Edit tour

Windows Analysis Report
qI6cHJbHJg.exe

Overview

General Information

Sample name:	qI6cHJbHJg.exe renamed because original name is a hash value
Original sample name:	0a602309b015e92744a9a3d7df48f1d50d76c9e074ee70410e7fcc13debd8ad0.exe
Analysis ID:	1588105
MD5:	5f3623ce788d663d39d5e5f0f13b78c4
SHA1:	dc6488457a2ead79d27d38327219177514abb7ea
SHA256:	0a602309b015e92744a9a3d7df48f1d50d76c9e074ee70410e7fcc13debd8ad0
Tags:	exeuser-adrian__luca
Infos:

Detection

FormBook

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

qI6cHJbHJg.exe (PID: 7352 cmdline: "C:\Users\user\Desktop\qI6cHJbHJg.exe" MD5: 5F3623CE788D663D39D5E5F0F13B78C4)

svchost.exe (PID: 7436 cmdline: "C:\Users\user\Desktop\qI6cHJbHJg.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2002405456.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2002446421.0000000002530000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\qI6cHJbHJg.exe", CommandLine: "C:\Users\user\Desktop\qI6cHJbHJg.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\qI6cHJbHJg.exe", ParentImage: C:\Users\user\Desktop\qI6cHJbHJg.exe, ParentProcessId: 7352, ParentProcessName: qI6cHJbHJg.exe, ProcessCommandLine: "C:\Users\user\Desktop\qI6cHJbHJg.exe", ProcessId: 7436, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\qI6cHJbHJg.exe", CommandLine: "C:\Users\user\Desktop\qI6cHJbHJg.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\qI6cHJbHJg.exe", ParentImage: C:\Users\user\Desktop\qI6cHJbHJg.exe, ParentProcessId: 7352, ParentProcessName: qI6cHJbHJg.exe, ProcessCommandLine: "C:\Users\user\Desktop\qI6cHJbHJg.exe", ProcessId: 7436, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: qI6cHJbHJg.exe	Virustotal: Detection: 62%			Perma Link
Source: qI6cHJbHJg.exe	ReversingLabs: Detection: 73%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2002405456.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2002446421.0000000002530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: qI6cHJbHJg.exe

Joe Sandbox ML: detected

Source: qI6cHJbHJg.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: qI6cHJbHJg.exe, 00000000.00000003.1396378152.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, qI6cHJbHJg.exe, 00000000.00000003.1397849354.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2002671820.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2002671820.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1666983475.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1668789866.0000000002C00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: qI6cHJbHJg.exe, 00000000.00000003.1396378152.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, qI6cHJbHJg.exe, 00000000.00000003.1397849354.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2002671820.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2002671820.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1666983475.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1668789866.0000000002C00000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_0031445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0031445A
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_0031C6D1 FindFirstFileW,FindClose,	0_2_0031C6D1
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_0031C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0031C75C
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_0031EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0031EF95
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_0031F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0031F0F2
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_0031F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0031F3F3
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_003137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003137EF
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_00313B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00313B12
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_0031BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0031BCBC

Source: global traffic

TCP traffic: 192.168.2.9:63966 -> 1.1.1.1:53

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_003222EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_003222EE

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_00324164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00324164

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_00324164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00324164

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_00323F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00323F66

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_0031001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0031001C

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_0033CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0033CABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2002405456.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2002446421.0000000002530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: This is a third-party compiled AutoIt script.	0_2_002B3B3A
Source: qI6cHJbHJg.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: qI6cHJbHJg.exe, 00000000.00000000.1363034673.0000000000364000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b846bfcd-1
Source: qI6cHJbHJg.exe, 00000000.00000000.1363034673.0000000000364000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_b762061a-8
Source: qI6cHJbHJg.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_39d15400-9
Source: qI6cHJbHJg.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_7e3bfacd-b

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C5E3 NtClose,	2_2_0042C5E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72B60 NtClose,LdrInitializeThunk,	2_2_02E72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_02E72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E735C0 NtCreateMutant,LdrInitializeThunk,	2_2_02E735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E74340 NtSetContextThread,	2_2_02E74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E74650 NtSuspendThread,	2_2_02E74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72AF0 NtWriteFile,	2_2_02E72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72AD0 NtReadFile,	2_2_02E72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72AB0 NtWaitForSingleObject,	2_2_02E72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72BE0 NtQueryValueKey,	2_2_02E72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72BF0 NtAllocateVirtualMemory,	2_2_02E72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72BA0 NtEnumerateValueKey,	2_2_02E72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72B80 NtQueryInformationFile,	2_2_02E72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72EE0 NtQueueApcThread,	2_2_02E72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72EA0 NtAdjustPrivilegesToken,	2_2_02E72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72E80 NtReadVirtualMemory,	2_2_02E72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72E30 NtWriteVirtualMemory,	2_2_02E72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72FE0 NtCreateFile,	2_2_02E72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72FA0 NtQuerySection,	2_2_02E72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72FB0 NtResumeThread,	2_2_02E72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72F90 NtProtectVirtualMemory,	2_2_02E72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72F60 NtCreateProcessEx,	2_2_02E72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72F30 NtCreateSection,	2_2_02E72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72CF0 NtOpenProcess,	2_2_02E72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72CC0 NtQueryVirtualMemory,	2_2_02E72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72CA0 NtQueryInformationToken,	2_2_02E72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72C60 NtCreateKey,	2_2_02E72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72C70 NtFreeVirtualMemory,	2_2_02E72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72C00 NtQueryInformationProcess,	2_2_02E72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72DD0 NtDelayExecution,	2_2_02E72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72DB0 NtEnumerateKey,	2_2_02E72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72D30 NtUnmapViewOfSection,	2_2_02E72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72D00 NtSetInformationFile,	2_2_02E72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72D10 NtMapViewOfSection,	2_2_02E72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E73090 NtSetValueKey,	2_2_02E73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E73010 NtOpenDirectoryObject,	2_2_02E73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E739B0 NtGetContextThread,	2_2_02E739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E73D70 NtOpenThread,	2_2_02E73D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E73D10 NtOpenProcessToken,	2_2_02E73D10

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_0031A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0031A1EF

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_00308310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00308310

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_003151BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_003151BD

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002BE6A0	0_2_002BE6A0
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002DD975	0_2_002DD975
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002BFCE0	0_2_002BFCE0
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002D21C5	0_2_002D21C5
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002E62D2	0_2_002E62D2
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_003303DA	0_2_003303DA
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002E242E	0_2_002E242E
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002D25FA	0_2_002D25FA
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_0030E616	0_2_0030E616
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002C66E1	0_2_002C66E1
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002E878F	0_2_002E878F
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002C8808	0_2_002C8808
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_00330857	0_2_00330857
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002E6844	0_2_002E6844
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_00318889	0_2_00318889
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002DCB21	0_2_002DCB21
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002E6DB6	0_2_002E6DB6
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002C6F9E	0_2_002C6F9E
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002C3030	0_2_002C3030
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002D3187	0_2_002D3187
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002DF1D9	0_2_002DF1D9
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002B1287	0_2_002B1287
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002D1484	0_2_002D1484
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002C5520	0_2_002C5520
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002D7696	0_2_002D7696
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002C5760	0_2_002C5760
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002D1978	0_2_002D1978
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002E9AB5	0_2_002E9AB5
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002DBDA6	0_2_002DBDA6
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002D1D90	0_2_002D1D90
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_00337DDB	0_2_00337DDB
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002BDF00	0_2_002BDF00
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002C3FE0	0_2_002C3FE0
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_01410348	0_2_01410348
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E043	2_2_0040E043
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410063	2_2_00410063
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E1DC	2_2_0040E1DC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E187	2_2_0040E187
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E193	2_2_0040E193
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401240	2_2_00401240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042EBE3	2_2_0042EBE3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401540	2_2_00401540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402D80	2_2_00402D80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FE43	2_2_0040FE43
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FE3A	2_2_0040FE3A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004167B3	2_2_004167B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EC02C0	2_2_02EC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EE0274	2_2_02EE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E4E3F0	2_2_02E4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F003E6	2_2_02F003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EFA352	2_2_02EFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02ED2000	2_2_02ED2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EF81CC	2_2_02EF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EF41A2	2_2_02EF41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F001AA	2_2_02F001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EC8158	2_2_02EC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E30100	2_2_02E30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EDA118	2_2_02EDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5C6E0	2_2_02E5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3C7C0	2_2_02E3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E40770	2_2_02E40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E64750	2_2_02E64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EEE4F6	2_2_02EEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EF2446	2_2_02EF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EE4420	2_2_02EE4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F00591	2_2_02F00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E40535	2_2_02E40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3EA80	2_2_02E3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EF6BD7	2_2_02EF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EFAB40	2_2_02EFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6E8F0	2_2_02E6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E268B8	2_2_02E268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E4A840	2_2_02E4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E42840	2_2_02E42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E429A0	2_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F0A9A6	2_2_02F0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E56962	2_2_02E56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EFEEDB	2_2_02EFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E52E90	2_2_02E52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EFCE93	2_2_02EFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E40E59	2_2_02E40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EFEE26	2_2_02EFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E4CFE0	2_2_02E4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E32FC8	2_2_02E32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EBEFA0	2_2_02EBEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB4F40	2_2_02EB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E82F28	2_2_02E82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E60F30	2_2_02E60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EE2F30	2_2_02EE2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E30CF2	2_2_02E30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EE0CB5	2_2_02EE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E40C00	2_2_02E40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3ADE0	2_2_02E3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E58DBF	2_2_02E58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E4AD00	2_2_02E4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EDCD1F	2_2_02EDCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EE12ED	2_2_02EE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5B2C0	2_2_02E5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E452A0	2_2_02E452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E8739A	2_2_02E8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E2D34C	2_2_02E2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EF132D	2_2_02EF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EF70E9	2_2_02EF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EFF0E0	2_2_02EFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EEF0CC	2_2_02EEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E470C0	2_2_02E470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E4B1B0	2_2_02E4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E7516C	2_2_02E7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E2F172	2_2_02E2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F0B16B	2_2_02F0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EF16CC	2_2_02EF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E85630	2_2_02E85630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EFF7B0	2_2_02EFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E31460	2_2_02E31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EFF43F	2_2_02EFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F095C3	2_2_02F095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EDD5B0	2_2_02EDD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EF7571	2_2_02EF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EEDAC6	2_2_02EEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EDDAAC	2_2_02EDDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E85AA0	2_2_02E85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EE1AA3	2_2_02EE1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB3A6C	2_2_02EB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EFFA49	2_2_02EFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EF7A46	2_2_02EF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB5BF0	2_2_02EB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E7DBF9	2_2_02E7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5FB80	2_2_02E5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EFFB76	2_2_02EFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E438E0	2_2_02E438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EAD800	2_2_02EAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E49950	2_2_02E49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5B950	2_2_02E5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02ED5910	2_2_02ED5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E49EB0	2_2_02E49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EFFFB1	2_2_02EFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E41F92	2_2_02E41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EFFF09	2_2_02EFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EFFCF2	2_2_02EFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB9C32	2_2_02EB9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5FDC0	2_2_02E5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EF7D73	2_2_02EF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E43D40	2_2_02E43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EF1D5A	2_2_02EF1D5A

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02E75130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02E2B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02EAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02E87E54 appears 110 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02EBF290 appears 105 times
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: String function: 002D0AE3 appears 70 times
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: String function: 002D8900 appears 42 times
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: String function: 002B7DE1 appears 35 times

Source: qI6cHJbHJg.exe, 00000000.00000003.1396800863.0000000003C73000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs qI6cHJbHJg.exe
Source: qI6cHJbHJg.exe, 00000000.00000003.1397416610.0000000003E1D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs qI6cHJbHJg.exe

Source: qI6cHJbHJg.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@3/2@0/0

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_0031A06A GetLastError,FormatMessageW,

0_2_0031A06A

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_003081CB AdjustTokenPrivileges,CloseHandle,		0_2_003081CB
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_003087E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_003087E1

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_0031B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0031B333

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_0032EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0032EE0D

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_003283BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_003283BB

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_002B4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_002B4E89

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

File created: C:\Users\user\AppData\Local\Temp\aut2354.tmp

Jump to behavior

Source: qI6cHJbHJg.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: qI6cHJbHJg.exe	Virustotal: Detection: 62%
Source: qI6cHJbHJg.exe	ReversingLabs: Detection: 73%

Source: unknown	Process created: C:\Users\user\Desktop\qI6cHJbHJg.exe "C:\Users\user\Desktop\qI6cHJbHJg.exe"
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\qI6cHJbHJg.exe"
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\qI6cHJbHJg.exe"	Jump to behavior

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: qI6cHJbHJg.exe

Static file information: File size 1201664 > 1048576

Source: qI6cHJbHJg.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: qI6cHJbHJg.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: qI6cHJbHJg.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: qI6cHJbHJg.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: qI6cHJbHJg.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: qI6cHJbHJg.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: qI6cHJbHJg.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: qI6cHJbHJg.exe, 00000000.00000003.1396378152.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, qI6cHJbHJg.exe, 00000000.00000003.1397849354.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2002671820.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2002671820.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1666983475.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1668789866.0000000002C00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: qI6cHJbHJg.exe, 00000000.00000003.1396378152.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, qI6cHJbHJg.exe, 00000000.00000003.1397849354.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2002671820.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2002671820.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1666983475.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1668789866.0000000002C00000.00000004.00000020.00020000.00000000.sdmp

Source: qI6cHJbHJg.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: qI6cHJbHJg.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: qI6cHJbHJg.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: qI6cHJbHJg.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: qI6cHJbHJg.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_002B4B37 LoadLibraryA,GetProcAddress,

0_2_002B4B37

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002D8945 push ecx; ret	0_2_002D8958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403000 push eax; ret	2_2_00403002
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041F1E2 push FFFFFFD8h; retf	2_2_0041F206
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E9E4 push ebx; iretd	2_2_0041E9E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417281 push cs; ret	2_2_00417282
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401540 push esi; retf E746h	2_2_0040186F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041663A pushad ; retf	2_2_00416640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00424F93 push edi; ret	2_2_00424F9E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E309AD push ecx; mov dword ptr [esp], ecx	2_2_02E309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E01368 push eax; iretd	2_2_02E01369

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002B48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_002B48D7
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_00335376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00335376

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_002D3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_002D3187

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

API/Special instruction interceptor: Address: 140FF6C

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_02E7096E rdtsc

2_2_02E7096E

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	API coverage: 4.8 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_0031445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0031445A
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_0031C6D1 FindFirstFileW,FindClose,	0_2_0031C6D1
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_0031C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0031C75C
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_0031EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0031EF95
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_0031F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0031F0F2
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_0031F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0031F3F3
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_003137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003137EF
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_00313B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00313B12
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_0031BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0031BCBC

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_002B49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002B49A0

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

API call chain: ExitProcess graph end node

graph_0-101596

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_02E7096E rdtsc

2_2_02E7096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417743 LdrLoadDll,

2_2_00417743

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_00323F09 BlockInput,

0_2_00323F09

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_002B3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_002B3B3A

