ecb2c937848c85cbc2eb887a31d45461eb81
Opcode Fuzzy Hash: 27773460788e2b3f6c5c25992229b8a19ea8e176d1b78b581e538b7b7fd2b383
Instruction Fuzzy Hash: 2331E0B1900219FBDF14CFA8DD4CA9E3BB5EB05325F10822AF925E71D1C7B49915EB90

Function 00FAB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00FAB204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00FAB221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00FAB259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00FAB27F
_wcsstr.LIBCMT ref: 00FAB289

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 68de74bf9c683857b7a69376f925298e62757a0e3124804a21c4e5558e94e810
Instruction ID: 4aad7ad303daaa18ed77597b915a6cbaf71ba98e0c939b0ccfbda9a5a41c4fb6
Opcode Fuzzy Hash: 68de74bf9c683857b7a69376f925298e62757a0e3124804a21c4e5558e94e810
Instruction Fuzzy Hash: 7D21F872605205BAEB165B75DC05F7F7B99DF46720F00813BF809DA192EF65DC40B261

Function 00FDB14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00F52612: GetWindowLongW.USER32(?,000000EB), ref: 00F52623

GetWindowLongW.USER32(?,000000F0), ref: 00FDB192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00FDB1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00FDB1CF
GetSystemMetrics.USER32(00000004), ref: 00FDB1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00FC0E90,00000000), ref: 00FDB216

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 9e4fa0e924996638da384bcef7c9a57d7fef8051d1430c5f105ecec14bdcd05b
Instruction ID: 2d12608821963e476f5156ab5cf1dc947e2f075dbf6d472a30e60bd34f57c1d5
Opcode Fuzzy Hash: 9e4fa0e924996638da384bcef7c9a57d7fef8051d1430c5f105ecec14bdcd05b
Instruction Fuzzy Hash: CE216272910255EFCB119F38DC54B6A37A6FB06371F1A4726BD22D72E0D7309911AB90

Function 00FA9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FA9320

Part of subcall function 00F57BCC: _memmove.LIBCMT ref: 00F57C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FA9352
__itow.LIBCMT ref: 00FA936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FA9392
__itow.LIBCMT ref: 00FA93A3

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: b08f329703c2f4ff1b69cd0474fd96b787ba5d911e218c7e80ee3ce48d84a4bf
Instruction ID: 05401b920077dc63aba2081dfc8334d3629c0e7a47d5589a667a04ec3a54ab0c
Opcode Fuzzy Hash: b08f329703c2f4ff1b69cd0474fd96b787ba5d911e218c7e80ee3ce48d84a4bf
Instruction Fuzzy Hash: D821C471B053087BDF10AA609C89EAE3BBDAB49720F048035FE45971C0D6B0C945A792

Function 00FC5A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00FC5A6E
GetForegroundWindow.USER32 ref: 00FC5A85
GetDC.USER32(00000000), ref: 00FC5AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00FC5ACD
ReleaseDC.USER32(00000000,00000003), ref: 00FC5B08

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: be2321c54371d159bdd5941ec4860fa6b24ee94ae41c6eaa288b288a8a3b75aa
Instruction ID: 1256f34aa903b1e3afb9f97bc818ad087998df62bf3e643882e8df5fcbaee169
Opcode Fuzzy Hash: be2321c54371d159bdd5941ec4860fa6b24ee94ae41c6eaa288b288a8a3b75aa
Instruction Fuzzy Hash: 8421C235A00104AFD704EF65CD85E9AB7E5EF48350F108079F80AC7352CA74ED05EB50

Function 00F512F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F5134D
SelectObject.GDI32(?,00000000), ref: 00F5135C
BeginPath.GDI32(?), ref: 00F51373
SelectObject.GDI32(?,00000000), ref: 00F5139C

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 22a1301d7ce1df97cf9b5f9d74861ea28bd665279c78b02f2f0c3dfbdce7ff4c
Instruction ID: a3e04f2607cec6bc0f4c9f07da46186981c8625788ac5ffa86b0366a2e7fd643
Opcode Fuzzy Hash: 22a1301d7ce1df97cf9b5f9d74861ea28bd665279c78b02f2f0c3dfbdce7ff4c
Instruction Fuzzy Hash: D5219B31C01308EFDB209F25DC08B5D7BE5FB45322F144216FD51AA1A4D77AA899EF50

Function 00FABC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00FABCB3
_memcmp.LIBCMT ref: 00FABCD1
_memcmp.LIBCMT ref: 00FABCE4
_memcmp.LIBCMT ref: 00FABCFC
_memcmp.LIBCMT ref: 00FABD14

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 350e556d68d5933865a4cbddc08d1063c5bac7f8b17a3c5b50965446bf168863
Instruction ID: 20b19dea095112eff013dfdeb86a310130c163018b0788028110c1b38ffcf73a
Opcode Fuzzy Hash: 350e556d68d5933865a4cbddc08d1063c5bac7f8b17a3c5b50965446bf168863
Instruction Fuzzy Hash: C10196F26001457BD304AB169D42FBB735CEE53368F148011FD0597243FB54EE24B2A2

Function 00FB4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FB4ABA
__beginthreadex.LIBCMT ref: 00FB4AD8
MessageBoxW.USER32(?,?,?,?), ref: 00FB4AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00FB4B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00FB4B0A

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 935eb7e08ae1cbd90f605b96f35e401e87b16510834f827075efb8ed857ce210
Instruction ID: 80d5d656a9e81401d22a9905542a3c45699b13e673007f6549fab4674667384b
Opcode Fuzzy Hash: 935eb7e08ae1cbd90f605b96f35e401e87b16510834f827075efb8ed857ce210
Instruction Fuzzy Hash: 98114876905208BFC7109FB99C04EDB7FADEB86320F148266F914D3241D679D9049BA0

Function 00FA8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FA821E
GetLastError.KERNEL32(?,00FA7CE2,?,?,?), ref: 00FA8228
GetProcessHeap.KERNEL32(00000008,?,?,00FA7CE2,?,?,?), ref: 00FA8237
HeapAlloc.KERNEL32(00000000,?,00FA7CE2,?,?,?), ref: 00FA823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FA8255

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 2a230d287a228ef5d93d5d78fb6d3fcc2615f00e9e03442cb38e163046d97e16
Instruction ID: 93f28807c07b3db03ad79ebfb4ef0ecae7f4fa723124c6bb6f7e5e2b8f7a43d1
Opcode Fuzzy Hash: 2a230d287a228ef5d93d5d78fb6d3fcc2615f00e9e03442cb38e163046d97e16
Instruction Fuzzy Hash: 5B0162B1601208FFDB104FB5DC48D677BADEF867A4750043AF809C2120DA718D05EA60

Function 00FA710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FA7044,80070057,?,?,?,00FA7455), ref: 00FA7127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FA7044,80070057,?,?), ref: 00FA7142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FA7044,80070057,?,?), ref: 00FA7150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FA7044,80070057,?), ref: 00FA7160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FA7044,80070057,?,?), ref: 00FA716C

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 5bfb8e66c6a61221bf8389fb8e9f66782a8b647325b7ea262b9e84c755eb8c32
Instruction ID: a379cfc35873d52da0447b08ad55ab355f7924ea5e1c27b69f801689d44f7aaf
Opcode Fuzzy Hash: 5bfb8e66c6a61221bf8389fb8e9f66782a8b647325b7ea262b9e84c755eb8c32
Instruction Fuzzy Hash: CE017CB2A02308ABDB116F64DC44FAA7BFEEB457A1F144065FD09D2220D731DD40BBA0

Function 00FB5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FB5260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00FB526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FB5276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00FB5280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FB52BC

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 5fe11885b355109b159cc73e3ffbdcbb095f85559eff386ed91738d9be0cb935
Instruction ID: fab4ad75b51e0227ca39338c1d48cba20aecdc29061f261b7f7d1889ebe9d665
Opcode Fuzzy Hash: 5fe11885b355109b159cc73e3ffbdcbb095f85559eff386ed91738d9be0cb935
Instruction Fuzzy Hash: 79011735D02A1DDBCF00EFE9E949AEDBB78BB09B11F400156E942B2241CB789554ABA1

Function 00FA810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FA8121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FA812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FA813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FA8141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FA8157

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5b30d3a581d85987a6abd8983616c02c00349d22e2a908e8f015798beddec368
Instruction ID: 82e8be0ee41bc4b623e9ba59d0e2266f715946b72f6b08033abe5c3895c36b32
Opcode Fuzzy Hash: 5b30d3a581d85987a6abd8983616c02c00349d22e2a908e8f015798beddec368
Instruction Fuzzy Hash: C2F04471601308AFD7110F75DC88E673BADFF467A4B040036F546C6150DAA19946EA60