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_002E5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_002E5A7C

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_002B4B37 LoadLibraryA,GetProcAddress,

0_2_002B4B37

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_014101D8 mov eax, dword ptr fs:[00000030h]	0_2_014101D8
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_01410238 mov eax, dword ptr fs:[00000030h]	0_2_01410238
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_0140EBC8 mov eax, dword ptr fs:[00000030h]	0_2_0140EBC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E402E1 mov eax, dword ptr fs:[00000030h]	2_2_02E402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E402E1 mov eax, dword ptr fs:[00000030h]	2_2_02E402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E402E1 mov eax, dword ptr fs:[00000030h]	2_2_02E402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_02E3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_02E3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_02E3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_02E3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_02E3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F062D6 mov eax, dword ptr fs:[00000030h]	2_2_02F062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E402A0 mov eax, dword ptr fs:[00000030h]	2_2_02E402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E402A0 mov eax, dword ptr fs:[00000030h]	2_2_02E402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EC62A0 mov eax, dword ptr fs:[00000030h]	2_2_02EC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EC62A0 mov ecx, dword ptr fs:[00000030h]	2_2_02EC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EC62A0 mov eax, dword ptr fs:[00000030h]	2_2_02EC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EC62A0 mov eax, dword ptr fs:[00000030h]	2_2_02EC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EC62A0 mov eax, dword ptr fs:[00000030h]	2_2_02EC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EC62A0 mov eax, dword ptr fs:[00000030h]	2_2_02EC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6E284 mov eax, dword ptr fs:[00000030h]	2_2_02E6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6E284 mov eax, dword ptr fs:[00000030h]	2_2_02E6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB0283 mov eax, dword ptr fs:[00000030h]	2_2_02EB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB0283 mov eax, dword ptr fs:[00000030h]	2_2_02EB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB0283 mov eax, dword ptr fs:[00000030h]	2_2_02EB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E34260 mov eax, dword ptr fs:[00000030h]	2_2_02E34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E34260 mov eax, dword ptr fs:[00000030h]	2_2_02E34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E34260 mov eax, dword ptr fs:[00000030h]	2_2_02E34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E2826B mov eax, dword ptr fs:[00000030h]	2_2_02E2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EE0274 mov eax, dword ptr fs:[00000030h]	2_2_02EE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EE0274 mov eax, dword ptr fs:[00000030h]	2_2_02EE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EE0274 mov eax, dword ptr fs:[00000030h]	2_2_02EE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EE0274 mov eax, dword ptr fs:[00000030h]	2_2_02EE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EE0274 mov eax, dword ptr fs:[00000030h]	2_2_02EE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EE0274 mov eax, dword ptr fs:[00000030h]	2_2_02EE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EE0274 mov eax, dword ptr fs:[00000030h]	2_2_02EE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EE0274 mov eax, dword ptr fs:[00000030h]	2_2_02EE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EE0274 mov eax, dword ptr fs:[00000030h]	2_2_02EE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EE0274 mov eax, dword ptr fs:[00000030h]	2_2_02EE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EE0274 mov eax, dword ptr fs:[00000030h]	2_2_02EE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EE0274 mov eax, dword ptr fs:[00000030h]	2_2_02EE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB8243 mov eax, dword ptr fs:[00000030h]	2_2_02EB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB8243 mov ecx, dword ptr fs:[00000030h]	2_2_02EB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F0625D mov eax, dword ptr fs:[00000030h]	2_2_02F0625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E2A250 mov eax, dword ptr fs:[00000030h]	2_2_02E2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E36259 mov eax, dword ptr fs:[00000030h]	2_2_02E36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EEA250 mov eax, dword ptr fs:[00000030h]	2_2_02EEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EEA250 mov eax, dword ptr fs:[00000030h]	2_2_02EEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E2823B mov eax, dword ptr fs:[00000030h]	2_2_02E2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E403E9 mov eax, dword ptr fs:[00000030h]	2_2_02E403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E403E9 mov eax, dword ptr fs:[00000030h]	2_2_02E403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E403E9 mov eax, dword ptr fs:[00000030h]	2_2_02E403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E403E9 mov eax, dword ptr fs:[00000030h]	2_2_02E403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E403E9 mov eax, dword ptr fs:[00000030h]	2_2_02E403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E403E9 mov eax, dword ptr fs:[00000030h]	2_2_02E403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E403E9 mov eax, dword ptr fs:[00000030h]	2_2_02E403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E403E9 mov eax, dword ptr fs:[00000030h]	2_2_02E403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_02E4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_02E4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_02E4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E663FF mov eax, dword ptr fs:[00000030h]	2_2_02E663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EEC3CD mov eax, dword ptr fs:[00000030h]	2_2_02EEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_02E3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_02E3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_02E3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_02E3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_02E3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_02E3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E383C0 mov eax, dword ptr fs:[00000030h]	2_2_02E383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E383C0 mov eax, dword ptr fs:[00000030h]	2_2_02E383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E383C0 mov eax, dword ptr fs:[00000030h]	2_2_02E383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E383C0 mov eax, dword ptr fs:[00000030h]	2_2_02E383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB63C0 mov eax, dword ptr fs:[00000030h]	2_2_02EB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EDE3DB mov eax, dword ptr fs:[00000030h]	2_2_02EDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EDE3DB mov eax, dword ptr fs:[00000030h]	2_2_02EDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EDE3DB mov ecx, dword ptr fs:[00000030h]	2_2_02EDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EDE3DB mov eax, dword ptr fs:[00000030h]	2_2_02EDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02ED43D4 mov eax, dword ptr fs:[00000030h]	2_2_02ED43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02ED43D4 mov eax, dword ptr fs:[00000030h]	2_2_02ED43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E2E388 mov eax, dword ptr fs:[00000030h]	2_2_02E2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E2E388 mov eax, dword ptr fs:[00000030h]	2_2_02E2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E2E388 mov eax, dword ptr fs:[00000030h]	2_2_02E2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5438F mov eax, dword ptr fs:[00000030h]	2_2_02E5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5438F mov eax, dword ptr fs:[00000030h]	2_2_02E5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E28397 mov eax, dword ptr fs:[00000030h]	2_2_02E28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E28397 mov eax, dword ptr fs:[00000030h]	2_2_02E28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E28397 mov eax, dword ptr fs:[00000030h]	2_2_02E28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02ED437C mov eax, dword ptr fs:[00000030h]	2_2_02ED437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB2349 mov eax, dword ptr fs:[00000030h]	2_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB2349 mov eax, dword ptr fs:[00000030h]	2_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB2349 mov eax, dword ptr fs:[00000030h]	2_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB2349 mov eax, dword ptr fs:[00000030h]	2_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB2349 mov eax, dword ptr fs:[00000030h]	2_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB2349 mov eax, dword ptr fs:[00000030h]	2_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB2349 mov eax, dword ptr fs:[00000030h]	2_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB2349 mov eax, dword ptr fs:[00000030h]	2_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB2349 mov eax, dword ptr fs:[00000030h]	2_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB2349 mov eax, dword ptr fs:[00000030h]	2_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB2349 mov eax, dword ptr fs:[00000030h]	2_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB2349 mov eax, dword ptr fs:[00000030h]	2_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB2349 mov eax, dword ptr fs:[00000030h]	2_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB2349 mov eax, dword ptr fs:[00000030h]	2_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB2349 mov eax, dword ptr fs:[00000030h]	2_2_02EB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB035C mov eax, dword ptr fs:[00000030h]	2_2_02EB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB035C mov eax, dword ptr fs:[00000030h]	2_2_02EB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB035C mov eax, dword ptr fs:[00000030h]	2_2_02EB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB035C mov ecx, dword ptr fs:[00000030h]	2_2_02EB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB035C mov eax, dword ptr fs:[00000030h]	2_2_02EB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB035C mov eax, dword ptr fs:[00000030h]	2_2_02EB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EFA352 mov eax, dword ptr fs:[00000030h]	2_2_02EFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02ED8350 mov ecx, dword ptr fs:[00000030h]	2_2_02ED8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F0634F mov eax, dword ptr fs:[00000030h]	2_2_02F0634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F08324 mov eax, dword ptr fs:[00000030h]	2_2_02F08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F08324 mov ecx, dword ptr fs:[00000030h]	2_2_02F08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F08324 mov eax, dword ptr fs:[00000030h]	2_2_02F08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F08324 mov eax, dword ptr fs:[00000030h]	2_2_02F08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6A30B mov eax, dword ptr fs:[00000030h]	2_2_02E6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6A30B mov eax, dword ptr fs:[00000030h]	2_2_02E6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6A30B mov eax, dword ptr fs:[00000030h]	2_2_02E6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E2C310 mov ecx, dword ptr fs:[00000030h]	2_2_02E2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E50310 mov ecx, dword ptr fs:[00000030h]	2_2_02E50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E2A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_02E2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E380E9 mov eax, dword ptr fs:[00000030h]	2_2_02E380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB60E0 mov eax, dword ptr fs:[00000030h]	2_2_02EB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E2C0F0 mov eax, dword ptr fs:[00000030h]	2_2_02E2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E720F0 mov ecx, dword ptr fs:[00000030h]	2_2_02E720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB20DE mov eax, dword ptr fs:[00000030h]	2_2_02EB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E280A0 mov eax, dword ptr fs:[00000030h]	2_2_02E280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EC80A8 mov eax, dword ptr fs:[00000030h]	2_2_02EC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EF60B8 mov eax, dword ptr fs:[00000030h]	2_2_02EF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EF60B8 mov ecx, dword ptr fs:[00000030h]	2_2_02EF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3208A mov eax, dword ptr fs:[00000030h]	2_2_02E3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5C073 mov eax, dword ptr fs:[00000030h]	2_2_02E5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E32050 mov eax, dword ptr fs:[00000030h]	2_2_02E32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB6050 mov eax, dword ptr fs:[00000030h]	2_2_02EB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E2A020 mov eax, dword ptr fs:[00000030h]	2_2_02E2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E2C020 mov eax, dword ptr fs:[00000030h]	2_2_02E2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EC6030 mov eax, dword ptr fs:[00000030h]	2_2_02EC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB4000 mov ecx, dword ptr fs:[00000030h]	2_2_02EB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02ED2000 mov eax, dword ptr fs:[00000030h]	2_2_02ED2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02ED2000 mov eax, dword ptr fs:[00000030h]	2_2_02ED2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02ED2000 mov eax, dword ptr fs:[00000030h]	2_2_02ED2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02ED2000 mov eax, dword ptr fs:[00000030h]	2_2_02ED2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02ED2000 mov eax, dword ptr fs:[00000030h]	2_2_02ED2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02ED2000 mov eax, dword ptr fs:[00000030h]	2_2_02ED2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02ED2000 mov eax, dword ptr fs:[00000030h]	2_2_02ED2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02ED2000 mov eax, dword ptr fs:[00000030h]	2_2_02ED2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E4E016 mov eax, dword ptr fs:[00000030h]	2_2_02E4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E4E016 mov eax, dword ptr fs:[00000030h]	2_2_02E4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E4E016 mov eax, dword ptr fs:[00000030h]	2_2_02E4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E4E016 mov eax, dword ptr fs:[00000030h]	2_2_02E4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F061E5 mov eax, dword ptr fs:[00000030h]	2_2_02F061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E601F8 mov eax, dword ptr fs:[00000030h]	2_2_02E601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EF61C3 mov eax, dword ptr fs:[00000030h]	2_2_02EF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EF61C3 mov eax, dword ptr fs:[00000030h]	2_2_02EF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_02EAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_02EAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EAE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_02EAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_02EAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_02EAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E70185 mov eax, dword ptr fs:[00000030h]	2_2_02E70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EEC188 mov eax, dword ptr fs:[00000030h]	2_2_02EEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EEC188 mov eax, dword ptr fs:[00000030h]	2_2_02EEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02ED4180 mov eax, dword ptr fs:[00000030h]	2_2_02ED4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02ED4180 mov eax, dword ptr fs:[00000030h]	2_2_02ED4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB019F mov eax, dword ptr fs:[00000030h]	2_2_02EB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB019F mov eax, dword ptr fs:[00000030h]	2_2_02EB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB019F mov eax, dword ptr fs:[00000030h]	2_2_02EB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB019F mov eax, dword ptr fs:[00000030h]	2_2_02EB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E2A197 mov eax, dword ptr fs:[00000030h]	2_2_02E2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E2A197 mov eax, dword ptr fs:[00000030h]	2_2_02E2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E2A197 mov eax, dword ptr fs:[00000030h]	2_2_02E2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F04164 mov eax, dword ptr fs:[00000030h]	2_2_02F04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F04164 mov eax, dword ptr fs:[00000030h]	2_2_02F04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EC4144 mov eax, dword ptr fs:[00000030h]	2_2_02EC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EC4144 mov eax, dword ptr fs:[00000030h]	2_2_02EC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EC4144 mov ecx, dword ptr fs:[00000030h]	2_2_02EC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EC4144 mov eax, dword ptr fs:[00000030h]	2_2_02EC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EC4144 mov eax, dword ptr fs:[00000030h]	2_2_02EC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E2C156 mov eax, dword ptr fs:[00000030h]	2_2_02E2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EC8158 mov eax, dword ptr fs:[00000030h]	2_2_02EC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E36154 mov eax, dword ptr fs:[00000030h]	2_2_02E36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E36154 mov eax, dword ptr fs:[00000030h]	2_2_02E36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E60124 mov eax, dword ptr fs:[00000030h]	2_2_02E60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EDE10E mov eax, dword ptr fs:[00000030h]	2_2_02EDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EDE10E mov ecx, dword ptr fs:[00000030h]	2_2_02EDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EDE10E mov eax, dword ptr fs:[00000030h]	2_2_02EDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EDE10E mov eax, dword ptr fs:[00000030h]	2_2_02EDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EDE10E mov ecx, dword ptr fs:[00000030h]	2_2_02EDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EDE10E mov eax, dword ptr fs:[00000030h]	2_2_02EDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EDE10E mov eax, dword ptr fs:[00000030h]	2_2_02EDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EDE10E mov ecx, dword ptr fs:[00000030h]	2_2_02EDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EDE10E mov eax, dword ptr fs:[00000030h]	2_2_02EDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EDE10E mov ecx, dword ptr fs:[00000030h]	2_2_02EDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EDA118 mov ecx, dword ptr fs:[00000030h]	2_2_02EDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EDA118 mov eax, dword ptr fs:[00000030h]	2_2_02EDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EDA118 mov eax, dword ptr fs:[00000030h]	2_2_02EDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EDA118 mov eax, dword ptr fs:[00000030h]	2_2_02EDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EF0115 mov eax, dword ptr fs:[00000030h]	2_2_02EF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_02EAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_02EAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_02EAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_02EAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB06F1 mov eax, dword ptr fs:[00000030h]	2_2_02EB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB06F1 mov eax, dword ptr fs:[00000030h]	2_2_02EB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_02E6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6A6C7 mov eax, dword ptr fs:[00000030h]	2_2_02E6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6C6A6 mov eax, dword ptr fs:[00000030h]	2_2_02E6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E666B0 mov eax, dword ptr fs:[00000030h]	2_2_02E666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E34690 mov eax, dword ptr fs:[00000030h]	2_2_02E34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E34690 mov eax, dword ptr fs:[00000030h]	2_2_02E34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EF866E mov eax, dword ptr fs:[00000030h]	2_2_02EF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EF866E mov eax, dword ptr fs:[00000030h]	2_2_02EF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6A660 mov eax, dword ptr fs:[00000030h]	2_2_02E6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6A660 mov eax, dword ptr fs:[00000030h]	2_2_02E6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E62674 mov eax, dword ptr fs:[00000030h]	2_2_02E62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E4C640 mov eax, dword ptr fs:[00000030h]	2_2_02E4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E4E627 mov eax, dword ptr fs:[00000030h]	2_2_02E4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E66620 mov eax, dword ptr fs:[00000030h]	2_2_02E66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E68620 mov eax, dword ptr fs:[00000030h]	2_2_02E68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3262C mov eax, dword ptr fs:[00000030h]	2_2_02E3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EAE609 mov eax, dword ptr fs:[00000030h]	2_2_02EAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E4260B mov eax, dword ptr fs:[00000030h]	2_2_02E4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E4260B mov eax, dword ptr fs:[00000030h]	2_2_02E4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E4260B mov eax, dword ptr fs:[00000030h]	2_2_02E4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E4260B mov eax, dword ptr fs:[00000030h]	2_2_02E4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E4260B mov eax, dword ptr fs:[00000030h]	2_2_02E4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E4260B mov eax, dword ptr fs:[00000030h]	2_2_02E4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E4260B mov eax, dword ptr fs:[00000030h]	2_2_02E4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72619 mov eax, dword ptr fs:[00000030h]	2_2_02E72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E527ED mov eax, dword ptr fs:[00000030h]	2_2_02E527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E527ED mov eax, dword ptr fs:[00000030h]	2_2_02E527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E527ED mov eax, dword ptr fs:[00000030h]	2_2_02E527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EBE7E1 mov eax, dword ptr fs:[00000030h]	2_2_02EBE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E347FB mov eax, dword ptr fs:[00000030h]	2_2_02E347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E347FB mov eax, dword ptr fs:[00000030h]	2_2_02E347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3C7C0 mov eax, dword ptr fs:[00000030h]	2_2_02E3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB07C3 mov eax, dword ptr fs:[00000030h]	2_2_02EB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E307AF mov eax, dword ptr fs:[00000030h]	2_2_02E307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EE47A0 mov eax, dword ptr fs:[00000030h]	2_2_02EE47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02ED678E mov eax, dword ptr fs:[00000030h]	2_2_02ED678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E38770 mov eax, dword ptr fs:[00000030h]	2_2_02E38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E40770 mov eax, dword ptr fs:[00000030h]	2_2_02E40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E40770 mov eax, dword ptr fs:[00000030h]	2_2_02E40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E40770 mov eax, dword ptr fs:[00000030h]	2_2_02E40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E40770 mov eax, dword ptr fs:[00000030h]	2_2_02E40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E40770 mov eax, dword ptr fs:[00000030h]	2_2_02E40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E40770 mov eax, dword ptr fs:[00000030h]	2_2_02E40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E40770 mov eax, dword ptr fs:[00000030h]	2_2_02E40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E40770 mov eax, dword ptr fs:[00000030h]	2_2_02E40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E40770 mov eax, dword ptr fs:[00000030h]	2_2_02E40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E40770 mov eax, dword ptr fs:[00000030h]	2_2_02E40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E40770 mov eax, dword ptr fs:[00000030h]	2_2_02E40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E40770 mov eax, dword ptr fs:[00000030h]	2_2_02E40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6674D mov esi, dword ptr fs:[00000030h]	2_2_02E6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6674D mov eax, dword ptr fs:[00000030h]	2_2_02E6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6674D mov eax, dword ptr fs:[00000030h]	2_2_02E6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E30750 mov eax, dword ptr fs:[00000030h]	2_2_02E30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EBE75D mov eax, dword ptr fs:[00000030h]	2_2_02EBE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72750 mov eax, dword ptr fs:[00000030h]	2_2_02E72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E72750 mov eax, dword ptr fs:[00000030h]	2_2_02E72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB4755 mov eax, dword ptr fs:[00000030h]	2_2_02EB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6C720 mov eax, dword ptr fs:[00000030h]	2_2_02E6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6C720 mov eax, dword ptr fs:[00000030h]	2_2_02E6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6273C mov eax, dword ptr fs:[00000030h]	2_2_02E6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6273C mov ecx, dword ptr fs:[00000030h]	2_2_02E6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6273C mov eax, dword ptr fs:[00000030h]	2_2_02E6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EAC730 mov eax, dword ptr fs:[00000030h]	2_2_02EAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6C700 mov eax, dword ptr fs:[00000030h]	2_2_02E6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E30710 mov eax, dword ptr fs:[00000030h]	2_2_02E30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E60710 mov eax, dword ptr fs:[00000030h]	2_2_02E60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E304E5 mov ecx, dword ptr fs:[00000030h]	2_2_02E304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E364AB mov eax, dword ptr fs:[00000030h]	2_2_02E364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E644B0 mov ecx, dword ptr fs:[00000030h]	2_2_02E644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EBA4B0 mov eax, dword ptr fs:[00000030h]	2_2_02EBA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EEA49A mov eax, dword ptr fs:[00000030h]	2_2_02EEA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EBC460 mov ecx, dword ptr fs:[00000030h]	2_2_02EBC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5A470 mov eax, dword ptr fs:[00000030h]	2_2_02E5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5A470 mov eax, dword ptr fs:[00000030h]	2_2_02E5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5A470 mov eax, dword ptr fs:[00000030h]	2_2_02E5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6E443 mov eax, dword ptr fs:[00000030h]	2_2_02E6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6E443 mov eax, dword ptr fs:[00000030h]	2_2_02E6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6E443 mov eax, dword ptr fs:[00000030h]	2_2_02E6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6E443 mov eax, dword ptr fs:[00000030h]	2_2_02E6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6E443 mov eax, dword ptr fs:[00000030h]	2_2_02E6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6E443 mov eax, dword ptr fs:[00000030h]	2_2_02E6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6E443 mov eax, dword ptr fs:[00000030h]	2_2_02E6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6E443 mov eax, dword ptr fs:[00000030h]	2_2_02E6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EEA456 mov eax, dword ptr fs:[00000030h]	2_2_02EEA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E2645D mov eax, dword ptr fs:[00000030h]	2_2_02E2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5245A mov eax, dword ptr fs:[00000030h]	2_2_02E5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E2E420 mov eax, dword ptr fs:[00000030h]	2_2_02E2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E2E420 mov eax, dword ptr fs:[00000030h]	2_2_02E2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E2E420 mov eax, dword ptr fs:[00000030h]	2_2_02E2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E2C427 mov eax, dword ptr fs:[00000030h]	2_2_02E2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB6420 mov eax, dword ptr fs:[00000030h]	2_2_02EB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB6420 mov eax, dword ptr fs:[00000030h]	2_2_02EB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB6420 mov eax, dword ptr fs:[00000030h]	2_2_02EB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB6420 mov eax, dword ptr fs:[00000030h]	2_2_02EB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB6420 mov eax, dword ptr fs:[00000030h]	2_2_02EB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB6420 mov eax, dword ptr fs:[00000030h]	2_2_02EB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB6420 mov eax, dword ptr fs:[00000030h]	2_2_02EB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6A430 mov eax, dword ptr fs:[00000030h]	2_2_02E6A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E68402 mov eax, dword ptr fs:[00000030h]	2_2_02E68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E68402 mov eax, dword ptr fs:[00000030h]	2_2_02E68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E68402 mov eax, dword ptr fs:[00000030h]	2_2_02E68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02E5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02E5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02E5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02E5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02E5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02E5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02E5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02E5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E325E0 mov eax, dword ptr fs:[00000030h]	2_2_02E325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6C5ED mov eax, dword ptr fs:[00000030h]	2_2_02E6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6C5ED mov eax, dword ptr fs:[00000030h]	2_2_02E6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6E5CF mov eax, dword ptr fs:[00000030h]	2_2_02E6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6E5CF mov eax, dword ptr fs:[00000030h]	2_2_02E6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E365D0 mov eax, dword ptr fs:[00000030h]	2_2_02E365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_02E6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_02E6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB05A7 mov eax, dword ptr fs:[00000030h]	2_2_02EB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB05A7 mov eax, dword ptr fs:[00000030h]	2_2_02EB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB05A7 mov eax, dword ptr fs:[00000030h]	2_2_02EB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E545B1 mov eax, dword ptr fs:[00000030h]	2_2_02E545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E545B1 mov eax, dword ptr fs:[00000030h]	2_2_02E545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E32582 mov eax, dword ptr fs:[00000030h]	2_2_02E32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E32582 mov ecx, dword ptr fs:[00000030h]	2_2_02E32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E64588 mov eax, dword ptr fs:[00000030h]	2_2_02E64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6E59C mov eax, dword ptr fs:[00000030h]	2_2_02E6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6656A mov eax, dword ptr fs:[00000030h]	2_2_02E6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6656A mov eax, dword ptr fs:[00000030h]	2_2_02E6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6656A mov eax, dword ptr fs:[00000030h]	2_2_02E6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E38550 mov eax, dword ptr fs:[00000030h]	2_2_02E38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E38550 mov eax, dword ptr fs:[00000030h]	2_2_02E38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E40535 mov eax, dword ptr fs:[00000030h]	2_2_02E40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E40535 mov eax, dword ptr fs:[00000030h]	2_2_02E40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E40535 mov eax, dword ptr fs:[00000030h]	2_2_02E40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E40535 mov eax, dword ptr fs:[00000030h]	2_2_02E40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E40535 mov eax, dword ptr fs:[00000030h]	2_2_02E40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E40535 mov eax, dword ptr fs:[00000030h]	2_2_02E40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5E53E mov eax, dword ptr fs:[00000030h]	2_2_02E5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5E53E mov eax, dword ptr fs:[00000030h]	2_2_02E5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5E53E mov eax, dword ptr fs:[00000030h]	2_2_02E5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5E53E mov eax, dword ptr fs:[00000030h]	2_2_02E5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5E53E mov eax, dword ptr fs:[00000030h]	2_2_02E5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EC6500 mov eax, dword ptr fs:[00000030h]	2_2_02EC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F04500 mov eax, dword ptr fs:[00000030h]	2_2_02F04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F04500 mov eax, dword ptr fs:[00000030h]	2_2_02F04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F04500 mov eax, dword ptr fs:[00000030h]	2_2_02F04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F04500 mov eax, dword ptr fs:[00000030h]	2_2_02F04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F04500 mov eax, dword ptr fs:[00000030h]	2_2_02F04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F04500 mov eax, dword ptr fs:[00000030h]	2_2_02F04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F04500 mov eax, dword ptr fs:[00000030h]	2_2_02F04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6AAEE mov eax, dword ptr fs:[00000030h]	2_2_02E6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6AAEE mov eax, dword ptr fs:[00000030h]	2_2_02E6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E86ACC mov eax, dword ptr fs:[00000030h]	2_2_02E86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E86ACC mov eax, dword ptr fs:[00000030h]	2_2_02E86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E86ACC mov eax, dword ptr fs:[00000030h]	2_2_02E86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E30AD0 mov eax, dword ptr fs:[00000030h]	2_2_02E30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E64AD0 mov eax, dword ptr fs:[00000030h]	2_2_02E64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E64AD0 mov eax, dword ptr fs:[00000030h]	2_2_02E64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E38AA0 mov eax, dword ptr fs:[00000030h]	2_2_02E38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E38AA0 mov eax, dword ptr fs:[00000030h]	2_2_02E38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E86AA4 mov eax, dword ptr fs:[00000030h]	2_2_02E86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02E3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02E3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02E3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02E3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02E3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02E3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02E3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02E3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02E3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F04A80 mov eax, dword ptr fs:[00000030h]	2_2_02F04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E68A90 mov edx, dword ptr fs:[00000030h]	2_2_02E68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6CA6F mov eax, dword ptr fs:[00000030h]	2_2_02E6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6CA6F mov eax, dword ptr fs:[00000030h]	2_2_02E6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6CA6F mov eax, dword ptr fs:[00000030h]	2_2_02E6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EDEA60 mov eax, dword ptr fs:[00000030h]	2_2_02EDEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EACA72 mov eax, dword ptr fs:[00000030h]	2_2_02EACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EACA72 mov eax, dword ptr fs:[00000030h]	2_2_02EACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E36A50 mov eax, dword ptr fs:[00000030h]	2_2_02E36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E36A50 mov eax, dword ptr fs:[00000030h]	2_2_02E36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E36A50 mov eax, dword ptr fs:[00000030h]	2_2_02E36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E36A50 mov eax, dword ptr fs:[00000030h]	2_2_02E36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E36A50 mov eax, dword ptr fs:[00000030h]	2_2_02E36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E36A50 mov eax, dword ptr fs:[00000030h]	2_2_02E36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E36A50 mov eax, dword ptr fs:[00000030h]	2_2_02E36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E40A5B mov eax, dword ptr fs:[00000030h]	2_2_02E40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E40A5B mov eax, dword ptr fs:[00000030h]	2_2_02E40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6CA24 mov eax, dword ptr fs:[00000030h]	2_2_02E6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5EA2E mov eax, dword ptr fs:[00000030h]	2_2_02E5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E54A35 mov eax, dword ptr fs:[00000030h]	2_2_02E54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E54A35 mov eax, dword ptr fs:[00000030h]	2_2_02E54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6CA38 mov eax, dword ptr fs:[00000030h]	2_2_02E6CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EBCA11 mov eax, dword ptr fs:[00000030h]	2_2_02EBCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E38BF0 mov eax, dword ptr fs:[00000030h]	2_2_02E38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E38BF0 mov eax, dword ptr fs:[00000030h]	2_2_02E38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E38BF0 mov eax, dword ptr fs:[00000030h]	2_2_02E38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5EBFC mov eax, dword ptr fs:[00000030h]	2_2_02E5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EBCBF0 mov eax, dword ptr fs:[00000030h]	2_2_02EBCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E50BCB mov eax, dword ptr fs:[00000030h]	2_2_02E50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E50BCB mov eax, dword ptr fs:[00000030h]	2_2_02E50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E50BCB mov eax, dword ptr fs:[00000030h]	2_2_02E50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E30BCD mov eax, dword ptr fs:[00000030h]	2_2_02E30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E30BCD mov eax, dword ptr fs:[00000030h]	2_2_02E30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E30BCD mov eax, dword ptr fs:[00000030h]	2_2_02E30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EDEBD0 mov eax, dword ptr fs:[00000030h]	2_2_02EDEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E40BBE mov eax, dword ptr fs:[00000030h]	2_2_02E40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E40BBE mov eax, dword ptr fs:[00000030h]	2_2_02E40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_02EE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_02EE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E2CB7E mov eax, dword ptr fs:[00000030h]	2_2_02E2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EE4B4B mov eax, dword ptr fs:[00000030h]	2_2_02EE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EE4B4B mov eax, dword ptr fs:[00000030h]	2_2_02EE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F02B57 mov eax, dword ptr fs:[00000030h]	2_2_02F02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F02B57 mov eax, dword ptr fs:[00000030h]	2_2_02F02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F02B57 mov eax, dword ptr fs:[00000030h]	2_2_02F02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F02B57 mov eax, dword ptr fs:[00000030h]	2_2_02F02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EC6B40 mov eax, dword ptr fs:[00000030h]	2_2_02EC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EC6B40 mov eax, dword ptr fs:[00000030h]	2_2_02EC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EFAB40 mov eax, dword ptr fs:[00000030h]	2_2_02EFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02ED8B42 mov eax, dword ptr fs:[00000030h]	2_2_02ED8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E28B50 mov eax, dword ptr fs:[00000030h]	2_2_02E28B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EDEB50 mov eax, dword ptr fs:[00000030h]	2_2_02EDEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5EB20 mov eax, dword ptr fs:[00000030h]	2_2_02E5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5EB20 mov eax, dword ptr fs:[00000030h]	2_2_02E5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EF8B28 mov eax, dword ptr fs:[00000030h]	2_2_02EF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EF8B28 mov eax, dword ptr fs:[00000030h]	2_2_02EF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F04B00 mov eax, dword ptr fs:[00000030h]	2_2_02F04B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02EAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02EAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02EAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02EAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02EAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02EAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02EAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02EAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02EAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EFA8E4 mov eax, dword ptr fs:[00000030h]	2_2_02EFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_02E6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_02E6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E5E8C0 mov eax, dword ptr fs:[00000030h]	2_2_02E5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F008C0 mov eax, dword ptr fs:[00000030h]	2_2_02F008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E30887 mov eax, dword ptr fs:[00000030h]	2_2_02E30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EBC89D mov eax, dword ptr fs:[00000030h]	2_2_02EBC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EBE872 mov eax, dword ptr fs:[00000030h]	2_2_02EBE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EBE872 mov eax, dword ptr fs:[00000030h]	2_2_02EBE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EC6870 mov eax, dword ptr fs:[00000030h]	2_2_02EC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EC6870 mov eax, dword ptr fs:[00000030h]	2_2_02EC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E42840 mov ecx, dword ptr fs:[00000030h]	2_2_02E42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E60854 mov eax, dword ptr fs:[00000030h]	2_2_02E60854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E34859 mov eax, dword ptr fs:[00000030h]	2_2_02E34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E34859 mov eax, dword ptr fs:[00000030h]	2_2_02E34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E52835 mov eax, dword ptr fs:[00000030h]	2_2_02E52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E52835 mov eax, dword ptr fs:[00000030h]	2_2_02E52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E52835 mov eax, dword ptr fs:[00000030h]	2_2_02E52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E52835 mov ecx, dword ptr fs:[00000030h]	2_2_02E52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E52835 mov eax, dword ptr fs:[00000030h]	2_2_02E52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E52835 mov eax, dword ptr fs:[00000030h]	2_2_02E52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E6A830 mov eax, dword ptr fs:[00000030h]	2_2_02E6A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02ED483A mov eax, dword ptr fs:[00000030h]	2_2_02ED483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02ED483A mov eax, dword ptr fs:[00000030h]	2_2_02ED483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EBC810 mov eax, dword ptr fs:[00000030h]	2_2_02EBC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EBE9E0 mov eax, dword ptr fs:[00000030h]	2_2_02EBE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E629F9 mov eax, dword ptr fs:[00000030h]	2_2_02E629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E629F9 mov eax, dword ptr fs:[00000030h]	2_2_02E629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EC69C0 mov eax, dword ptr fs:[00000030h]	2_2_02EC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_02E3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_02E3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_02E3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_02E3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_02E3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_02E3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E649D0 mov eax, dword ptr fs:[00000030h]	2_2_02E649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EFA9D3 mov eax, dword ptr fs:[00000030h]	2_2_02EFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E429A0 mov eax, dword ptr fs:[00000030h]	2_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E429A0 mov eax, dword ptr fs:[00000030h]	2_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E429A0 mov eax, dword ptr fs:[00000030h]	2_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E429A0 mov eax, dword ptr fs:[00000030h]	2_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E429A0 mov eax, dword ptr fs:[00000030h]	2_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E429A0 mov eax, dword ptr fs:[00000030h]	2_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E429A0 mov eax, dword ptr fs:[00000030h]	2_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E429A0 mov eax, dword ptr fs:[00000030h]	2_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E429A0 mov eax, dword ptr fs:[00000030h]	2_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E429A0 mov eax, dword ptr fs:[00000030h]	2_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E429A0 mov eax, dword ptr fs:[00000030h]	2_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E429A0 mov eax, dword ptr fs:[00000030h]	2_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E429A0 mov eax, dword ptr fs:[00000030h]	2_2_02E429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E309AD mov eax, dword ptr fs:[00000030h]	2_2_02E309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E309AD mov eax, dword ptr fs:[00000030h]	2_2_02E309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB89B3 mov esi, dword ptr fs:[00000030h]	2_2_02EB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB89B3 mov eax, dword ptr fs:[00000030h]	2_2_02EB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02EB89B3 mov eax, dword ptr fs:[00000030h]	2_2_02EB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E56962 mov eax, dword ptr fs:[00000030h]	2_2_02E56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E56962 mov eax, dword ptr fs:[00000030h]	2_2_02E56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E56962 mov eax, dword ptr fs:[00000030h]	2_2_02E56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02E7096E mov eax, dword ptr fs:[00000030h]	2_2_02E7096E