Function 00FAC1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00FAC1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 00FAC20E
MessageBeep.USER32(00000000), ref: 00FAC226
KillTimer.USER32(?,0000040A), ref: 00FAC242
EndDialog.USER32(?,00000001), ref: 00FAC25C

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: c9144cf947d0f424e4b3747f725d309eb7c8773a89262ef316d2a80ceae00569
Instruction ID: 7a5442056eb7dfca617a15e7f54e19354c00f4463b4638a87fef84662c2c833b
Opcode Fuzzy Hash: c9144cf947d0f424e4b3747f725d309eb7c8773a89262ef316d2a80ceae00569
Instruction Fuzzy Hash: D101A771804308A7EB205B60ED4EF9677B9FB01706F00026AA593914E0D7E4A948BB90

Function 00F513B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00F513BF
StrokeAndFillPath.GDI32(?,?,00F8B888,00000000,?), ref: 00F513DB
SelectObject.GDI32(?,00000000), ref: 00F513EE
DeleteObject.GDI32 ref: 00F51401
StrokePath.GDI32(?), ref: 00F5141C

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 165ad95ddaeaa8ad94e72167f6f01c9c919346708a9f9d4e26d73a06a95382a1
Instruction ID: 53858d80e880f56ba505650483d284c0a428458c1143435369c795752553aa2b
Opcode Fuzzy Hash: 165ad95ddaeaa8ad94e72167f6f01c9c919346708a9f9d4e26d73a06a95382a1
Instruction Fuzzy Hash: C9F0E130405308DBDB215F2AEC4CB583FA5BB42326F18C225ED6A5D4F5C73A5599EF50

Function 00FBC397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FBC432
CoCreateInstance.OLE32(00FE2D6C,00000000,00000001,00FE2BDC,?), ref: 00FBC44A

Part of subcall function 00F57DE1: _memmove.LIBCMT ref: 00F57E22

CoUninitialize.OLE32 ref: 00FBC6B7

Strings

.lnk, xrefs: 00FBC3C6, 00FBC3EE, 00FBC3F8

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: bf1e5f54ae1e9b62a0b3b7c8cae435acbf2a8e6e6b27d556d0e542e46177522f
Instruction ID: f33166db5288e499887154998dfc41be3a30982d730bf92413d1c14b42816cde
Opcode Fuzzy Hash: bf1e5f54ae1e9b62a0b3b7c8cae435acbf2a8e6e6b27d556d0e542e46177522f
Instruction Fuzzy Hash: 96A15BB1108205AFD304EF64CC81EABB7E8FF85355F00491CF6559B1A2EBB5EA09DB52

Function 00F62CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00F70DB6: std::exception::exception.LIBCMT ref: 00F70DEC
Part of subcall function 00F70DB6: __CxxThrowException@8.LIBCMT ref: 00F70E01

Part of subcall function 00F57DE1: _memmove.LIBCMT ref: 00F57E22

Part of subcall function 00F57A51: _memmove.LIBCMT ref: 00F57AAB

__swprintf.LIBCMT ref: 00F62ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00F62D66

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: a2fec30f06965463b914a6c960bea07728c3e8b6a819e4f876a73aa9905cff7d
Instruction ID: 0d60484f4adf13a2b6c8702dfe988f966d95ee77d02f04551c2d82bbdeb5c93c
Opcode Fuzzy Hash: a2fec30f06965463b914a6c960bea07728c3e8b6a819e4f876a73aa9905cff7d
Instruction Fuzzy Hash: 64919D715087019FDB14EF24DC85C6EB7B8EF95710F00491DF9859B2A1EA38ED48EB52

Function 00FBB93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F54750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F54743,?,?,00F537AE,?), ref: 00F54770

CoInitialize.OLE32(00000000), ref: 00FBB9BB
CoCreateInstance.OLE32(00FE2D6C,00000000,00000001,00FE2BDC,?), ref: 00FBB9D4
CoUninitialize.OLE32 ref: 00FBB9F1

Part of subcall function 00F59837: __itow.LIBCMT ref: 00F59862
Part of subcall function 00F59837: __swprintf.LIBCMT ref: 00F598AC

Strings

.lnk, xrefs: 00FBB99D, 00FBB9AB

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 056c3ddd04dbc268e28b64d6ae5ae5fd8d58185b085771a2d8101ab3334a2d43
Instruction ID: 7f10b6648b612db4b58d70f1975fed3482f9af7d5a524ba529655c3fe3d4701f
Opcode Fuzzy Hash: 056c3ddd04dbc268e28b64d6ae5ae5fd8d58185b085771a2d8101ab3334a2d43
Instruction Fuzzy Hash: F3A16474A043019FCB04DF15C880D5ABBE5FF89325F048988F9999B3A2CB75EC49DB91

Function 00F7501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00F750AD

Part of subcall function 00F800F0: __87except.LIBCMT ref: 00F8012B

Strings

pow, xrefs: 00F75085, 00F750A2

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 918bcc4cc3dddb499a6a2c6f6046937458a33ee1835120ed79c0bde6da619b11
Instruction ID: c6efc2219b11596f27b8a726cb807ad8f35052764b84f56c5de193cc5403742f
Opcode Fuzzy Hash: 918bcc4cc3dddb499a6a2c6f6046937458a33ee1835120ed79c0bde6da619b11
Instruction Fuzzy Hash: 2B517E21D0CA0286DB517728CC453AE3B949B41B30FB0CD5AE4D986299DFB88DDCB783

Function 00F66192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F66248
_memmove.LIBCMT ref: 00F662E4
_memset.LIBCMT ref: 00F66308

Strings

ERCP, xrefs: 00F661B3

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 49178af49c726a0d39aef3bfc6074d1225ca52ad3267bd4390043e04448c334e
Instruction ID: bb14d465a1fc5721e4863e09b4ff03d8f5bf64e5c96543e4855107fa4e64826a
Opcode Fuzzy Hash: 49178af49c726a0d39aef3bfc6074d1225ca52ad3267bd4390043e04448c334e
Instruction Fuzzy Hash: A851B071D00705DBDB24DF65C991BAABBF4EF44314F20856EE94ACB291EB34EA44EB40

Function 00FA97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FA9296,?,?,00000034,00000800,?,00000034), ref: 00FB14E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00FA983F

Part of subcall function 00FB1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FA92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00FB14B1

Part of subcall function 00FB13DE: GetWindowThreadProcessId.USER32(?,?), ref: 00FB1409
Part of subcall function 00FB13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00FA925A,00000034,?,?,00001004,00000000,00000000), ref: 00FB1419
Part of subcall function 00FB13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00FA925A,00000034,?,?,00001004,00000000,00000000), ref: 00FB142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FA98AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FA98F9

Strings

@, xrefs: 00FA9911

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: d98ce645050bc814341c965f7f259f75b5470e3314a17048416ef2ac3ac8e41b
Instruction ID: 3365649112067f98059a35cecbcb63c07fdd516e23ca95ed52f33656cf1016e8
Opcode Fuzzy Hash: d98ce645050bc814341c965f7f259f75b5470e3314a17048416ef2ac3ac8e41b
Instruction Fuzzy Hash: FA415E7690121CBFCB10DFA4CC91ADEBBB8EB0A300F0040A9F945B7181DA746E49DFA0

Function 00FD7946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00FDF910,00000000,?,?,?,?), ref: 00FD79DF
GetWindowLongW.USER32 ref: 00FD79FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FD7A0C

Strings

SysTreeView32, xrefs: 00FD79B1

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 1cef7dcd6870f1c42e430e248b5385bb8aea7ba3996b90a84c6a0cd7a2d82257
Instruction ID: d7c7b4d58b6cc09f63efaf552b64359aa52d8fcff028acb21bd34bcedad14eaa
Opcode Fuzzy Hash: 1cef7dcd6870f1c42e430e248b5385bb8aea7ba3996b90a84c6a0cd7a2d82257
Instruction Fuzzy Hash: 0E31F032604206ABDB119F38CC41BEA77AAFB05334F284726F875972E0E735E950AB50

Function 00FD73D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00FD7461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00FD7475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FD7499

Strings

SysMonthCal32, xrefs: 00FD742C

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 4c01b9730b68fba1a38140510c5a9c8d82b9060449dac49bcf9e2e92772c6041
Instruction ID: e8c32afe9dc4d2c4c79a952798cc15110fe6985f3f7dcfe62ec84700ce89c401
Opcode Fuzzy Hash: 4c01b9730b68fba1a38140510c5a9c8d82b9060449dac49bcf9e2e92772c6041
Instruction Fuzzy Hash: 4221B132500218ABDF12DE64CC42FEA3B6AEB49724F150215FE556B1D0DA75AC54ABA0