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_003080A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_003080A9

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002DA124 SetUnhandledExceptionFilter,		0_2_002DA124
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_002DA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_002DA155

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 291008

Jump to behavior

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_003087B1 LogonUserW,

0_2_003087B1

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_002B3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_002B3B3A

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_002B48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_002B48D7

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_00314C27 mouse_event,

0_2_00314C27

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\qI6cHJbHJg.exe"

Jump to behavior

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_00307CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00307CAF

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_0030874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0030874B

Source: qI6cHJbHJg.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: qI6cHJbHJg.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_002D862B cpuid

0_2_002D862B

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_002E4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_002E4E87

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_002F1E06 GetUserNameW,

0_2_002F1E06

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_002E3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_002E3F3A

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe

Code function: 0_2_002B49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002B49A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2002405456.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2002446421.0000000002530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: qI6cHJbHJg.exe	Binary or memory string: WIN_81
Source: qI6cHJbHJg.exe	Binary or memory string: WIN_XP
Source: qI6cHJbHJg.exe	Binary or memory string: WIN_XPe
Source: qI6cHJbHJg.exe	Binary or memory string: WIN_VISTA
Source: qI6cHJbHJg.exe	Binary or memory string: WIN_7
Source: qI6cHJbHJg.exe	Binary or memory string: WIN_8
Source: qI6cHJbHJg.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2002405456.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2002446421.0000000002530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_00326283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00326283
Source: C:\Users\user\Desktop\qI6cHJbHJg.exe	Code function: 0_2_00326747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00326747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	21 Input Capture	2 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	LSASS Memory	15 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	21 Access Token Manipulation	1 Virtualization/Sandbox Evasion	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	212 Process Injection	21 Access Token Manipulation	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	212 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	115 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
qI6cHJbHJg.exe	63%	Virustotal		Browse
qI6cHJbHJg.exe	74%	ReversingLabs	Win32.Trojan.AutoitInject
qI6cHJbHJg.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0012.t-0009.t-msedge.net	13.107.246.40	true	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588105
Start date and time:	2025-01-10 21:31:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	qI6cHJbHJg.exe renamed because original name is a hash value
Original Sample Name:	0a602309b015e92744a9a3d7df48f1d50d76c9e074ee70410e7fcc13debd8ad0.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@3/2@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 51 Number of non-executed functions: 278
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.40, 20.109.210.53, 4.175.87.197
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0012.t-0009.t-msedge.net	https://bryf.atchirlisc.ru/EeMAGvIe/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.40
	BWCStartMSI.exe	Get hash	malicious	Unknown	Browse	13.107.246.40
	taCCGTk8n1.lnk	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.40
	vQu0zndLpi.dll	Get hash	malicious	Unknown	Browse	13.107.246.40
	mtbkkesfthae.exe	Get hash	malicious	Vidar	Browse	13.107.246.40
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	13.107.246.40
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.40
	https://www.cognitoforms.com/f/fWhXKikFUk-rIZ2zs1gjVw/1	Get hash	malicious	Unknown	Browse	13.107.246.40
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	13.107.246.40
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	13.107.246.40

Process:	C:\Users\user\Desktop\qI6cHJbHJg.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.993397591654701
Encrypted:	true
SSDEEP:	6144:RmvDRcX5sV7XzrHe0ObVzgJD0JdItUaCp7Qz:M7iKOil6qaS
MD5:	A2BE99A5012D40419E4F00CD696CE211
SHA1:	CB053B88836305074030CF538A861AA2E75BF98A
SHA-256:	06FC65F4B07BC7CA7FDB61C6913491715D1F188071832E52842172686E99CA3C
SHA-512:	418F0BAEC9596843C32F81E63D4266C3D91F68ECBCAA3DE72D9DBB98A0BC2FAC79BA1F6679449EF935F480D7997915088BB0AD71B369C5BF28881C14D5EAA72D
Malicious:	false
Reputation:	low
Preview:	...NLLBXAT1A..NO.BXET1AQ.NOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNO.BXEZ.._H.F.c.D..`. '<l2*3C <h-.",71tS$q:;!l+6e.~.q%!+)lUH^.AQHNOLB!D].\|1/.r,%.x4V.K..v"?.N..t.(.X...!6..&/e%3.AQHNOLBX..1A.IOOz...T1AQHNOL.XGU:@ZHN.HBXET1AQHN.YBXED1AQ8JOLB.ET!AQHLOLDXET1AQHHOLBXET1A!LNONBXET1ASH..LBHET!AQHN_LBHET1AQH^OLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQH`;):,ET1E.LNO\BXE.5AQXNOLBXET1AQHNOLbXE41AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET

C:\Users\user\AppData\Local\Temp\piceworth

Download File

Process:	C:\Users\user\Desktop\qI6cHJbHJg.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.993397591654701
Encrypted:	true
SSDEEP:	6144:RmvDRcX5sV7XzrHe0ObVzgJD0JdItUaCp7Qz:M7iKOil6qaS
MD5:	A2BE99A5012D40419E4F00CD696CE211
SHA1:	CB053B88836305074030CF538A861AA2E75BF98A
SHA-256:	06FC65F4B07BC7CA7FDB61C6913491715D1F188071832E52842172686E99CA3C
SHA-512:	418F0BAEC9596843C32F81E63D4266C3D91F68ECBCAA3DE72D9DBB98A0BC2FAC79BA1F6679449EF935F480D7997915088BB0AD71B369C5BF28881C14D5EAA72D
Malicious:	false
Reputation:	low
Preview:	...NLLBXAT1A..NO.BXET1AQ.NOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNO.BXEZ.._H.F.c.D..`. '<l2*3C <h-.",71tS$q:;!l+6e.~.q%!+)lUH^.AQHNOLB!D].\|1/.r,%.x4V.K..v"?.N..t.(.X...!6..&/e%3.AQHNOLBX..1A.IOOz...T1AQHNOL.XGU:@ZHN.HBXET1AQHN.YBXED1AQ8JOLB.ET!AQHLOLDXET1AQHHOLBXET1A!LNONBXET1ASH..LBHET!AQHN_LBHET1AQH^OLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQH`;):,ET1E.LNO\BXE.5AQXNOLBXET1AQHNOLbXE41AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET1AQHNOLBXET

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.182746612245764
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	qI6cHJbHJg.exe
File size:	1'201'664 bytes
MD5:	5f3623ce788d663d39d5e5f0f13b78c4
SHA1:	dc6488457a2ead79d27d38327219177514abb7ea
SHA256:	0a602309b015e92744a9a3d7df48f1d50d76c9e074ee70410e7fcc13debd8ad0
SHA512:	5660ae4684db936530beb37ab1e201eca57180515e98f2ce41fe9c44e8a374ecf3aa89a0056713d84ae04450af587d8254c0d86d91ad61c536d451e2cf64ae85
SSDEEP:	24576:Gu6J33O0c+JY5UZ+XC0kGso6FawGtmRgYGujWY:Iu0c++OCvkGs9Faw2XY
TLSH:	BD45CF2273DDC360CB669173BF2AB7016EBF7C614630B85B1F980D7DA960162162D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675ACD4B [Thu Dec 12 11:47:23 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F70D0BC62EAh
jmp 00007F70D0BB90B4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F70D0BB923Ah
cmp edi, eax
jc 00007F70D0BB959Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F70D0BB9239h
rep movsb
jmp 00007F70D0BB954Ch
cmp ecx, 00000080h
jc 00007F70D0BB9404h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F70D0BB9240h
bt dword ptr [004BE324h], 01h
jc 00007F70D0BB9710h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F70D0BB93DDh
test edi, 00000003h
jne 00007F70D0BB93EEh
test esi, 00000003h
jne 00007F70D0BB93CDh
bt edi, 02h
jnc 00007F70D0BB923Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F70D0BB9243h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F70D0BB9295h
bt esi, 03h
jnc 00007F70D0BB92E8h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x5cdd4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x124000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x5cdd4	0x5ce00	955de7b8fbfe9a304ee1fe044443b13e	False	0.9297348166218035	data	7.897156642209299	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x124000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x54099	data			1.0003224709993985
RT_GROUP_ICON	0x123854	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1238cc	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1238e0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1238f4	0x14	data	English	Great Britain	1.25
RT_VERSION	0x123908	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1239e4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 21:31:57.946398020 CET	63966	53	192.168.2.9	1.1.1.1
Jan 10, 2025 21:31:57.951232910 CET	53	63966	1.1.1.1	192.168.2.9
Jan 10, 2025 21:31:57.951361895 CET	63966	53	192.168.2.9	1.1.1.1
Jan 10, 2025 21:31:57.960820913 CET	63966	53	192.168.2.9	1.1.1.1
Jan 10, 2025 21:31:57.965629101 CET	53	63966	1.1.1.1	192.168.2.9
Jan 10, 2025 21:31:58.396311045 CET	53	63966	1.1.1.1	192.168.2.9
Jan 10, 2025 21:31:58.411618948 CET	63966	53	192.168.2.9	1.1.1.1
Jan 10, 2025 21:31:58.416584969 CET	53	63966	1.1.1.1	192.168.2.9
Jan 10, 2025 21:31:58.416695118 CET	63966	53	192.168.2.9	1.1.1.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 21:31:57.944236040 CET	53	62371	1.1.1.1	192.168.2.9

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 21:31:58.396311045 CET	1.1.1.1	192.168.2.9	0x1	No error (0)	shed.dual-low.s-part-0012.t-0009.t-msedge.net	s-part-0012.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 21:31:58.396311045 CET	1.1.1.1	192.168.2.9	0x1	No error (0)	s-part-0012.t-0009.t-msedge.net		13.107.246.40	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	15:32:01
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\qI6cHJbHJg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\qI6cHJbHJg.exe"
Imagebase:	0x2b0000
File size:	1'201'664 bytes
MD5 hash:	5F3623CE788D663D39D5E5F0F13B78C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:32:04
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\qI6cHJbHJg.exe"
Imagebase:	0x520000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2002405456.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2002446421.0000000002530000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	1.2%
Signature Coverage:	8.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	62

Executed Functions

Function 002B3B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002B3B68
IsDebuggerPresent.KERNEL32 ref: 002B3B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,003752F8,003752E0,?,?), ref: 002B3BEB

Part of subcall function 002B7BCC: _memmove.LIBCMT ref: 002B7C06

Part of subcall function 002C092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,002B3C14,003752F8,?,?,?), ref: 002C096E

SetCurrentDirectoryW.KERNEL32(?), ref: 002B3C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00367770,00000010), ref: 002ED281
SetCurrentDirectoryW.KERNEL32(?,003752F8,?,?,?), ref: 002ED2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00364260,003752F8,?,?,?), ref: 002ED33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 002ED346

Part of subcall function 002B3A46: GetSysColorBrush.USER32(0000000F), ref: 002B3A50
Part of subcall function 002B3A46: LoadCursorW.USER32(00000000,00007F00), ref: 002B3A5F
Part of subcall function 002B3A46: LoadIconW.USER32(00000063), ref: 002B3A76
Part of subcall function 002B3A46: LoadIconW.USER32(000000A4), ref: 002B3A88
Part of subcall function 002B3A46: LoadIconW.USER32(000000A2), ref: 002B3A9A
Part of subcall function 002B3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002B3AC0
Part of subcall function 002B3A46: RegisterClassExW.USER32(?), ref: 002B3B16

Part of subcall function 002B39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002B3A03
Part of subcall function 002B39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002B3A24
Part of subcall function 002B39D5: ShowWindow.USER32(00000000,?,?), ref: 002B3A38
Part of subcall function 002B39D5: ShowWindow.USER32(00000000,?,?), ref: 002B3A41

Part of subcall function 002B434A: _memset.LIBCMT ref: 002B4370
Part of subcall function 002B434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002B4415

Strings

This is a third-party compiled AutoIt script., xrefs: 002ED279
%4, xrefs: 002B3C44
runas, xrefs: 002ED33A

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%4
API String ID: 529118366-2314548288
Opcode ID: ad1b51032b9b6b9f21b1e5aa88762a417b2746cae902473b0c375d2e82e7bc78
Instruction ID: 0f3a10483a9a77b48c249b6e3aea5cede4d94cb8b4a80102e02507ccaad3a276
Opcode Fuzzy Hash: ad1b51032b9b6b9f21b1e5aa88762a417b2746cae902473b0c375d2e82e7bc78
Instruction Fuzzy Hash: 69512630D24249AEDB26EBF4DC45EED7B78AF44790F40846AF415B21A3CAB05661CF20

Function 002B49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 002B49CD

Part of subcall function 002B7BCC: _memmove.LIBCMT ref: 002B7C06

GetCurrentProcess.KERNEL32(?,0033FAEC,00000000,00000000,?), ref: 002B4A9A
IsWow64Process.KERNEL32(00000000), ref: 002B4AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 002B4AE7
FreeLibrary.KERNEL32(00000000), ref: 002B4AF2
GetSystemInfo.KERNEL32(00000000), ref: 002B4B23
GetSystemInfo.KERNEL32(00000000), ref: 002B4B2F

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: d02a324e1006189ef5e8c140a54c966e76bc7ec09489c90f8165889b17f71321
Instruction ID: 1689bed930726c78d2fb648f1989527f3f08d04c35d3655235da23899e1b118c
Opcode Fuzzy Hash: d02a324e1006189ef5e8c140a54c966e76bc7ec09489c90f8165889b17f71321
Instruction Fuzzy Hash: 1091E6319A97C1DEC731EF7884A01EAFFF5AF2A340F84496DD0C793A42D260A558C759

Function 002B4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,002B4D8E,?,?,00000000,00000000), ref: 002B4E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,002B4D8E,?,?,00000000,00000000), ref: 002B4EB0
LoadResource.KERNEL32(?,00000000,?,?,002B4D8E,?,?,00000000,00000000,?,?,?,?,?,?,002B4E2F), ref: 002ED937
SizeofResource.KERNEL32(?,00000000,?,?,002B4D8E,?,?,00000000,00000000,?,?,?,?,?,?,002B4E2F), ref: 002ED94C
LockResource.KERNEL32(002B4D8E,?,?,002B4D8E,?,?,00000000,00000000,?,?,?,?,?,?,002B4E2F,00000000), ref: 002ED95F

Strings

SCRIPT, xrefs: 002B4EA6

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: a5bf058c34571d6897eac299457281e9553ae4e40e50abaee8b9e804f6a69540
Instruction ID: 0122625653d9f12f19ed78953aeae387fbadcc16485c543c263e41697b1fee76
Opcode Fuzzy Hash: a5bf058c34571d6897eac299457281e9553ae4e40e50abaee8b9e804f6a69540
Instruction Fuzzy Hash: 23119A74640701BFE7229F65EC88FA77BBEFBC5B51F204668F406C6261DB61E8008A60

Function 002BFCE0 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

pb7, xrefs: 002F49B9
%4, xrefs: 002BFCF3

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: BuffCharUpper
String ID: pb7$%4
API String ID: 3964851224-2664033170
Opcode ID: 13b2b883b3374f2d4cfa37385c5979edc96da55396743a0a07605e844e9c20ef
Instruction ID: 1636709e7a356a21abdbb28c4dee97cb64d8b7031c865c6c2773fb96570954ee
Opcode Fuzzy Hash: 13b2b883b3374f2d4cfa37385c5979edc96da55396743a0a07605e844e9c20ef
Instruction Fuzzy Hash: F2926970628341CFD720DF14C480B6AB7E5BF89344F14896DE99A8B362D7B1EC65CB92

Function 002BE6A0 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Dd7, xrefs: 002BEAC1
Variable must be of type 'Object'., xrefs: 002F3E62
Dd7, xrefs: 002BEABA
Dd7, xrefs: 002F3AF5
Dd7, xrefs: 002F3B2E

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID:
String ID: Dd7$Dd7$Dd7$Dd7$Variable must be of type 'Object'.
API String ID: 0-3687393284
Opcode ID: 93e0b5058c70b2d2861b824a8f3e625c809efb632c9e5f1a6b1b2b404a2e2dd3
Instruction ID: 79fdb24860284781f347b401f7ed50be7a94d0e513b32ea90724c5474a7ab3a2
Opcode Fuzzy Hash: 93e0b5058c70b2d2861b824a8f3e625c809efb632c9e5f1a6b1b2b404a2e2dd3
Instruction Fuzzy Hash: 55A28D74A2020ACFCF24CF58C490AEAB7B5FF58394F258469D9199B351D770EDA2CB90

Function 0031445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,002EE398), ref: 0031446A
FindFirstFileW.KERNELBASE(?,?), ref: 0031447B
FindClose.KERNEL32(00000000), ref: 0031448B

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 6d46eaac7fc394f5b2a0ac1588b0aa2b76d3b85ff0097177a545c6bc0a9c90a3
Instruction ID: 75b03522e5544ac8c6c3e17c03dca0b386747db0d81010b6ae32078d93fd7214
Opcode Fuzzy Hash: 6d46eaac7fc394f5b2a0ac1588b0aa2b76d3b85ff0097177a545c6bc0a9c90a3
Instruction Fuzzy Hash: DDE0D837814501AB82156B38EC4D8EA775C9F09335F500B15F835C20E0EB74994096D5

Function 002C09D0 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002C0A5B
timeGetTime.WINMM ref: 002C0D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002C0E53
Sleep.KERNEL32(0000000A), ref: 002C0E61
LockWindowUpdate.USER32(00000000,?,?), ref: 002C0EFA
DestroyWindow.USER32 ref: 002C0F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002C0F20
Sleep.KERNEL32(0000000A,?,?), ref: 002F4E83
TranslateMessage.USER32(?), ref: 002F5C60
DispatchMessageW.USER32(?), ref: 002F5C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002F5C82

Strings

@GUI_WINHANDLE, xrefs: 002F4F8F
@GUI_CTRLHANDLE, xrefs: 002F4FE4
@GUI_CTRLID, xrefs: 002F4F3A
pb7, xrefs: 002F4F59
@COM_EVENTOBJ, xrefs: 002F54F0
pb7, xrefs: 002F57B4
pb7, xrefs: 002F5003
@TRAY_ID, xrefs: 002F578F
pb7, xrefs: 002F4FAE

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb7$pb7$pb7$pb7
API String ID: 4212290369-647323737
Opcode ID: 0514c26b6a670660457baed37abd82d3fc69acd49179aa95f8fc99504da5d156
Instruction ID: f70a0babb62a0a0dbfc8290073ff8c1bab0ff70a51fb034f4ff83a2efe45cf3c
Opcode Fuzzy Hash: 0514c26b6a670660457baed37abd82d3fc69acd49179aa95f8fc99504da5d156
Instruction Fuzzy Hash: 34B2D570624746DFD729DF24C885FAAF7E4BF84344F144A2DE659872A1C770E8A4CB82

Function 00319155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00318F5F: __time64.LIBCMT ref: 00318F69

Part of subcall function 002B4EE5: _fseek.LIBCMT ref: 002B4EFD

__wsplitpath.LIBCMT ref: 00319234

Part of subcall function 002D40FB: __wsplitpath_helper.LIBCMT ref: 002D413B

_wcscpy.LIBCMT ref: 00319247
_wcscat.LIBCMT ref: 0031925A
__wsplitpath.LIBCMT ref: 0031927F
_wcscat.LIBCMT ref: 00319295
_wcscat.LIBCMT ref: 003192A8

Part of subcall function 00318FA5: _memmove.LIBCMT ref: 00318FDE
Part of subcall function 00318FA5: _memmove.LIBCMT ref: 00318FED

_wcscmp.LIBCMT ref: 003191EF

Part of subcall function 00319734: _wcscmp.LIBCMT ref: 00319824
Part of subcall function 00319734: _wcscmp.LIBCMT ref: 00319837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00319452
_wcsncpy.LIBCMT ref: 003194C5
DeleteFileW.KERNEL32(?,?), ref: 003194FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00319511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00319522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00319534

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: f8e1e6785b6716af2aad9416f017213f0275f58ff3f4ea0115add4c93ae3daf9
Instruction ID: 122e8a6936674917f18fd9ad814155055e618a42774ba1dd1868bd27309828a1
Opcode Fuzzy Hash: f8e1e6785b6716af2aad9416f017213f0275f58ff3f4ea0115add4c93ae3daf9
Instruction Fuzzy Hash: 48C15BB1D00219AACF26DF95CC95ADEB7BDEF59340F0040AAF609E7241DB309A948F65

Function 002B3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 002B3074
RegisterClassExW.USER32(00000030), ref: 002B309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002B30AF
InitCommonControlsEx.COMCTL32(?), ref: 002B30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002B30DC
LoadIconW.USER32(000000A9), ref: 002B30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002B3101

Strings

TaskbarCreated, xrefs: 002B30A4
0, xrefs: 002B3056
AutoIt v3 GUI, xrefs: 002B3090
+, xrefs: 002B305D

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: fb6609bd788b1c4e13e4ee3c6441ff0842b4b216bd04be2d08e3cb66c1a39729
Instruction ID: 258eb78dfe426b99255fd6de924f90bfa0c31316091b1c8af14dc147c70cdbc2
Opcode Fuzzy Hash: fb6609bd788b1c4e13e4ee3c6441ff0842b4b216bd04be2d08e3cb66c1a39729
Instruction Fuzzy Hash: 3E314771D44349AFDB12CFA4E888A89BBF8FB09310F14456EE584E62A1D3B54585CF51

Function 002B3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 002B3074
RegisterClassExW.USER32(00000030), ref: 002B309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002B30AF
InitCommonControlsEx.COMCTL32(?), ref: 002B30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002B30DC
LoadIconW.USER32(000000A9), ref: 002B30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002B3101

Strings

TaskbarCreated, xrefs: 002B30A4
0, xrefs: 002B3056
AutoIt v3 GUI, xrefs: 002B3090
+, xrefs: 002B305D

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: ad35b0ecf83525f59192ac49193775a4bfd87e12ae5f49a0ec6ad9fd58e6b6a3
Instruction ID: 40d858793f680c3e6f61ef5d74cd73ec83db52d9e1a3b81d3ccdb1b6b1e0f29c
Opcode Fuzzy Hash: ad35b0ecf83525f59192ac49193775a4bfd87e12ae5f49a0ec6ad9fd58e6b6a3
Instruction Fuzzy Hash: D121C7B1D11318AFDB16DFA8ED89BDDBBF8FB08700F40412AF915A62A0D7B145848F91

Function 002B708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002B4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003752F8,?,002B37AE,?), ref: 002B4724

Part of subcall function 002D050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,002B7165), ref: 002D052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 002B71A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 002EE8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002EE909
RegCloseKey.ADVAPI32(?), ref: 002EE947
_wcscat.LIBCMT ref: 002EE9A0

Strings

\Include\, xrefs: 002B7165
Software\AutoIt v3\AutoIt, xrefs: 002B719E
Include, xrefs: 002EE8BF, 002EE900
\, xrefs: 002EE9C3

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 8670dafca5109f4f0c65bb54920183578b423b4271cdc8feb1a4263e3d9fbbd7
Instruction ID: ea0d8b2c3c0d2b37188db3869c62bd5e5a3064586e90fa575e34ff763289b783
Opcode Fuzzy Hash: 8670dafca5109f4f0c65bb54920183578b423b4271cdc8feb1a4263e3d9fbbd7
Instruction Fuzzy Hash: 8171AF714187019EC751EF25E8929ABB7ECFF84350F80092EF449972B2DB719998CF51

Function 002B3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 002B36D2
KillTimer.USER32(?,00000001), ref: 002B36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002B371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002B372A
CreatePopupMenu.USER32 ref: 002B373E
PostQuitMessage.USER32(00000000), ref: 002B374D

Strings

TaskbarCreated, xrefs: 002B3725
%4, xrefs: 002ED081, 002ED0CF

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%4
API String ID: 129472671-1770572163
Opcode ID: bb3243c1e2c2fcb8ed1952cfa82235b4900fe14fa395d8f2ec15d177d76345ae
Instruction ID: 507c2e8222475892084a12c9f66c23c2b6957e4fbb79af0a32db1dbf4972ead0
Opcode Fuzzy Hash: bb3243c1e2c2fcb8ed1952cfa82235b4900fe14fa395d8f2ec15d177d76345ae
Instruction Fuzzy Hash: 424159B1230906BFDB2AEF24DC49BF9375CEB00380F940525F506D62A2CFE49DB0A665