Function 00FD7B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00FD7C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00FD7C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FD7C5F

Strings

msctls_updown32, xrefs: 00FD7BC4

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 246f95436678025cddbd762045c94e200f689712402749925741f8b56c94079d
Instruction ID: a351d91f0a34c34f941a96395ed59e45f304c2054a86ae997dfc8bb731917399
Opcode Fuzzy Hash: 246f95436678025cddbd762045c94e200f689712402749925741f8b56c94079d
Instruction Fuzzy Hash: 422141B5604208AFDB11EF24DCC1D6737EDEB4A364B14005AF9059F361DB75EC119B60

Function 00FD6CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00FD6D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00FD6D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00FD6D70

Strings

Listbox, xrefs: 00FD6D08

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: df32abcb7192f69f797fbea651fffcb048ad4b002ad79ceeb7dc514d6aa1d179
Instruction ID: 5fc6a01181b14792abe43d0d53142e23365fa810edb7b00896358f2610538416
Opcode Fuzzy Hash: df32abcb7192f69f797fbea651fffcb048ad4b002ad79ceeb7dc514d6aa1d179
Instruction Fuzzy Hash: 8C210432A11118BFDF118F54DC41FBB3BBBEF89760F058129F9459B290CA719C51ABA0

Function 00FD770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00FD7772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00FD7787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00FD7794

Strings

msctls_trackbar32, xrefs: 00FD7749

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 47c59bd3a7c0daa93f0c8d3dfd6868efb6f444f828f9e0c7a658e8ecfb10266a
Instruction ID: 09bc8fd07376802dd73c23e7ad01114ab2bf711374edff4677c7e70c61508d4a
Opcode Fuzzy Hash: 47c59bd3a7c0daa93f0c8d3dfd6868efb6f444f828f9e0c7a658e8ecfb10266a
Instruction Fuzzy Hash: C3112732600308BEEF206F61CC01FDB776AEF88B64F054519FA459A190D672E811EB10

Function 00F54C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F54B83,?), ref: 00F54C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F54C56

Strings

kernel32.dll, xrefs: 00F54C3F
Wow64RevertWow64FsRedirection, xrefs: 00F54C50

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 6f1132aa5cda18769db0f77feffb8eaac0b5f80678658abd272216de915a84da
Instruction ID: a5d2daccafc3d05fdea336d686689aa6f25d7c429f6a26300ae26ee1b89fd90d
Opcode Fuzzy Hash: 6f1132aa5cda18769db0f77feffb8eaac0b5f80678658abd272216de915a84da
Instruction Fuzzy Hash: A9D0C230901313CFD7204F31C80CA4673D5AF0035AB14883F99A2C6164E770D4C4DA10

Function 00F54C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F54BD0,?,00F54DEF,?,010152F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F54C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F54C23

Strings

kernel32.dll, xrefs: 00F54C0C
Wow64DisableWow64FsRedirection, xrefs: 00F54C1D

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: c15c2cf116a0ada7a6745ecd60c83efd9d93198baa8b10c375d4123f9faf5f82
Instruction ID: ba405769a253ff5ca99a8cf1bec757907993ada9245e501a0b7345828a21dcd4
Opcode Fuzzy Hash: c15c2cf116a0ada7a6745ecd60c83efd9d93198baa8b10c375d4123f9faf5f82
Instruction Fuzzy Hash: 6FD0EC31911713CFD7205B71D908A06B6E6AF49256B15883B98D6D6250E6B0D4849A51

Function 00FD0DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00FD1039), ref: 00FD0DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FD0E07

Strings

advapi32.dll, xrefs: 00FD0DF0
RegDeleteKeyExW, xrefs: 00FD0E01

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: a009b1e8a6e23040504b8e18e7f67fd5a963e2c69ab76a64d57e94b4b9d4393f
Instruction ID: d39c7024b4062ff049fc029503598670fff10e7c32aea07ee795950f8f4fb23e
Opcode Fuzzy Hash: a009b1e8a6e23040504b8e18e7f67fd5a963e2c69ab76a64d57e94b4b9d4393f
Instruction Fuzzy Hash: 6FD0C231800317CFD3204F72C80874673D6AF00256F048C3F94C6C6250DBB1D490D701

Function 00FC90E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00FC8CF4,?,00FDF910), ref: 00FC90EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00FC9100

Strings

kernel32.dll, xrefs: 00FC90E9
GetModuleHandleExW, xrefs: 00FC90FA

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 62208c30ae94f9bbee84f5ec3d75aeea6595f82aaf3aa71c6b66af220832c91d
Instruction ID: 9d0c08d1efacfc9643bab2d819f3e6eace4300abb92aad7967e2c65561b5f0ac
Opcode Fuzzy Hash: 62208c30ae94f9bbee84f5ec3d75aeea6595f82aaf3aa71c6b66af220832c91d
Instruction Fuzzy Hash: FBD01735914713CFDB209F31D91EA0676E6AF053A5B1AC83F9496D6690E7B0C884EA90

Function 00F91714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F91718
__swprintf.LIBCMT ref: 00F91749

Strings

%.3d, xrefs: 00F91723
WIN_XPe, xrefs: 00F91788

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: a784cc75b48d18a1eb5d7311f1e7fab2c6e61bfa97a8f0c9baa0288213ec1a3e
Instruction ID: 8c8755241ee7afaf950bcd3c4e4091122ae42a493160260314caeedc8ab07548
Opcode Fuzzy Hash: a784cc75b48d18a1eb5d7311f1e7fab2c6e61bfa97a8f0c9baa0288213ec1a3e
Instruction Fuzzy Hash: 96D0127380510BFADF059AD09C88EF9777CB708701F500476F90792040E2258798F622

Function 00FA717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc0a3bb1d976e2c80852e6e4e60896cc3b1adfdc6c9ef951d6b51c7229a28a29
Instruction ID: 9a25b00fc3091108325ad3fb124750f56c19309226669edd72eab159caeaf9d0
Opcode Fuzzy Hash: cc0a3bb1d976e2c80852e6e4e60896cc3b1adfdc6c9ef951d6b51c7229a28a29
Instruction Fuzzy Hash: 32C16AB5A04316EFCB14DFA4C884EAEBBB5FF49310B158599E805EB251D730ED81EB90

Function 00FCE02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00FCE0BE
CharLowerBuffW.USER32(?,?), ref: 00FCE101

Part of subcall function 00FCD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00FCD7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00FCE301
_memmove.LIBCMT ref: 00FCE314

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 80f3f769f3c29cef27d650d6878df8784c8eaadf98c9a08ce5537d0c6b9175c0
Instruction ID: f51ca6efff39454c78ddf11df03641c0d71684309b9ef4143e33bb79c2347e66
Opcode Fuzzy Hash: 80f3f769f3c29cef27d650d6878df8784c8eaadf98c9a08ce5537d0c6b9175c0
Instruction Fuzzy Hash: FEC16971A08302CFC714DF28C981A6ABBE4FF89714F04896EF8999B351D735E905DB82

Function 00FC8093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FC80C3
CoUninitialize.OLE32 ref: 00FC80CE

Part of subcall function 00FAD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FAD5D4

VariantInit.OLEAUT32(?), ref: 00FC80D9
VariantClear.OLEAUT32(?), ref: 00FC83AA

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 6c7e216bdd21909e71fa82a6e5163d67431fa3634b83017479261b1cb5d51a26
Instruction ID: e1b19f08e8344d02d6cc387de1879d2dcfe8d0dd605fc12d6adef34720711893
Opcode Fuzzy Hash: 6c7e216bdd21909e71fa82a6e5163d67431fa3634b83017479261b1cb5d51a26
Instruction Fuzzy Hash: 12A136356087029FCB04DF54C986B6AB7E4BF89364F18440DFA969B3A1CB74ED05EB42

Function 00FA7530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00FE2C7C,?), ref: 00FA76EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00FE2C7C,?), ref: 00FA7702
CLSIDFromProgID.OLE32(?,?,00000000,00FDFB80,000000FF,?,00000000,00000800,00000000,?,00FE2C7C,?), ref: 00FA7727
_memcmp.LIBCMT ref: 00FA7748

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 2bd4b021a201bb4beab110098301ec2b2233817a64e0b5b6e668e01f4ee6b538
Instruction ID: f9143043108b7ce7d867cbade43c3d9df3638bc0a97b86dbba514ed28f843f7e
Opcode Fuzzy Hash: 2bd4b021a201bb4beab110098301ec2b2233817a64e0b5b6e668e01f4ee6b538
Instruction Fuzzy Hash: 6D811D75A00209EFCB04DFA4C984EEEB7B9FF89315F204559E506AB250DB71AE06DB60

Function 00FA687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FA688E
SysAllocString.OLEAUT32(00000000), ref: 00FA6937
VariantCopy.OLEAUT32 ref: 00FA6966
VariantClear.OLEAUT32(?), ref: 00FA698D

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 101d7d5bfaabc643514cd254ea106e308daad618f8ccddcdd1c8ab16db6cbd9a
Instruction ID: 96fa69db584fd835446fb88364f25f49ee137cf567e43d1e0789b1aa375994ee
Opcode Fuzzy Hash: 101d7d5bfaabc643514cd254ea106e308daad618f8ccddcdd1c8ab16db6cbd9a
Instruction Fuzzy Hash: E651F4B5714301DADB24EF65C891B2AB3E9AF5A310F28C81FE586DB291DF7CD844A701

Function 00FD97F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0117DD08,?), ref: 00FD9863
ScreenToClient.USER32(00000002,00000002), ref: 00FD9896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00FD9903

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: d2ee429ced94c91a7ec3a252cef0fdcd27b2aea88c429314ca129af5e2258443
Instruction ID: bfbff62974c5825c1fbc9e670044785a6a43c882e98435b986f439dfe838188e
Opcode Fuzzy Hash: d2ee429ced94c91a7ec3a252cef0fdcd27b2aea88c429314ca129af5e2258443
Instruction Fuzzy Hash: C0513034A04209EFCF10CF68C894AAE7BB6FF45760F58825AF8659B390D771AD41EB50

Function 00FA9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00FA9AD2
__itow.LIBCMT ref: 00FA9B03

Part of subcall function 00FA9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00FA9DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00FA9B6C
__itow.LIBCMT ref: 00FA9BC3

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 662b58332555b8c6f0d43315f8f56a57b195b1e696e589e62b9290a2b52c7dd1
Instruction ID: ecc9b56c19d613af802df040a23ac5171c15286abfc2018bd2b86f9291c29be1
Opcode Fuzzy Hash: 662b58332555b8c6f0d43315f8f56a57b195b1e696e589e62b9290a2b52c7dd1
Instruction Fuzzy Hash: E841C4B0A04308ABDF11EF54DC45BEE7BB9EF85761F000029FD05A7291DBB49A48EB61

Function 00FC69AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00FC69D1
WSAGetLastError.WSOCK32(00000000), ref: 00FC69E1

Part of subcall function 00F59837: __itow.LIBCMT ref: 00F59862
Part of subcall function 00F59837: __swprintf.LIBCMT ref: 00F598AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00FC6A45
WSAGetLastError.WSOCK32(00000000), ref: 00FC6A51

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 2653ac2a63da7371c1f7ae3cbe483bd2e3ae0e98993e67e65a16c0699dbe571f
Instruction ID: 75bda2acbf4c290d98fbc1405c078f429ac911550ee61f4040fa3f2a07c7885c
Opcode Fuzzy Hash: 2653ac2a63da7371c1f7ae3cbe483bd2e3ae0e98993e67e65a16c0699dbe571f
Instruction Fuzzy Hash: A141AE75744200AFEB64AF24CC87F2A77E49F04B15F44841CFE19AF2D2DAB89D05AB91

Function 00FC641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00FDF910), ref: 00FC64A7
_strlen.LIBCMT ref: 00FC64D9

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 0785db9e532d7a500a20aace5357f0d58a5276c7be624c0e0ffc967a2b9fa152
Instruction ID: 8f91af1ee6b8baf1f1187aa5d181b9031e6538c1a39f65de660d8c385a26589a
Opcode Fuzzy Hash: 0785db9e532d7a500a20aace5357f0d58a5276c7be624c0e0ffc967a2b9fa152
Instruction Fuzzy Hash: 66412971904105AFCB14EBA4DD96FAEB7A9AF04310F248119FD1AD7292DB38ED04EB51

Function 00FBB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00FBB89E
GetLastError.KERNEL32(?,00000000), ref: 00FBB8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00FBB8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00FBB915

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: cf4065388abc430c7ac250c14d820fc0dd1f4e1137fee0a6ac645b386fc96d9a
Instruction ID: e67374ab5a492e312c1229a11f2a831c1cef3337900bc16efefeb6f8689818d5
Opcode Fuzzy Hash: cf4065388abc430c7ac250c14d820fc0dd1f4e1137fee0a6ac645b386fc96d9a
Instruction Fuzzy Hash: E2413A35A00910DFCB14EF15C884A5DBBE1AF89321F598098ED4A9B362CB74FD05EF91

Function 00FD8851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FD88DE

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 3225726629eb64f75d390ac179d582380b26433bc93afc054143d07094c40148
Instruction ID: 50f96a13855a7aaa114b61f4f2f484cd5dd763b1d9346878742e5c5f58c0c306
Opcode Fuzzy Hash: 3225726629eb64f75d390ac179d582380b26433bc93afc054143d07094c40148
Instruction Fuzzy Hash: 6831E531A00108AFEB219B28CC55FBC3767EB067A0F9C4113FA91E63A1CA35D942B753

Function 00FDAB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00FDAB60
GetWindowRect.USER32(?,?), ref: 00FDABD6
PtInRect.USER32(?,?,00FDC014), ref: 00FDABE6
MessageBeep.USER32(00000000), ref: 00FDAC57

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 6c95b654c4bed6a7d940ed4fe68be8c7fb036f8d45cb3528cbeeefcab4a74602
Instruction ID: 8de859732b8ad1868516a1f7126ce6bdb90b64e902bebccc7821b4bc431c16f6
Opcode Fuzzy Hash: 6c95b654c4bed6a7d940ed4fe68be8c7fb036f8d45cb3528cbeeefcab4a74602
Instruction Fuzzy Hash: 7D41A230A10108DFCB21CF58C884B5977F6FB89320F1C80A6E8559F354C735E842EB56

Function 00FB0AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00FB0B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00FB0B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00FB0BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00FB0BFB

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3989ffec129ada1e9e221687f8a516359946cbaaf321ba70eda5857708accad8
Instruction ID: 49ced486a04fe1f0e33c68dabe7b768214c04461948a1a757755d9c2d05dd541
Opcode Fuzzy Hash: 3989ffec129ada1e9e221687f8a516359946cbaaf321ba70eda5857708accad8
Instruction Fuzzy Hash: C9310970D402186EFB348A67CC05BFBBBA5AB85334F08C35AE591D11E1CB758944BB55

Function 00FB0C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7608C0D0,?,00008000), ref: 00FB0C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00FB0C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00FB0CE1
SendInput.USER32(00000001,?,0000001C,7608C0D0,?,00008000), ref: 00FB0D33

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 7e97fb4e9808462dde7aa29a62d9dc2dd1d44bf5528eb2d056fa03d6b332640a
Instruction ID: 54796a64a114f677b8d92407ecd4a50ed0decac6ffbbd2c362e6a5867c8530f7
Opcode Fuzzy Hash: 7e97fb4e9808462dde7aa29a62d9dc2dd1d44bf5528eb2d056fa03d6b332640a
Instruction Fuzzy Hash: A33126B0E402186EFF308A668C14BFFBF66AB49330F08431BE485621D1DF399949BB55

Function 00F861C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00F861FB
__isleadbyte_l.LIBCMT ref: 00F86229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F86257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F8628D

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: a20d444be2d18e99261860b35da6ae42514be4273cda876cfdfa94dfcc8c6ef9
Instruction ID: 57bfaf8e77819d31c053d1b8d4c66743c1d4b55f8be2b74e8f24a7992ab5ca1f
Opcode Fuzzy Hash: a20d444be2d18e99261860b35da6ae42514be4273cda876cfdfa94dfcc8c6ef9
Instruction Fuzzy Hash: 2B31D031A00246AFDF21AF74CC49BEA7BAAFF41320F154069F824D71A1D730E950EB90

Function 00FD4EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00FD4F02

Part of subcall function 00FB3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FB365B
Part of subcall function 00FB3641: GetCurrentThreadId.KERNEL32 ref: 00FB3662
Part of subcall function 00FB3641: AttachThreadInput.USER32(00000000,?,00FB5005), ref: 00FB3669

GetCaretPos.USER32(?), ref: 00FD4F13
ClientToScreen.USER32(00000000,?), ref: 00FD4F4E
GetForegroundWindow.USER32 ref: 00FD4F54

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 7369f11390b3d6b30935f1ee8dfac2c2af3ebf43a122c5a6c2ae28e93c7a8e66
Instruction ID: e6962122623c6eef5b1bcdfbbf676887b2227cc1fb868221e4964ed9ce2a35bc
Opcode Fuzzy Hash: 7369f11390b3d6b30935f1ee8dfac2c2af3ebf43a122c5a6c2ae28e93c7a8e66
Instruction Fuzzy Hash: 6B311A71D00108AFCB04EFB5CC86DEFB7F9EF88300B14406AE915E7241DA75AE099BA0