Function 002B3A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 002B3A50
LoadCursorW.USER32(00000000,00007F00), ref: 002B3A5F
LoadIconW.USER32(00000063), ref: 002B3A76
LoadIconW.USER32(000000A4), ref: 002B3A88
LoadIconW.USER32(000000A2), ref: 002B3A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002B3AC0
RegisterClassExW.USER32(?), ref: 002B3B16

Part of subcall function 002B3041: GetSysColorBrush.USER32(0000000F), ref: 002B3074
Part of subcall function 002B3041: RegisterClassExW.USER32(00000030), ref: 002B309E
Part of subcall function 002B3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002B30AF
Part of subcall function 002B3041: InitCommonControlsEx.COMCTL32(?), ref: 002B30CC
Part of subcall function 002B3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002B30DC
Part of subcall function 002B3041: LoadIconW.USER32(000000A9), ref: 002B30F2
Part of subcall function 002B3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002B3101

Strings

#, xrefs: 002B3AFB
AutoIt v3, xrefs: 002B3B05
0, xrefs: 002B3AF4

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 9ec4e07afcf17d106bc96555054a9fd932ec3ab81336e5cc238f8909ed0dea03
Instruction ID: c1b6278eb48858528ef54cdca5955017b9fa5644063cffddc0f03dfcd2969df8
Opcode Fuzzy Hash: 9ec4e07afcf17d106bc96555054a9fd932ec3ab81336e5cc238f8909ed0dea03
Instruction Fuzzy Hash: 1D214D70D10304AFEB26DFA4EC49B9D7BF9FB08751F10091AE608A62A2D7F655909F84

Function 002B3766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteLine, xrefs: 002B38A7
/AutoIt3ExecuteScript, xrefs: 002B38BC
/ErrorStdOut, xrefs: 002B387D
R7, xrefs: 002ED213
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 002B37AE
/AutoIt3OutputDebug, xrefs: 002B3892
CMDLINERAW, xrefs: 002B37FB
CMDLINE, xrefs: 002B3822

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R7
API String ID: 1825951767-761371267
Opcode ID: de2720bd6329737929db2b381045296deca83afbd0e18396c3f88cba4a42517c
Instruction ID: b26f58b54c4a05a9f4f3b5a8580adda883b9efc9f5dd887244d9a38d19c61e01
Opcode Fuzzy Hash: de2720bd6329737929db2b381045296deca83afbd0e18396c3f88cba4a42517c
Instruction Fuzzy Hash: 2CA17C71D2021D9ADF15EBA0DC95AEEB778BF14380F44042AF415B7192EF74AA58CFA0

Function 002BF76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002D0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 002D0193
Part of subcall function 002D0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 002D019B
Part of subcall function 002D0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 002D01A6
Part of subcall function 002D0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 002D01B1
Part of subcall function 002D0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 002D01B9
Part of subcall function 002D0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 002D01C1

Part of subcall function 002C60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,002BF930), ref: 002C6154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 002BF9CD
OleInitialize.OLE32(00000000), ref: 002BFA4A
CloseHandle.KERNEL32(00000000), ref: 002F45C8

Strings

S7, xrefs: 002BF7EB
\T7, xrefs: 002BF7F7
%4, xrefs: 002BF796, 002BF7A8, 002BF96E, 002BFA51
<W7, xrefs: 002BF930

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <W7$\T7$%4$S7
API String ID: 1986988660-1010537161
Opcode ID: 3a26eb5b0d1c5dc265dbd551293b67fcf0797dfe50c96f2d7326f8e7b5acb21c
Instruction ID: 5c167ff676957e09f779a305237569d895fa88a2b705af94627f53da6f2f4974
Opcode Fuzzy Hash: 3a26eb5b0d1c5dc265dbd551293b67fcf0797dfe50c96f2d7326f8e7b5acb21c
Instruction Fuzzy Hash: CA81BDB4911A80CEE3BEDF2AA9456597BEDEB99306F90852E900DCB271E7F444C5CF10

Function 0140F328 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0140F3F9
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0140F61F

Memory Dump Source

Source File: 00000000.00000002.1400762567.000000000140C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0140C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140c000_qI6cHJbHJg.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction ID: 1f6923e70d64622c16069495fefc05df96e480aec53a4b148b38ebc4202499f2
Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction Fuzzy Hash: 5AA13A70E00209EBDB25CFA9C994BEEBBB5BF48304F20816AE505BB2D1D7759A45CF50

Function 002B39D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002B3A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002B3A24
ShowWindow.USER32(00000000,?,?), ref: 002B3A38
ShowWindow.USER32(00000000,?,?), ref: 002B3A41

Strings

edit, xrefs: 002B3A1E
AutoIt v3, xrefs: 002B39FB, 002B3A00, 002B3A01

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 4a1a8d8a4d1328e4faf76af352111efe92d0f6becce8b6ed1de4f6cb0cbecf5e
Instruction ID: 9ad01a35aa0a0c7de8854ff6a4c719cb15bcd481313074ebd329fdc5103dcaa8
Opcode Fuzzy Hash: 4a1a8d8a4d1328e4faf76af352111efe92d0f6becce8b6ed1de4f6cb0cbecf5e
Instruction Fuzzy Hash: 3CF03A709002907EEA3257236C89E6B2E7DD7C6F50F00042EFA08A2271C6A10880DAB0

Function 0140F108 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 139
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0140EFF8: Sleep.KERNELBASE(000001F4), ref: 0140F009

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0140F215

Strings

AQHNOLBXET1, xrefs: 0140F278, 0140F27B

Memory Dump Source

Source File: 00000000.00000002.1400762567.000000000140C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0140C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140c000_qI6cHJbHJg.jbxd

Similarity

API ID: CreateFileSleep
String ID: AQHNOLBXET1
API String ID: 2694422964-1824645079
Opcode ID: ad5272dd2fb2605ba5188c579832af19ede6143720d03267a9e42c67a89001bd
Instruction ID: efc7c81fd4108bbd45ff6c848f3690ab6b918d0fcc94d67d59fd5f1c7e769058
Opcode Fuzzy Hash: ad5272dd2fb2605ba5188c579832af19ede6143720d03267a9e42c67a89001bd
Instruction Fuzzy Hash: D3518E71D14249EBEF21DBE4C804BEFBB74AF58300F0041A9E608BB2D0D6791B49CBA5

Function 002B407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002ED3D7

Part of subcall function 002B7BCC: _memmove.LIBCMT ref: 002B7C06

_memset.LIBCMT ref: 002B40FC
_wcscpy.LIBCMT ref: 002B4150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002B4160

Strings

Line: , xrefs: 002ED400

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 8a8acb037c98305a03886e5e455416303a6b772a0755525a90df54e3710cf065
Instruction ID: 2dc2b460a9c8e2801483f3d9f51fc0ecf7e357f5c9268bd72c0a2a8bb7aeb7fa
Opcode Fuzzy Hash: 8a8acb037c98305a03886e5e455416303a6b772a0755525a90df54e3710cf065
Instruction Fuzzy Hash: E831E131428301AFD335FB60DC85FDA77ECAF50340F10491AF58992092DBB0A6A8CB82

Function 002B686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 002B4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,003752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 002B4E0F

_free.LIBCMT ref: 002EE263
_free.LIBCMT ref: 002EE2AA

Part of subcall function 002B6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 002B6BAD

Strings

Bad directive syntax error, xrefs: 002EE292
>>>AUTOIT SCRIPT<<<, xrefs: 002EE039

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: a5e245c0247a8ebd00dc44777bdaf5bb1c181250d3a8820c9151714e45a095b1
Instruction ID: 9fad2a77162eb878343a2b32ab5d6f2aa1c9dc299fed311e91db6c29b1b8c33e
Opcode Fuzzy Hash: a5e245c0247a8ebd00dc44777bdaf5bb1c181250d3a8820c9151714e45a095b1
Instruction Fuzzy Hash: 9A919C7192025AAFCF05EFA5C8819EDB7B8FF09350F44442AF815AB2A1DB70AD65CF50

Function 002B35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,002B35A1,SwapMouseButtons,00000004,?), ref: 002B35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,002B35A1,SwapMouseButtons,00000004,?,?,?,?,002B2754), ref: 002B35F5
RegCloseKey.KERNELBASE(00000000,?,?,002B35A1,SwapMouseButtons,00000004,?,?,?,?,002B2754), ref: 002B3617

Strings

Control Panel\Mouse, xrefs: 002B35D2

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: d3d484723adc5c6ce137b7e6d6d22cc01081acdf811ba0c89af85e50a6892fb4
Instruction ID: f0d5e4fa558c64a47a95372e2b6a31db996d8bdd9e7d33acbf67787f263ca491
Opcode Fuzzy Hash: d3d484723adc5c6ce137b7e6d6d22cc01081acdf811ba0c89af85e50a6892fb4
Instruction Fuzzy Hash: 0D1148B5920208BFDB21CF68DC80AEEB7BCEF04780F005469E805D7210D2719E609764

Function 0140DFF8 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0140E7B3
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0140E849
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0140E86B

Memory Dump Source

Source File: 00000000.00000002.1400762567.000000000140C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0140C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140c000_qI6cHJbHJg.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
Instruction ID: af7366d888eb3c2a5f8464aa53e81548d75261bb94a4db3e43a13945bf56ef3a
Opcode Fuzzy Hash: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
Instruction Fuzzy Hash: 8362FA30A14618DBEB25CFA5C840BDEB772EF58300F1095A9D10DEB3E0E6799E91CB59

Function 0031955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 002B4EE5: _fseek.LIBCMT ref: 002B4EFD

Part of subcall function 00319734: _wcscmp.LIBCMT ref: 00319824
Part of subcall function 00319734: _wcscmp.LIBCMT ref: 00319837

_free.LIBCMT ref: 003196A2
_free.LIBCMT ref: 003196A9
_free.LIBCMT ref: 00319714

Part of subcall function 002D2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,002D9A24), ref: 002D2D69
Part of subcall function 002D2D55: GetLastError.KERNEL32(00000000,?,002D9A24), ref: 002D2D7B

_free.LIBCMT ref: 0031971C

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 121824b4c9348d1951f16e82c59d229563d9d814a262f44a93a273b4d16a6702
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: A5513DB1914258AFDF299F64CC81AEEBB7AEF48340F10449EB609A7341DB715A90CF58

Function 002D470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002D47A0
__flush.LIBCMT ref: 002D47C0
__write.LIBCMT ref: 002D47F3
__flsbuf.LIBCMT ref: 002D4821

Part of subcall function 002D8B28: __getptd_noexit.LIBCMT ref: 002D8B28

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: c7300264d6d95afa1bc1ead20d36b61613f3e13a1ae68ada9a3263b25cdc6360
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: C641D634A207469BEF18EF69CC809AEB7A6EF453A4B24813FE819C7740D770DD609B40

Function 002B44A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002B44CF

Part of subcall function 002B407C: _memset.LIBCMT ref: 002B40FC
Part of subcall function 002B407C: _wcscpy.LIBCMT ref: 002B4150
Part of subcall function 002B407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002B4160

KillTimer.USER32(?,00000001,?,?), ref: 002B4524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002B4533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002ED4B9

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 5093fba244b659ec87228d1360fc7c99f1144d4fb72480f5b69f0c03958fa701
Instruction ID: ab9d842af954d8bfbdf72f59448fc96fd8da29a7617d64b533265a1b2bd85f3c
Opcode Fuzzy Hash: 5093fba244b659ec87228d1360fc7c99f1144d4fb72480f5b69f0c03958fa701
Instruction Fuzzy Hash: 532107709547849FEB339F248885BE6BBECAF21344F44049DE6CE56182C3B42994DB51

Function 002B4C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002B4CBA

Strings

AU3!P/4, xrefs: 002B4CB4
EA06, xrefs: 002ED8CC

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/4$EA06
API String ID: 4104443479-3315824915
Opcode ID: 5722fccd02888a869ff5a990403d677dec3e3b0bc7b4667da70665a5cd835341
Instruction ID: 1d4c1c82888e961e09f605195dcb2c33686322c05092db450b9b1776fec5015b
Opcode Fuzzy Hash: 5722fccd02888a869ff5a990403d677dec3e3b0bc7b4667da70665a5cd835341
Instruction Fuzzy Hash: 7A416B21A2415A67CF22BF54C8E17FE7FB29B45380F684465EC829B283D6609D6487A1

Function 002B7285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002EEA39
GetOpenFileNameW.COMDLG32(?), ref: 002EEA83

Part of subcall function 002B4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002B4743,?,?,002B37AE,?), ref: 002B4770

Part of subcall function 002D0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002D07B0

Strings

X, xrefs: 002EEA51

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: fbf3cffd04f0d9795ced78af0f71da17b592c1034414ff4b2cf6f52ff67f8565
Instruction ID: 2aa9413767a8a25dd556aa485dbcf716b9a65601c4924ecf2e45dc7964965e33
Opcode Fuzzy Hash: fbf3cffd04f0d9795ced78af0f71da17b592c1034414ff4b2cf6f52ff67f8565
Instruction Fuzzy Hash: 1D21C630A202889BDF019F94D845BDE7BF9AF48314F00405AE408A7341DBF45999CFA1

Function 003198E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 003198F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0031990F

Strings

aut, xrefs: 00319909

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 3ffc50a1c51049642a710220ab9e4248250d63e7e29368fe2e3e435e0215caa2
Instruction ID: a97877f6e38efe8277735bcf569051a12f58f424dca6e16deb30132b56b8f1df
Opcode Fuzzy Hash: 3ffc50a1c51049642a710220ab9e4248250d63e7e29368fe2e3e435e0215caa2
Instruction Fuzzy Hash: 2ED05E7994030DAFDB619BA0DC4EFEBB73CE704700F4046B1BA54D20A1EAB095988B91

Function 0032CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d6d90cd4cb5adf509d653c003157bfbe3627cd806ea9c1483d9c23458ae538
Instruction ID: 84b90acb734ee2f3946e00f08e564cd3472c187d993f697f97cd67da6e666284
Opcode Fuzzy Hash: 41d6d90cd4cb5adf509d653c003157bfbe3627cd806ea9c1483d9c23458ae538
Instruction Fuzzy Hash: 4AF14470A083119FCB15DF28D480A6EBBE5FF89314F55892EF8999B252D730E945CF82

Function 002B434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002B4370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 002B4415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 002B4432

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: ca7ea1a0041ef746c6f84c5cf4dad4bb0cf36976a40257e07bf5b3aa336300c1
Instruction ID: 48928f659af0f11d8a09fad13773d2dc4e36dfffa32595fd657da6fcad37f511
Opcode Fuzzy Hash: ca7ea1a0041ef746c6f84c5cf4dad4bb0cf36976a40257e07bf5b3aa336300c1
Instruction Fuzzy Hash: 88316FB05147018FD725EF24D8846DBBBF8FB58348F100D2EE59A86252E7B1A994CB52

Function 002D571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 002D5733

Part of subcall function 002DA16B: __NMSG_WRITE.LIBCMT ref: 002DA192
Part of subcall function 002DA16B: __NMSG_WRITE.LIBCMT ref: 002DA19C