Function 00FB3C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00FB3C7A
Process32FirstW.KERNEL32(00000000,?), ref: 00FB3C88
Process32NextW.KERNEL32(00000000,?), ref: 00FB3CA8
CloseHandle.KERNEL32(00000000), ref: 00FB3D52

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: aa591b33a7bf10cab9b2efb7c8eb5d4d33f20dd016bd2ff593f0a0dc31eabe64
Instruction ID: ecdfcb03bf26f50e3b90604aa2f55e92469f15ab6f3b0cb8ad74d843246808c3
Opcode Fuzzy Hash: aa591b33a7bf10cab9b2efb7c8eb5d4d33f20dd016bd2ff593f0a0dc31eabe64
Instruction Fuzzy Hash: 5631B3711083059FC300EF61DC81EAFBBE8AF89354F50092DF982861A1EB759A4DDB52

Function 00FDC498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F52612: GetWindowLongW.USER32(?,000000EB), ref: 00F52623

GetCursorPos.USER32(?), ref: 00FDC4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F8B9AB,?,?,?,?,?), ref: 00FDC4E7
GetCursorPos.USER32(?), ref: 00FDC534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F8B9AB,?,?,?), ref: 00FDC56E

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: aa1de5aa4eed09a65888d6ca4f849d09a51df453b553de1f35113ecb219f07e7
Instruction ID: bbc534bbc75fee864cb68a85a779d584f1ce8e4912714c7ec675e153c67bfcce
Opcode Fuzzy Hash: aa1de5aa4eed09a65888d6ca4f849d09a51df453b553de1f35113ecb219f07e7
Instruction Fuzzy Hash: D131C335600018AFCB26CF98D858FAA7BB6EB4A320F484156F9058B361C735AD50EBE4

Function 00FA8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FA8121
Part of subcall function 00FA810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FA812B
Part of subcall function 00FA810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FA813A
Part of subcall function 00FA810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FA8141
Part of subcall function 00FA810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FA8157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00FA86A3
_memcmp.LIBCMT ref: 00FA86C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA86FC
HeapFree.KERNEL32(00000000), ref: 00FA8703

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 9ac55c6f17cbf2bfd482388ffb41e722345113a7cd39c5c738478a5912834c43
Instruction ID: 561efafc3521e6ff8b9229da4562c5c02057f7817b237586889a20889ce664d2
Opcode Fuzzy Hash: 9ac55c6f17cbf2bfd482388ffb41e722345113a7cd39c5c738478a5912834c43
Instruction Fuzzy Hash: D321B0B1E01108EFEB00DFA4CA48BEEB7B8FF46354F148059E405A7241DB70AE06EB60

Function 00F7098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00F709AE

Part of subcall function 00F55A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00FB7896,?,?,00000000), ref: 00F55A2C
Part of subcall function 00F55A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00FB7896,?,?,00000000,?,?), ref: 00F55A50

_fprintf.LIBCMT ref: 00F709E5
OutputDebugStringW.KERNEL32(?), ref: 00FA5DBB

Part of subcall function 00F74AAA: _flsall.LIBCMT ref: 00F74AC3

__setmode.LIBCMT ref: 00F70A1A

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: ca522b845fbdea0042b3683e5ce89a7451021fa5d3de7e65d41dc06b1a30d24c
Instruction ID: d3a2e6fb92a5403130a269deeb815132191c169663ea6b547e54a64d734a3ed4
Opcode Fuzzy Hash: ca522b845fbdea0042b3683e5ce89a7451021fa5d3de7e65d41dc06b1a30d24c
Instruction Fuzzy Hash: 9B113D72904104AFDB04B7B49C469FD7768AF82321F248157F60957182EF7C6846B7A2

Function 00FC1767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FC17A3

Part of subcall function 00FC182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FC184C
Part of subcall function 00FC182D: InternetCloseHandle.WININET(00000000), ref: 00FC18E9

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 37da44d4cd0761eb4d656e65adb588ec8ad5da040e209e904ac51626c9466a3f
Instruction ID: ca0fd2ccec800d9bffd5be0962e2a4ca499dc166afb6f4e6f5e102a36b57b19b
Opcode Fuzzy Hash: 37da44d4cd0761eb4d656e65adb588ec8ad5da040e209e904ac51626c9466a3f
Instruction Fuzzy Hash: 3C21F932604606BFEB129F60CD02FBBBBAAFF49710F14402EF90596592D771D825B790

Function 00FB3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00FDFAC0), ref: 00FB3A64
GetLastError.KERNEL32 ref: 00FB3A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FB3A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00FDFAC0), ref: 00FB3ADF

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: a782d5f73d22279ee7d8f63ee42929328341b241e49defc4095aaaebb766df72
Instruction ID: 44aa7fde415d97fae390a0fb3f5fda32821feabfe0ada5f2b68f9efa648c4980
Opcode Fuzzy Hash: a782d5f73d22279ee7d8f63ee42929328341b241e49defc4095aaaebb766df72
Instruction Fuzzy Hash: C721D6785482058F8300EF29D8818AA77E8AF55364F244A1EF4DAC72A1D735DE09EF42

Function 00FADCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FAF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00FADCD3,?,?,?,00FAEAC6,00000000,000000EF,00000119,?,?), ref: 00FAF0CB
Part of subcall function 00FAF0BC: lstrcpyW.KERNEL32(00000000,?,?,00FADCD3,?,?,?,00FAEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00FAF0F1
Part of subcall function 00FAF0BC: lstrcmpiW.KERNEL32(00000000,?,00FADCD3,?,?,?,00FAEAC6,00000000,000000EF,00000119,?,?), ref: 00FAF122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00FAEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00FADCEC
lstrcpyW.KERNEL32(00000000,?,?,00FAEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00FADD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,00FAEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00FADD46

Strings

cdecl, xrefs: 00FADD3D

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: e3006117a28dbc30839d78f9d51c299e09cb544e8802a31e8e550ebcd3a1b1ed
Instruction ID: 9267ec0e71c9da3881173b39d887821e66d54a00e5505da262f1cdf3481b243e
Opcode Fuzzy Hash: e3006117a28dbc30839d78f9d51c299e09cb544e8802a31e8e550ebcd3a1b1ed
Instruction Fuzzy Hash: 0D11D07A200305EBCB25AF74CC45D7A77A9FF46320B40802AF807CB2A0EB719C41E791

Function 00F850E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F85101

Part of subcall function 00F7571C: __FF_MSGBANNER.LIBCMT ref: 00F75733
Part of subcall function 00F7571C: __NMSG_WRITE.LIBCMT ref: 00F7573A
Part of subcall function 00F7571C: RtlAllocateHeap.NTDLL(01160000,00000000,00000001,00000000,?,?,?,00F70DD3,?), ref: 00F7575F

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 101061d8b08a64d8e43e50fbe61b080c0166b82832e408ed56468f91509352fc
Instruction ID: 71055f20e50b16729e4975674099b4f27112304e6ac7242a1f849bd05c3f65fd
Opcode Fuzzy Hash: 101061d8b08a64d8e43e50fbe61b080c0166b82832e408ed56468f91509352fc
Instruction Fuzzy Hash: 8111CE72901E15ABCF313F74AC0DBDE3798AB40BB1B10852BF9099A160DE388841B791

Function 00F544A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F544CF

Part of subcall function 00F5407C: _memset.LIBCMT ref: 00F540FC
Part of subcall function 00F5407C: _wcscpy.LIBCMT ref: 00F54150
Part of subcall function 00F5407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F54160

KillTimer.USER32(?,00000001,?,?), ref: 00F54524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F54533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F8D4B9

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: d5e8eed36beae905f50f81eff2a6e7e4abed07ca0d053da963bfe1430dc15ecd
Instruction ID: 3b3a99e9540aa19aebb4b593f118fa01b2a3701772a6ac1657e57fba0b516f16
Opcode Fuzzy Hash: d5e8eed36beae905f50f81eff2a6e7e4abed07ca0d053da963bfe1430dc15ecd
Instruction Fuzzy Hash: 06210771904784AFE732DB24CC45BE6BBEC9F02319F04009EE78E56181D3742988EB41

Function 00FC6369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F55A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00FB7896,?,?,00000000), ref: 00F55A2C
Part of subcall function 00F55A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00FB7896,?,?,00000000,?,?), ref: 00F55A50

gethostbyname.WSOCK32(?,?,?), ref: 00FC6399
WSAGetLastError.WSOCK32(00000000), ref: 00FC63A4
_memmove.LIBCMT ref: 00FC63D1
inet_ntoa.WSOCK32(?), ref: 00FC63DC

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: f029359b37250620d8365bc94cc001c1b6aa2444757c1d28269edd33b8316fa4
Instruction ID: 87202c9df16d058eba68e08caea3aeeb7d0fd4dc84fc9a26b01759c10069358f
Opcode Fuzzy Hash: f029359b37250620d8365bc94cc001c1b6aa2444757c1d28269edd33b8316fa4
Instruction Fuzzy Hash: 0A115172900109AFCB04FBA4DD96DAE77B9AF04311B144069FA06E7261DB389E08FB61

Function 00FA8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00FA8B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FA8B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FA8B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FA8BA4

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ae402d7a517a9fcd77d4d8fb9bfa6c9ecad0f3ed5a3d26c7b0a28dc37e202b62
Instruction ID: e94d700e7675606f733fd8fede880f9e89d629e0124cbbe1d7b9e1bd089d3816
Opcode Fuzzy Hash: ae402d7a517a9fcd77d4d8fb9bfa6c9ecad0f3ed5a3d26c7b0a28dc37e202b62
Instruction Fuzzy Hash: 19110AB9901218BFDB11DBA5CC85F9DBB74FB49750F204095E900B7290DA716E11EBA4

Function 00F51290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00F52612: GetWindowLongW.USER32(?,000000EB), ref: 00F52623

DefDlgProcW.USER32(?,00000020,?), ref: 00F512D8
GetClientRect.USER32(?,?), ref: 00F8B5FB
GetCursorPos.USER32(?), ref: 00F8B605
ScreenToClient.USER32(?,?), ref: 00F8B610

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: d8125aa125e52c5106c34c2683152e8ed29a79f666d1c49bfa3ed073240c30a2
Instruction ID: 801b65b2e5c38a24a916b17b010201464a4f96af507e123234869103f24c9d47
Opcode Fuzzy Hash: d8125aa125e52c5106c34c2683152e8ed29a79f666d1c49bfa3ed073240c30a2
Instruction Fuzzy Hash: 26111935901019BBCB10EFA4D885AAE77B9FB05302F400456EA41E7240C734BA59ABA5

Function 00FB1142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00FAFCED,?,00FB0D40,?,00008000), ref: 00FB115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00FAFCED,?,00FB0D40,?,00008000), ref: 00FB1184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00FAFCED,?,00FB0D40,?,00008000), ref: 00FB118E
Sleep.KERNEL32(?,?,?,?,?,?,?,00FAFCED,?,00FB0D40,?,00008000), ref: 00FB11C1

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 21cb50e5b9be617f39854ef3a777112329bdf4e025266b96214a811458aee7c4
Instruction ID: 381aa7055217df36ec406be141ebcd58816e7655ce35110ea2990446300aac65
Opcode Fuzzy Hash: 21cb50e5b9be617f39854ef3a777112329bdf4e025266b96214a811458aee7c4
Instruction Fuzzy Hash: 4D118E32C0151CE7CF009FAAD858BEEBB7CFF09711F904056EA45B6240CB309554EBA1

Function 00FAD831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00FAD84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00FAD864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00FAD879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00FAD897

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 88466e8644e560b553c676a78b8414f8b7fa4b57a7ac925d07a03478ad9dc855
Instruction ID: bac7f9594732b4fcfa8e5bdd2e0f19f129e0e397e7831fd63da410ba32cbe370
Opcode Fuzzy Hash: 88466e8644e560b553c676a78b8414f8b7fa4b57a7ac925d07a03478ad9dc855
Instruction Fuzzy Hash: 571161B5606304DBE320CF60DC08F97BBBCEB01B00F10856AA517D6890D7B8E549BBA1

Function 00F86FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00F86FDB

Part of subcall function 00F876C2: __fltout2.LIBCMT ref: 00F876EB

__cftog_l.LIBCMT ref: 00F87001
__cftoe_l.LIBCMT ref: 00F87033

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 6eba845941de31e6292df7c0be767af81e75b95794e121aa3ba0753caaed89f9
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 24014B7244824ABBCF167E84CC41DEE3F62BB18361B688415FA1858031D336D9B1BB81

Function 00FDB2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FDB2E4
ScreenToClient.USER32(?,?), ref: 00FDB2FC
ScreenToClient.USER32(?,?), ref: 00FDB320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FDB33B

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 1577b0145e69376ecc7865a9b7b755793082979184221a1a62350f85300e6c39
Instruction ID: 42f23c41171be6c345a2cc9f3aa6aedd7d5b01c2888e0aaedaa3423cfd213054
Opcode Fuzzy Hash: 1577b0145e69376ecc7865a9b7b755793082979184221a1a62350f85300e6c39
Instruction Fuzzy Hash: 911143B9D0020DEFDB41CFA9C8849EEBBB9FB08310F108166E915E3620D735AA559F50

Function 00FDB635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FDB644
_memset.LIBCMT ref: 00FDB653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,01016F20,01016F64), ref: 00FDB682
CloseHandle.KERNEL32 ref: 00FDB694

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 1445510c6bd906937e458ae7981c20db965651614cd260445a8cf626b42ac0d8
Instruction ID: e1dbb3e87b05234792fba2b928d657b316bf5b0e8b50bd12a1eb4ddc39ed9abe
Opcode Fuzzy Hash: 1445510c6bd906937e458ae7981c20db965651614cd260445a8cf626b42ac0d8
Instruction Fuzzy Hash: 27F089B25413047BE2202775AC05F7B3A9DEB04355F404029FA49D5185D7BF8C00D7A9

Function 00FB6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00FB6BE6

Part of subcall function 00FB76C4: _memset.LIBCMT ref: 00FB76F9

_memmove.LIBCMT ref: 00FB6C09
_memset.LIBCMT ref: 00FB6C16
LeaveCriticalSection.KERNEL32(?), ref: 00FB6C26

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 03486466dc57107a266069981652489f12d78220ea2450777713d14d45bd3b58
Instruction ID: 792df2b44a1b90ef04fd3355389643c94eefc92e23ed10926643e5d8a4684e8b
Opcode Fuzzy Hash: 03486466dc57107a266069981652489f12d78220ea2450777713d14d45bd3b58
Instruction Fuzzy Hash: D0F0543A100104ABCF016F55DC85E8ABF2AEF45361F04C061FE095E227CB35E911EBB5

Function 00F52218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00F52231
SetTextColor.GDI32(?,000000FF), ref: 00F5223B
SetBkMode.GDI32(?,00000001), ref: 00F52250
GetStockObject.GDI32(00000005), ref: 00F52258
GetWindowDC.USER32(?,00000000), ref: 00F8BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 00F8BE90
GetPixel.GDI32(00000000,?,00000000), ref: 00F8BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 00F8BEC2
GetPixel.GDI32(00000000,?,?), ref: 00F8BEE2
ReleaseDC.USER32(?,00000000), ref: 00F8BEED

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 6c226df7a2a87baac9c7e7598fde5cf9d6335bf5fd6644711931a3ac4963b4ea
Instruction ID: 5329bc067ec41cc38440d31d9020f258c79458d4bf9415c44673da01f1870184
Opcode Fuzzy Hash: 6c226df7a2a87baac9c7e7598fde5cf9d6335bf5fd6644711931a3ac4963b4ea
Instruction Fuzzy Hash: FEE03032504248AADF215FB4FC0DBD83B11EB05332F048367FA6A880E187714584EB11

Function 00FA8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00FA871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,00FA82E6), ref: 00FA8722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00FA82E6), ref: 00FA872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,00FA82E6), ref: 00FA8736

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 82a6d69d2edd7ac60e121d98edbe613d054373611a2a8024f9ec6374a078aacc
Instruction ID: de8e919140f11801ba76fb573ba3b1f14a1eb743bb03f23df1e05099ef8c0a8b
Opcode Fuzzy Hash: 82a6d69d2edd7ac60e121d98edbe613d054373611a2a8024f9ec6374a078aacc
Instruction Fuzzy Hash: 25E08676A122159BD7206FB05D0CF563BADEF517E2F158829B246CB040DA74884AE750

Function 00FAB2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00FAB4BE

Strings

AutoIt3GUI, xrefs: 00FAB436
Container, xrefs: 00FAB43B

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: f31a9a358986626fd34e1c8f3b1524a0a6223f72da30c2d332d39acee5dc406f
Instruction ID: c73a1b6fadbb025fd4b9499210d9f40fc84da5b42e98c578dad36c992e3d1f6e
Opcode Fuzzy Hash: f31a9a358986626fd34e1c8f3b1524a0a6223f72da30c2d332d39acee5dc406f
Instruction Fuzzy Hash: 52915AB1600701AFDB14DF64C884B6ABBE9FF49710F24856EF94ACB292DB71E841DB50