__NMSG_WRITE.LIBCMT ref: 002D573A

Part of subcall function 002DA1C8: GetModuleFileNameW.KERNEL32(00000000,003733BA,00000104,?,00000001,00000000), ref: 002DA25A
Part of subcall function 002DA1C8: ___crtMessageBoxW.LIBCMT ref: 002DA308

Part of subcall function 002D309F: ___crtCorExitProcess.LIBCMT ref: 002D30A5
Part of subcall function 002D309F: ExitProcess.KERNEL32 ref: 002D30AE

Part of subcall function 002D8B28: __getptd_noexit.LIBCMT ref: 002D8B28

RtlAllocateHeap.NTDLL(01380000,00000000,00000001,00000000,?,?,?,002D0DD3,?), ref: 002D575F

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 740d9bee2b3bbaf52ad7936d423a9620bc0d94b848649a7d13cd5238299098bf
Instruction ID: abb969e0ccca721303dc3b04e03391036e1bdea7c60b64a049f00d5fe02c2f72
Opcode Fuzzy Hash: 740d9bee2b3bbaf52ad7936d423a9620bc0d94b848649a7d13cd5238299098bf
Instruction Fuzzy Hash: E601F931630B22DAF6116B35EC42B6DB74C8B42361F200427F409D6381DEF0CC609A61

Function 003198A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00319548,?,?,?,?,?,00000004), ref: 003198BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00319548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 003198D1
CloseHandle.KERNEL32(00000000,?,00319548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 003198D8

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 51fd767febe7e22b5d188d4aebff12b1cbd004f167042e980b60a7e2a313fb34
Instruction ID: cf04f3b4e64b49de62ce39f659b88ebe75c43e35597500c92ca85c449cee6f39
Opcode Fuzzy Hash: 51fd767febe7e22b5d188d4aebff12b1cbd004f167042e980b60a7e2a313fb34
Instruction Fuzzy Hash: 43E08632940214BBD7231B54EC49FDA7B5DAB06770F104220FB14690E087B125119798

Function 00318D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00318D1B

Part of subcall function 002D2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,002D9A24), ref: 002D2D69
Part of subcall function 002D2D55: GetLastError.KERNEL32(00000000,?,002D9A24), ref: 002D2D7B

_free.LIBCMT ref: 00318D2C
_free.LIBCMT ref: 00318D3E

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 0a1358aabe0cc68c0862a1c260fd5d50e61b0c8675794d717dff68ee5027af21
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 1FE012A161170186CB29A678B940AD353DD4F6D352715091EB40DD7286CE64FC968528

Function 002BA9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 002EFC01

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: e1142d129bba4067ef785064034898b475f170ecf00f4c83e1ca25b134db5944
Instruction ID: 57e61222cfcb2ae4f31df6efa16ef4aed8ea00b68c7b2f9f4869fec9373d2f6c
Opcode Fuzzy Hash: e1142d129bba4067ef785064034898b475f170ecf00f4c83e1ca25b134db5944
Instruction Fuzzy Hash: 8D226A70528341DFC725DF14C490BAABBE1BF48384F14896DE99A8B362D771EC64CB82

Function 002B7A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002B7AAB
_memmove.LIBCMT ref: 002B7B16

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
Instruction ID: 0d63f9f61eb20721fc35e7f066889ddf9372406f2ffb0c26b67c2b7a2cc4327f
Opcode Fuzzy Hash: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
Instruction Fuzzy Hash: B43189B1624506AFC744DF68C8D1E69F3A5FF88350B15862AE519CB391DB70ED70CB90

Function 002B47D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 002B4834

Part of subcall function 002D336C: __lock.LIBCMT ref: 002D3372
Part of subcall function 002D336C: DecodePointer.KERNEL32(00000001,?,002B4849,00307C74), ref: 002D337E
Part of subcall function 002D336C: EncodePointer.KERNEL32(?,?,002B4849,00307C74), ref: 002D3389

Part of subcall function 002B48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 002B4915
Part of subcall function 002B48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 002B492A

Part of subcall function 002B3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002B3B68
Part of subcall function 002B3B3A: IsDebuggerPresent.KERNEL32 ref: 002B3B7A
Part of subcall function 002B3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,003752F8,003752E0,?,?), ref: 002B3BEB
Part of subcall function 002B3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 002B3C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 002B4874

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: b7f797d948ba83e4d710cab104fe38ef773d417e1f63f96f278b77887d506ba5
Instruction ID: a82eddb9bab5209cb5946f812319c356b8834eec3977374c0adc8413ba6ffd29
Opcode Fuzzy Hash: b7f797d948ba83e4d710cab104fe38ef773d417e1f63f96f278b77887d506ba5
Instruction Fuzzy Hash: A7119D719187419FC711EF29EC4594ABBF8EF85790F10491EF149832B2DBB09994CF92

Function 002D0DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002D571C: __FF_MSGBANNER.LIBCMT ref: 002D5733
Part of subcall function 002D571C: __NMSG_WRITE.LIBCMT ref: 002D573A
Part of subcall function 002D571C: RtlAllocateHeap.NTDLL(01380000,00000000,00000001,00000000,?,?,?,002D0DD3,?), ref: 002D575F

std::exception::exception.LIBCMT ref: 002D0DEC
__CxxThrowException@8.LIBCMT ref: 002D0E01

Part of subcall function 002D859B: RaiseException.KERNEL32(?,?,?,00369E78,00000000,?,?,?,?,002D0E06,?,00369E78,?,00000001), ref: 002D85F0

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 8ef4575bc6b2753349638cc0029559ff6f26cfdac2938981838319634d94abd9
Instruction ID: 1367fd08e042fb90dda28a226967aecccbbd14cec15b4f183a5f4b274fea00a3
Opcode Fuzzy Hash: 8ef4575bc6b2753349638cc0029559ff6f26cfdac2938981838319634d94abd9
Instruction Fuzzy Hash: F2F0F43582031A66CB11BAA4EC41ADFB7ACDF05310F10442BF814AA391DFB0AE60CAE1

Function 002D53A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002D8B28: __getptd_noexit.LIBCMT ref: 002D8B28

__lock_file.LIBCMT ref: 002D53EB

Part of subcall function 002D6C11: __lock.LIBCMT ref: 002D6C34

__fclose_nolock.LIBCMT ref: 002D53F6

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: d07ab2b53d99b50d034b0401e0f6aa9947ea643b1bf855783eba146fb8391106
Instruction ID: cd6e415d62e2243797508676ed331c5c37c597dd0e8b4192d12beb245fd3b833
Opcode Fuzzy Hash: d07ab2b53d99b50d034b0401e0f6aa9947ea643b1bf855783eba146fb8391106
Instruction Fuzzy Hash: 27F09071830A159ADB51AF7598067AD7BA06F41374F20824BE464AB3C1CBFC8D619F52

Function 0140DFF5 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0140E7B3
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0140E849
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0140E86B

Memory Dump Source

Source File: 00000000.00000002.1400762567.000000000140C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0140C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140c000_qI6cHJbHJg.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction ID: 7208c6724e8d221c4c296a1c7e30a1901b4630b9d8a2edeb1575e72e39b94e97
Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction Fuzzy Hash: 8712DD20E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F91CF5A

Function 002D0C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 002D0CB7

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 63bf481e601a4f6f57cd9e677aa91dfe15d9a9bdf10ad46fb3df1541ccc7c170
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 6231A070A201069BC718DF59C4C4A69F7A6FB59300F6486A7E80ACB365DA71EDE1DB80

Function 002EFCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 002EFCB7

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 8bf13d952b1eb2c84af6ca36a191bd53e33dd9edcc8dc5e670c9d07faf9394e1
Instruction ID: d5b121097f5fd5f6ff6dabcfdc9063bd33764af285e20eed6456b75491ca0fbd
Opcode Fuzzy Hash: 8bf13d952b1eb2c84af6ca36a191bd53e33dd9edcc8dc5e670c9d07faf9394e1
Instruction Fuzzy Hash: DD4136745143418FDB25CF24C484B6ABBE0BF49354F0988ACE9998B362C371EC55CF42

Function 002B7B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002B7BB3

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: ca24f436bcb2978843170798215e8389ee3d8d2f3daa406a6b0b8f4afc5afb7e
Instruction ID: 79f72be3d7b0a8896a491cf5f1ee112188abc0c10207cdbca1e79a7a60f1b162
Opcode Fuzzy Hash: ca24f436bcb2978843170798215e8389ee3d8d2f3daa406a6b0b8f4afc5afb7e
Instruction Fuzzy Hash: 38214472624A09EBDF118F22E8417A97BB8FB54390F72846BE446C51A0EB70D4B0CB45

Function 002D06FE Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42ba6fa5a3fce640b42b9ba6973db0b820df440f550e9baae2d113647cd6e3c4
Instruction ID: 97dee790345a4c5252c2e70bbcd1e41f4ffa5b89dcfca1247fed7eb624accb7b
Opcode Fuzzy Hash: 42ba6fa5a3fce640b42b9ba6973db0b820df440f550e9baae2d113647cd6e3c4
Instruction Fuzzy Hash: A52126664093815FD7234F38A885BD6BFA4AF82220F0540DFE884CF977C2209C59C7A2

Function 002B4DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 002B4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 002B4BEF

Part of subcall function 002D525B: __wfsopen.LIBCMT ref: 002D5266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,003752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 002B4E0F

Part of subcall function 002B4B6A: FreeLibrary.KERNEL32(00000000), ref: 002B4BA4

Part of subcall function 002B4C70: _memmove.LIBCMT ref: 002B4CBA

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: bfbc526b6266911b6b9df4c083934302b24aec5f3083be980b1666f05959ca89
Instruction ID: 62dfe5b2481a0b5d65cce389a26b13f6633c48bb58f3a8cf7de9004059482acf
Opcode Fuzzy Hash: bfbc526b6266911b6b9df4c083934302b24aec5f3083be980b1666f05959ca89
Instruction Fuzzy Hash: DD112731A20205ABCF11FF71CC92FED77A9AF44780F508829F541A7183DAB0DA219F51

Function 002EFD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 002EFD91

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 5baf2cdce66f128cdace788158d65d97239d8c1384857546bba21fda41ed313c
Instruction ID: f8d839b4431e2f4912c662b3a1cc6b83de7eeec7cb084460ae3fc9e705f622b5
Opcode Fuzzy Hash: 5baf2cdce66f128cdace788158d65d97239d8c1384857546bba21fda41ed313c
Instruction Fuzzy Hash: 7A210674528341DFCB15DF24C484B5ABBE1BF88354F058968E98957722D731E825CF52

Function 002D4863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 002D48A6

Part of subcall function 002D8B28: __getptd_noexit.LIBCMT ref: 002D8B28

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 72dda7e37410967f7d6b540990ab9e67be4e803833a28c631ce9769652632fdd
Instruction ID: 1d5d7d622a488fe01eb916bce255e774a785e193920b7454afacc6f0f324dc48
Opcode Fuzzy Hash: 72dda7e37410967f7d6b540990ab9e67be4e803833a28c631ce9769652632fdd
Instruction Fuzzy Hash: A7F08C31920649ABDB11BFA48C0A7EE36A1AF00365F158416F4249A391CBB88D71EF51

Function 002B4E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,003752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 002B4E7E

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 14a2bbc901af08f22cc0ffd0dd7a4925c36f7b1a31e2a8b6a88715f24d4525e5
Instruction ID: f5197bacc5d35359a1860f7279f8622f0a339680ab6520d8a82c0f65db8d257c
Opcode Fuzzy Hash: 14a2bbc901af08f22cc0ffd0dd7a4925c36f7b1a31e2a8b6a88715f24d4525e5
Instruction Fuzzy Hash: CCF03071525712CFCB34AF64E4D4852B7E5BF143A5310897EE2D782612C771D860DF40

Function 002D0791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002D07B0

Part of subcall function 002B7BCC: _memmove.LIBCMT ref: 002B7C06

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: b9793669a6c5738e00df80355d6b605f12dfa53ba411f582f3afa62674764bfc
Instruction ID: 5d3bb3973b3c51ddac301808e5c6694e057dd03875531db7e7d780b0e71eee92
Opcode Fuzzy Hash: b9793669a6c5738e00df80355d6b605f12dfa53ba411f582f3afa62674764bfc
Instruction Fuzzy Hash: DEE0CD369441285BC721D6699C06FEA77DDDFC87A0F0441B5FC0CD7245D9749C908AD0

Function 002D525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 002D5266

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 8a50c8b4b281a8c5670881afba95169e2a5b0751e143bafe0981abcd70c24cd1
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: CBB0927644020C77CE012A82EC02A493B199B41764F408021FF0C18262E6B3AA789A89

Function 0140EFF4 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0140F009

Memory Dump Source

Source File: 00000000.00000002.1400762567.000000000140C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0140C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140c000_qI6cHJbHJg.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 9a7ae311841296233417bea816cd1027f3543a060739a26015bbaaac6b2ee830
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: BAE0BF7494010DEFDB10DFE4D6496ED7BB4EF04301F1005A1FD05D7691DB309E548A62

Function 0140EFF8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0140F009

Memory Dump Source

Source File: 00000000.00000002.1400762567.000000000140C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0140C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140c000_qI6cHJbHJg.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: b126ce26a8ed8cf76f38a0cecfe1d733ea6dadb063d917cd31e3d9a61292c0c3
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 4BE0E67494010DDFDB10DFF4D6496AD7BF4EF04301F100161FD01D2281D6309D508A72

Non-executed Functions

Function 0033CABC Relevance: 77.6, APIs: 40, Strings: 4, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 002B2612: GetWindowLongW.USER32(?,000000EB), ref: 002B2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0033CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0033CB95
GetWindowLongW.USER32(?,000000F0), ref: 0033CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0033CC00
SendMessageW.USER32 ref: 0033CC29
_wcsncpy.LIBCMT ref: 0033CC95
GetKeyState.USER32(00000011), ref: 0033CCB6
GetKeyState.USER32(00000009), ref: 0033CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0033CCD9
GetKeyState.USER32(00000010), ref: 0033CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0033CD0C
SendMessageW.USER32 ref: 0033CD33
SendMessageW.USER32(?,00001030,?,0033B348), ref: 0033CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0033CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0033CE60
SetCapture.USER32(?), ref: 0033CE69
ClientToScreen.USER32(?,?), ref: 0033CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0033CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0033CEF5
ReleaseCapture.USER32 ref: 0033CF00
GetCursorPos.USER32(?), ref: 0033CF3A
ScreenToClient.USER32(?,?), ref: 0033CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 0033CFA3
SendMessageW.USER32 ref: 0033CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0033D00E
SendMessageW.USER32 ref: 0033D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0033D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0033D06D
GetCursorPos.USER32(?), ref: 0033D08D
ScreenToClient.USER32(?,?), ref: 0033D09A
GetParent.USER32(?), ref: 0033D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 0033D123
SendMessageW.USER32 ref: 0033D154
ClientToScreen.USER32(?,?), ref: 0033D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0033D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 0033D20C
SendMessageW.USER32 ref: 0033D22F
ClientToScreen.USER32(?,?), ref: 0033D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0033D2B5

Part of subcall function 002B25DB: GetWindowLongW.USER32(?,000000EB), ref: 002B25EC

GetWindowLongW.USER32(?,000000F0), ref: 0033D351

Strings

F, xrefs: 0033D235
pb7, xrefs: 0033CEAF
@U=u, xrefs: 0033CB95, 0033CC00, 0033CC29, 0033CCD9, 0033CD0C, 0033CD33, 0033CE37, 0033CFA3, 0033CFD1, 0033D00E, 0033D03D, 0033D123, 0033D154, 0033D20C, 0033D22F
@GUI_DRAGID, xrefs: 0033CE9C

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$@U=u$F$pb7
API String ID: 3977979337-545943077
Opcode ID: feff5d22ee0b7d45502e15b8a09392972758c77994fc2f52927b5d3510cee835
Instruction ID: f48a8632eb7ab44306b48ddd4ea156c6f27dc8dec0e1059ce4e3b887c8844c5d
Opcode Fuzzy Hash: feff5d22ee0b7d45502e15b8a09392972758c77994fc2f52927b5d3510cee835
Instruction Fuzzy Hash: C542CC34614340AFDB26CF24C885EAABBE9FF49310F141A19F699A72B0C771D850DF92

Function 002C6F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002C71C3
_memset.LIBCMT ref: 002C7539
_memmove.LIBCMT ref: 002C76AC

Strings

P\6, xrefs: 00301AB8
]6, xrefs: 00301A22
DEFINE, xrefs: 00302103
3c,, xrefs: 003023A0
\b(?=\w), xrefs: 00303769
\b(?<=\w), xrefs: 00303773
_,, xrefs: 003023CB
[:<:]], xrefs: 002C7479
[:>:]], xrefs: 002C7492
Q\E, xrefs: 002C7FCB

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]6$3c,$DEFINE$P\6$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_,
API String ID: 1357608183-2105160573
Opcode ID: d0649391f0857d486cf4c9016aeb22ae0a9443d1bf92b9139e6ceee66f4000b4
Instruction ID: cc328107a72b4452adfef1562560db7fa9363ef2afa95b841b289f1410cb42a8
Opcode Fuzzy Hash: d0649391f0857d486cf4c9016aeb22ae0a9443d1bf92b9139e6ceee66f4000b4
Instruction Fuzzy Hash: 9793C271E1121ADFDB25CF98C891BADB7B5FF48310F25816AE945AB2C1E7709E81CB40

Function 002B48D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 002B48DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002ED665
IsIconic.USER32(?), ref: 002ED66E
ShowWindow.USER32(?,00000009), ref: 002ED67B
SetForegroundWindow.USER32(?), ref: 002ED685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 002ED69B
GetCurrentThreadId.KERNEL32 ref: 002ED6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 002ED6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 002ED6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 002ED6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 002ED6CF
SetForegroundWindow.USER32(?), ref: 002ED6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 002ED6E7
keybd_event.USER32(00000012,00000000), ref: 002ED6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 002ED6FC
keybd_event.USER32(00000012,00000000), ref: 002ED701
MapVirtualKeyW.USER32(00000012,00000000), ref: 002ED70A
keybd_event.USER32(00000012,00000000), ref: 002ED70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 002ED719
keybd_event.USER32(00000012,00000000), ref: 002ED71E
SetForegroundWindow.USER32(?), ref: 002ED721
AttachThreadInput.USER32(?,?,00000000), ref: 002ED748

Strings

Shell_TrayWnd, xrefs: 002ED660

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: f218fdc832fdf2d81a94fc3e10ca160f02d9d98d7ab45062f7747ad8a932322f
Instruction ID: c3fd9d13630059dacd24ac7480a5ad0900a3da775d6c548e7edb5d1ba1c9d407
Opcode Fuzzy Hash: f218fdc832fdf2d81a94fc3e10ca160f02d9d98d7ab45062f7747ad8a932322f
Instruction Fuzzy Hash: 2E315571E903587FEB216F629C8AF7F7E6CEB44B50F504025FA04EA1E1C6B05D11ABA1

Function 00308310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 003087E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0030882B
Part of subcall function 003087E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00308858
Part of subcall function 003087E1: GetLastError.KERNEL32 ref: 00308865

_memset.LIBCMT ref: 00308353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 003083A5
CloseHandle.KERNEL32(?), ref: 003083B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003083CD
GetProcessWindowStation.USER32 ref: 003083E6
SetProcessWindowStation.USER32(00000000), ref: 003083F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0030840A

Part of subcall function 003081CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00308309), ref: 003081E0
Part of subcall function 003081CB: CloseHandle.KERNEL32(?,?,00308309), ref: 003081F2

Strings

, xrefs: 00308362
default, xrefs: 00308405
winsta0, xrefs: 003083C8

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: a87102aebb5af15e6f3351b8d0fd47d5ee8c7cbd1171f557b13963837ee1dba8
Instruction ID: 8ef14f93578d7cae23f2d5306803615b4254f4447bca15e8c7cadea8eaeb1d1d
Opcode Fuzzy Hash: a87102aebb5af15e6f3351b8d0fd47d5ee8c7cbd1171f557b13963837ee1dba8
Instruction Fuzzy Hash: 98817CB1D02209AFDF12DFA5CC95AEE7BB9FF05308F144169F954A62A1DB318E14DB20

Function 0031C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0031C78D
FindClose.KERNEL32(00000000), ref: 0031C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0031C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0031C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 0031C844
__swprintf.LIBCMT ref: 0031C890
__swprintf.LIBCMT ref: 0031C8D3

Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22

__swprintf.LIBCMT ref: 0031C927

Part of subcall function 002D3698: __woutput_l.LIBCMT ref: 002D36F1

__swprintf.LIBCMT ref: 0031C975

Part of subcall function 002D3698: __flsbuf.LIBCMT ref: 002D3713
Part of subcall function 002D3698: __flsbuf.LIBCMT ref: 002D372B

__swprintf.LIBCMT ref: 0031C9C4
__swprintf.LIBCMT ref: 0031CA13
__swprintf.LIBCMT ref: 0031CA62

Strings

%4d, xrefs: 0031C8CD
%4d%02d%02d%02d%02d%02d, xrefs: 0031C88A
%02d, xrefs: 0031C91B, 0031C925, 0031C973, 0031C9C2, 0031CA11, 0031CA60

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: b1fdf0fbbf3fc2501c7642537b0cb5b503617044ed8ab0891a88be00fcce5e34
Instruction ID: a78abd15ea064292383a745422fed9480ede189037212ac6c570cc6e0b76c9d0
Opcode Fuzzy Hash: b1fdf0fbbf3fc2501c7642537b0cb5b503617044ed8ab0891a88be00fcce5e34
Instruction Fuzzy Hash: 0DA13CB2418205ABC705EFA4C886DEFB7ECEF99744F400919F595C6191EB30EA58CB62

Function 0031EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 0031EFB6
_wcscmp.LIBCMT ref: 0031EFCB
_wcscmp.LIBCMT ref: 0031EFE2
GetFileAttributesW.KERNEL32(?), ref: 0031EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 0031F00E
FindNextFileW.KERNEL32(00000000,?), ref: 0031F026
FindClose.KERNEL32(00000000), ref: 0031F031
FindFirstFileW.KERNEL32(*.*,?), ref: 0031F04D
_wcscmp.LIBCMT ref: 0031F074
_wcscmp.LIBCMT ref: 0031F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 0031F09D
SetCurrentDirectoryW.KERNEL32(00368920), ref: 0031F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 0031F0C5
FindClose.KERNEL32(00000000), ref: 0031F0D2
FindClose.KERNEL32(00000000), ref: 0031F0E4

Strings

*.*, xrefs: 0031F048

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 90260ae531a72e61c9cdf65ca1ef2c09ed52f5508324681aabc8efa9e02a37d1
Instruction ID: bdce4d841f7451ddffa20d6e235c7ecddb437306f9d42b98d46d6026bc1d6c32
Opcode Fuzzy Hash: 90260ae531a72e61c9cdf65ca1ef2c09ed52f5508324681aabc8efa9e02a37d1
Instruction Fuzzy Hash: 9231F6369002096FCB1AEBB4EC98AEE77AC9F4C360F504176E804E30A1DB70DE80CA55

Function 00330857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00330953
RegCreateKeyExW.ADVAPI32(?,?,00000000,0033F910,00000000,?,00000000,?,?), ref: 003309C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00330A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00330A92
RegCloseKey.ADVAPI32(?), ref: 00330DB2
RegCloseKey.ADVAPI32(00000000), ref: 00330DBF

Strings

REG_QWORD, xrefs: 00330D00
REG_MULTI_SZ, xrefs: 00330B7A
REG_DWORD, xrefs: 00330C83
REG_SZ, xrefs: 00330AD0
REG_BINARY, xrefs: 00330D4D
REG_EXPAND_SZ, xrefs: 00330A2F

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: d658254030e38b1b9ec5839a6b342c786b79452ae819b98fd8faed49062f105a
Instruction ID: df6380323342e277dca4b875104384aefb1df1f053d717a36a21271ef1886e3b
Opcode Fuzzy Hash: d658254030e38b1b9ec5839a6b342c786b79452ae819b98fd8faed49062f105a
Instruction Fuzzy Hash: 0A0247756146019FCB19EF28C891E6AB7E5EF89310F05855DF98A9B3A2CB30EC51CF81

Function 002C66E1 Relevance: 25.9, Strings: 20, Instructions: 889COMMON

Download Yara Rule

Strings

0F5, xrefs: 002C6747
3c,, xrefs: 002C68FF
UCP), xrefs: 0030110D
LF), xrefs: 003012A4
0D5, xrefs: 002C6733
NO_AUTO_POSSESS), xrefs: 0030112E
CR), xrefs: 00301287
pG5, xrefs: 002C6751
LIMIT_RECURSION=, xrefs: 003011FC
LIMIT_MATCH=, xrefs: 00301170
0E5, xrefs: 002C673D
BSR_ANYCRLF), xrefs: 0030131E
CRLF), xrefs: 003012C1
ANY), xrefs: 003012DE
NO_START_OPT), xrefs: 0030114F
ANYCRLF), xrefs: 003012FB
_,, xrefs: 00301465, 0030150C, 003015B4
BSR_UNICODE), xrefs: 00301338
UTF), xrefs: 003010FA
UTF16), xrefs: 003010CF

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID:
String ID: 0D5$0E5$0F5$3c,$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pG5$_,
API String ID: 0-3963977302
Opcode ID: 1b39a5b44190389f3191d6a8e8b3b3160d95d18f5febdac97e552aac1a84d809
Instruction ID: 2f911eddfb4c1761da16637632e313ada473cc8971acc41f1925af75eaa11c10
Opcode Fuzzy Hash: 1b39a5b44190389f3191d6a8e8b3b3160d95d18f5febdac97e552aac1a84d809
Instruction Fuzzy Hash: 46728F75E11219DBDB25CF59C894BAEB7F5FF48310F14816AE809EB290E7709E81CB90

Function 0031F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 0031F113
_wcscmp.LIBCMT ref: 0031F128
_wcscmp.LIBCMT ref: 0031F13F

Part of subcall function 00314385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 003143A0

FindNextFileW.KERNEL32(00000000,?), ref: 0031F16E
FindClose.KERNEL32(00000000), ref: 0031F179
FindFirstFileW.KERNEL32(*.*,?), ref: 0031F195
_wcscmp.LIBCMT ref: 0031F1BC
_wcscmp.LIBCMT ref: 0031F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 0031F1E5
SetCurrentDirectoryW.KERNEL32(00368920), ref: 0031F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 0031F20D
FindClose.KERNEL32(00000000), ref: 0031F21A
FindClose.KERNEL32(00000000), ref: 0031F22C

Strings

*.*, xrefs: 0031F190

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 6335d7205f0a3790c980df49feebb7712177fd8c79a8f23b4464fb4e1de71539
Instruction ID: 49fbc08f1141c6f6d42c1726b4ecd1c6b546fac890bb74ca0c12f8a0e85e7888
Opcode Fuzzy Hash: 6335d7205f0a3790c980df49feebb7712177fd8c79a8f23b4464fb4e1de71539
Instruction Fuzzy Hash: 2D31E93A900219BECB1AEB64EC95EEE77AC9F4D360F510571E800E31A0DB30DE85CA54

Function 0031A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0031A20F
__swprintf.LIBCMT ref: 0031A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 0031A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0031A293
_memset.LIBCMT ref: 0031A2B2
_wcsncpy.LIBCMT ref: 0031A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0031A323
CloseHandle.KERNEL32(00000000), ref: 0031A32E
RemoveDirectoryW.KERNEL32(?), ref: 0031A337
CloseHandle.KERNEL32(00000000), ref: 0031A341

Strings

\??\%s, xrefs: 0031A22B
\, xrefs: 0031A247
:, xrefs: 0031A252

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: f6c95290e2c221f6c8866ece0c71f899689fffe8e80d10dabf59db1c004e02ba
Instruction ID: 3d0681ab22b272f9697cb5ee132e7ac190bcbeff279e8d450ba5e2f642d9cc03
Opcode Fuzzy Hash: f6c95290e2c221f6c8866ece0c71f899689fffe8e80d10dabf59db1c004e02ba
Instruction Fuzzy Hash: D431B475900109ABDB22DFA0DC89FFB77BCEF88741F5045B6F908D2160EB7096958B25

Function 0031001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00310097
SetKeyboardState.USER32(?), ref: 00310102
GetAsyncKeyState.USER32(000000A0), ref: 00310122
GetKeyState.USER32(000000A0), ref: 00310139
GetAsyncKeyState.USER32(000000A1), ref: 00310168
GetKeyState.USER32(000000A1), ref: 00310179
GetAsyncKeyState.USER32(00000011), ref: 003101A5
GetKeyState.USER32(00000011), ref: 003101B3
GetAsyncKeyState.USER32(00000012), ref: 003101DC
GetKeyState.USER32(00000012), ref: 003101EA
GetAsyncKeyState.USER32(0000005B), ref: 00310213
GetKeyState.USER32(0000005B), ref: 00310221

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 1b31702c674f1deb9a696592a23fe376ada2cbbc973f98d6dcf8162e59679e8f
Instruction ID: ae16c1f14877cfea4d050a511cd7dd9c746ede3b1f92bc310e403a9e1735addc
Opcode Fuzzy Hash: 1b31702c674f1deb9a696592a23fe376ada2cbbc973f98d6dcf8162e59679e8f
Instruction Fuzzy Hash: 6051D92490478869FB3EDBB088547EABFB49F09380F09459A95C25A5C2DAE49BCCC761

Function 003303DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00330E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0032FDAD,?,?), ref: 00330E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003304AC

Part of subcall function 002B9837: __itow.LIBCMT ref: 002B9862
Part of subcall function 002B9837: __swprintf.LIBCMT ref: 002B98AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0033054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 003305E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00330822
RegCloseKey.