Function 00FBAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F6FC86: _wcscpy.LIBCMT ref: 00F6FCA9

Part of subcall function 00F59837: __itow.LIBCMT ref: 00F59862
Part of subcall function 00F59837: __swprintf.LIBCMT ref: 00F598AC

__wcsnicmp.LIBCMT ref: 00FBB02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00FBB0F6

Strings

LPT, xrefs: 00FBB027

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 71579cceddc8a57edc6b27ad889b12b085afd7550a26c5aadc1baae3d14d01ff
Instruction ID: b70fc8e07f2917a94b424e351c16edaa188111fe3461542b453338b9e8ec8359
Opcode Fuzzy Hash: 71579cceddc8a57edc6b27ad889b12b085afd7550a26c5aadc1baae3d14d01ff
Instruction Fuzzy Hash: AC616F76E00215EFCB18EF99CC91EEEB7B4AB08310F144069F916AB251D7B4AE44EF51

Function 00F62957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00F62968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00F62981

Strings

@, xrefs: 00F62975

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 4a3fb66839920edf9ebf17dcfc9bada43178b4f2371f0ab2e8f37f1ee6cb9da3
Instruction ID: 4a33feb6bcdae319ee30ca2a42637f57816d01db4ca2952fc69b8d58e8958fd3
Opcode Fuzzy Hash: 4a3fb66839920edf9ebf17dcfc9bada43178b4f2371f0ab2e8f37f1ee6cb9da3
Instruction Fuzzy Hash: FD5165724087489BD320AF10DC86BAFBBE8FF85341F81885DF6D8410A1DBB4952DDB66

Function 00FB9734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00F54F0B: __fread_nolock.LIBCMT ref: 00F54F29

_wcscmp.LIBCMT ref: 00FB9824
_wcscmp.LIBCMT ref: 00FB9837

Strings

FILE, xrefs: 00FB9770

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 75904fc3020c2eef899e1458c58ad515559c44ae6e3a8b86947116348480ff2c
Instruction ID: 580328fb19a4117399dab1a247adece100a9ac6c7819cd275e4ec06743fba4e1
Opcode Fuzzy Hash: 75904fc3020c2eef899e1458c58ad515559c44ae6e3a8b86947116348480ff2c
Instruction Fuzzy Hash: 59410B31A04209BADF209FA5CC45FEFBBFDEF85714F00406AFA04E7181D6B5A944AB61

Function 00FC258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FC259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00FC25D4

Strings

|, xrefs: 00FC25A5

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: dafe6ab3933f96b176d32f31eeb11abb2adab7b83752952ec443208fd1cc7811
Instruction ID: 9b1e52ae2b7465a19dcd61deaf048e5864d2fee3d04ec4e3af1ce209c2ec63df
Opcode Fuzzy Hash: dafe6ab3933f96b176d32f31eeb11abb2adab7b83752952ec443208fd1cc7811
Instruction Fuzzy Hash: 05311971800219ABCF41EFA5EC85EEEBFB9FF08350F100059FD15A6162DA355A5AEB60

Function 00FD7A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00FD7B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FD7B76

Strings

', xrefs: 00FD7ACA

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: b5a3dbcb9a9979c95fcee318cfd8d61cfa3bfdff6d2a89f4a76f0515db442b5f
Instruction ID: a7038e01fc855605679cdc0dcf3bb61e97996d9c60e2960194943f762165a270
Opcode Fuzzy Hash: b5a3dbcb9a9979c95fcee318cfd8d61cfa3bfdff6d2a89f4a76f0515db442b5f
Instruction Fuzzy Hash: 94413674A0430A9FDB10DF68C881BEABBB6FB49300F14016AE904EF395E734A941DF90

Function 00FD6A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00FD6B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00FD6B53

Strings

static, xrefs: 00FD6AB3

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: f697c02949d187ef0a0d6421ccfb055264cdc59770daaa4f34c50703e753eb4e
Instruction ID: b3356f318955cfa5c6522ab4c3d0cce9d37af9a8b32442cbd4fe40eed988f971
Opcode Fuzzy Hash: f697c02949d187ef0a0d6421ccfb055264cdc59770daaa4f34c50703e753eb4e
Instruction Fuzzy Hash: EE318F71500204AEDB109F64CC41BFB77BAFF88764F14861AF9A5D7290DB35AC45E760

Function 00FB28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FB2911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00FB294C

Strings

0, xrefs: 00FB290A

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 900e1f61446e0d91a6979cbceacda3d5dcb0752ec5dc3686b29b7b20086ead61
Instruction ID: e9ec72d9c94ece0f6c63305b9fb7e74214471176f8d61d7ff224459a132eb3b1
Opcode Fuzzy Hash: 900e1f61446e0d91a6979cbceacda3d5dcb0752ec5dc3686b29b7b20086ead61
Instruction Fuzzy Hash: 9431D531A003059BEB64CF5ADC45BEEBBB8EF46360F144019E989A61A0D7749944FF51

Function 00FC39E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00FC3A66

Part of subcall function 00F57DE1: _memmove.LIBCMT ref: 00F57E22

Strings

, $, xrefs: 00FC3AA6
AUTOITCALLVARIABLE%d, xrefs: 00FC3A58

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: d4bd6c31c401e951cdb9012c5f659963e373e34ba4cf7e97c4b8ad60aab967a1
Instruction ID: 4d865011cf27a1754a0b8a1ec7a52980dce83b97aeb5208878728f370f399b79
Opcode Fuzzy Hash: d4bd6c31c401e951cdb9012c5f659963e373e34ba4cf7e97c4b8ad60aab967a1
Instruction Fuzzy Hash: 5021C335A00219AFCF14FF64DC82EAE77B5BF44740F008459F945AB182DB38EA55EB61

Function 00FD66D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00FD6761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FD676C

Strings

Combobox, xrefs: 00FD672E

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 364ede31f3a0fac942d1d50084c9ac4c2e5cc1d5fdf23873bac342cdd285f7bc
Instruction ID: c32c440f38ec14daa2db0fdb435cf61d9efee9d8411c435437373def8aeb1bce
Opcode Fuzzy Hash: 364ede31f3a0fac942d1d50084c9ac4c2e5cc1d5fdf23873bac342cdd285f7bc
Instruction Fuzzy Hash: 69119371700208AFEF118F54DC81EAB376BEB48368F14412AF954DB391DA35DC51A7A0

Function 00FD6C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00F51D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F51D73
Part of subcall function 00F51D35: GetStockObject.GDI32(00000011), ref: 00F51D87
Part of subcall function 00F51D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F51D91

GetWindowRect.USER32(00000000,?), ref: 00FD6C71
GetSysColor.USER32(00000012), ref: 00FD6C8B

Strings

static, xrefs: 00FD6C4E

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 2e6cabd1e6bd4a8c71192b20905977d56f6f751d7085081bd892075797c719f7
Instruction ID: ae2b034cf326a92c2edaa224a35c9210718c2dab09c7a8c7d81f131f9d36e970
Opcode Fuzzy Hash: 2e6cabd1e6bd4a8c71192b20905977d56f6f751d7085081bd892075797c719f7
Instruction Fuzzy Hash: 8B211772A20209AFDB04DFB8DC45EEA7BA9FB08315F04462AF995D2250D635E854AB60

Function 00FD6920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00FD69A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00FD69B1

Strings

edit, xrefs: 00FD6986

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 535ca67a2378993bde12a75faac572f903124d81e844f72a6cc92c21eeb20a71
Instruction ID: fcb3e0b815157de7928f34e7a2e4bce36c4bc79ffb83cc0ccbb4ff6627aa8c05
Opcode Fuzzy Hash: 535ca67a2378993bde12a75faac572f903124d81e844f72a6cc92c21eeb20a71
Instruction Fuzzy Hash: 00119A71900208ABEB109E749C60EAB37AAEB053B4F584726F9A1D62E0C736DC54B761

Function 00FB29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FB2A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00FB2A41

Strings

0, xrefs: 00FB2A18

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 39856f7607c2ee62740f00265c1ef5667551e0d7d870c9eb04581982d86b0d93
Instruction ID: 7d437e064c5a933e16cb9a4a70fcbcdad8c822dad1b7f580509c82ed7fb8a85e
Opcode Fuzzy Hash: 39856f7607c2ee62740f00265c1ef5667551e0d7d870c9eb04581982d86b0d93
Instruction Fuzzy Hash: 5411B932D01114ABDB71EB59DC44BEA77BCAB86324F144021E855F7250D778AD06EB91

Function 00FC21D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00FC222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00FC2255

Strings

<local>, xrefs: 00FC221D

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 419fd75a9226e4fb49fb6b122486a1f5216e5189ca16916b96dbe8641ae42f8e
Instruction ID: 23ff5a05d59bc413a84d5f04224614ccb3f1f7d9367faa2c023672e851acf65c
Opcode Fuzzy Hash: 419fd75a9226e4fb49fb6b122486a1f5216e5189ca16916b96dbe8641ae42f8e
Instruction Fuzzy Hash: 8311A071941226BAEB658F518D86FFBFBA8FF16761F10822EF91586000D3705994E6F0

Function 00FA8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F57DE1: _memmove.LIBCMT ref: 00F57E22

Part of subcall function 00FAAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FAAABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00FA8E73

Strings

ComboBox, xrefs: 00FA8E12
ListBox, xrefs: 00FA8E3D

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 0cb4de3b43087e8fa0ed52953930db59699ba5b24e658bd3c6b621caf717e9bd
Instruction ID: e12d87f64fffd6f8ab9d95f890d08449acc6dbf31dea56a5daa98eb49393e19c
Opcode Fuzzy Hash: 0cb4de3b43087e8fa0ed52953930db59699ba5b24e658bd3c6b621caf717e9bd
Instruction Fuzzy Hash: 9701F5B1A41218EB9B15EBE0CC919FE7769EF02360F000619FC615B2E1DE39580CE650

Function 00FB8D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FB8DAC
__fread_nolock.LIBCMT ref: 00FB8DC1

Strings

EA06, xrefs: 00FB8DF3

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 704106a15f77d2a84a7209a3f32433301104cca441cfb1eace3eca348166deb3
Instruction ID: a7b69bb929fdf28b94331dfaf09465c1d8162a935978aa74ceae69e7336f8ac3
Opcode Fuzzy Hash: 704106a15f77d2a84a7209a3f32433301104cca441cfb1eace3eca348166deb3
Instruction Fuzzy Hash: 2101F972C042187EDB18CAA9CC16EEE7BFCDB15711F00419FF596D6181E9B9A6049B60

Function 00FA8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F57DE1: _memmove.LIBCMT ref: 00F57E22

Part of subcall function 00FAAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FAAABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00FA8D6B

Strings

ComboBox, xrefs: 00FA8D0A
ListBox, xrefs: 00FA8D35

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 08e71e72c13440b361db9c77bfd872a3e1414fb3b0e1fd70e17301b14e5915e8
Instruction ID: e2c360bc6d1646ab2ec4fb81fe86c3c47dce28208191de8387c3dc065ffb22ee
Opcode Fuzzy Hash: 08e71e72c13440b361db9c77bfd872a3e1414fb3b0e1fd70e17301b14e5915e8
Instruction Fuzzy Hash: 8A01DFB1A41108ABDB15EBA0CD52EFE77B8DF16350F100029B9426B2E1DE699E0CE271

Function 00FA8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F57DE1: _memmove.LIBCMT ref: 00F57E22

Part of subcall function 00FAAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FAAABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00FA8DEE

Strings

ComboBox, xrefs: 00FA8D8F
ListBox, xrefs: 00FA8DBA

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 3ddb98f3842cdd046a19678d006b6e2ef4d5faf836add79680a631d3f17f0a9b
Instruction ID: b3f8f4309edc7eb82ff8def912a8065669e2a22295e87c863f6c61fbd9144b0b
Opcode Fuzzy Hash: 3ddb98f3842cdd046a19678d006b6e2ef4d5faf836add79680a631d3f17f0a9b
Instruction Fuzzy Hash: 1601F2F1A41108A7DB11EBA4CD52EFE77A88F12350F104019BC42A72D2DE299E0DF271

Function 00FB4F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00FB4F46
_wcscmp.LIBCMT ref: 00FB4F58

Strings

#32770, xrefs: 00FB4F52

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 1a9221cbd6d09dda53f11cd44a393c80387e8963ac4dfa15b32d95003c72883f
Instruction ID: 8c7e2ee22d6045393442c6691857451e729272dc55a06440ab4e5044b9a8d959
Opcode Fuzzy Hash: 1a9221cbd6d09dda53f11cd44a393c80387e8963ac4dfa15b32d95003c72883f
Instruction Fuzzy Hash: 3AE0D13290032D27D72096959C45FE7F7ACEB45B71F010057FD44D7041D5759A45C7D1

Function 00F8B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F8B314: _memset.LIBCMT ref: 00F8B321

Part of subcall function 00F70940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F8B2F0,?,?,?,00F5100A), ref: 00F70945

IsDebuggerPresent.KERNEL32(?,?,?,00F5100A), ref: 00F8B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F5100A), ref: 00F8B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F8B2FE

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 9dae67525b1e9d85de79e0d15ee7644bc0ea8ff459e119876c5b1a3f4b1f6f15
Instruction ID: f91d934a9338502ae8de010fd286d6450cd69e1ad93b3f9259630831506c300b
Opcode Fuzzy Hash: 9dae67525b1e9d85de79e0d15ee7644bc0ea8ff459e119876c5b1a3f4b1f6f15
Instruction Fuzzy Hash: 58E06D706003058BD760AF28D8047827BE4AF00314F00892DF986C7291EBB8D408EBA1

Function 00FA7C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00FA7C82

Part of subcall function 00F73358: _doexit.LIBCMT ref: 00F73362

Strings

Error allocating memory., xrefs: 00FA7C7B
AutoIt, xrefs: 00FA7C76

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 966c5278377fc9b5b0fb08157640eeacb6dcecec4d4f95c252aabe1417c26174
Instruction ID: b6f98daedb02048e2cd29e9daee90eb1c850b2ff1fc0e7dd8ee08f7cc64597c5
Opcode Fuzzy Hash: 966c5278377fc9b5b0fb08157640eeacb6dcecec4d4f95c252aabe1417c26174
Instruction Fuzzy Hash: C1D0C23238435832D11132BA6C06FCA36484F01B62F104016FB08994D349D9958071A6

Function 00F91935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00F91775

Part of subcall function 00FCBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00F9195E,?), ref: 00FCBFFE
Part of subcall function 00FCBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00FCC010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00F9196D

Strings

WIN_XPe, xrefs: 00F91788

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: d537af5642982c35a77a539744716b47eea0a15abdad167851fb3f2df6c6bdb4
Instruction ID: 7aeba0c67285f6233f5cd9a31db6033a4d90190eb2f6c919a0385b9f24f382cf
Opcode Fuzzy Hash: d537af5642982c35a77a539744716b47eea0a15abdad167851fb3f2df6c6bdb4
Instruction Fuzzy Hash: 55F0C97180110ADFEF15DBA1C995BECBBF8BB08305F5400AAE512A2190D7754F88EF61

Function 00FD5998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FD59AE
PostMessageW.USER32(00000000), ref: 00FD59B5

Part of subcall function 00FB5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FB52BC

Strings

Shell_TrayWnd, xrefs: 00FD59A7

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c0ca145815b2c7c76ce2599bb0afec8ca382c8072ae8f2e74e7b52258e897991
Instruction ID: 628ad3659940782847a7ee1b35dcd6377c5f2ec58fb5484436effbc197e2be8c
Opcode Fuzzy Hash: c0ca145815b2c7c76ce2599bb0afec8ca382c8072ae8f2e74e7b52258e897991
Instruction Fuzzy Hash: 13D0C9317823157AEA64BB71AC0FFD67615BB04B51F08082AB346AA1D0C9E5A804DA58

Function 00FD5964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FD596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00FD5981

Part of subcall function 00FB5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FB52BC

Strings

Shell_TrayWnd, xrefs: 00FD5967

Memory Dump Source

Source File: 00000000.00000002.1344071474.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.1344053924.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000000FDF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344123173.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344188669.000000000100E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1344209438.0000000001017000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_ZV2G9QQzlR.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: fe52f77a88a7851e515b0573da58d5ee48607de77fe0297c8cac4179db493d7e
Instruction ID: d8b7afb42b6dc78ce138b4eaeb721f4cef4ae768e4e480d17e3919b8375a4a17
Opcode Fuzzy Hash: fe52f77a88a7851e515b0573da58d5ee48607de77fe0297c8cac4179db493d7e
Instruction Fuzzy Hash: E6D0C935785315B6EA64BB71AC1FFD67A15BB00B51F08082AB34AAA1D0C9E59804DA54

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ZV2G9QQzlR.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Dunlop

C:\Users\user\AppData\Local\Temp\aut967A.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

DNS Answers

Statistics

CPU Usage

Windows Analysis Report
ZV2G9QQzlR.exe

Function 00F53B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00F549A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00F54E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00FB9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00F53015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00F53041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00F5708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00F53A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00F53633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00F53766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 01206390 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00F539D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01206160 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 144
fileCOMMON

Function 00F5407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Function 00F5686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre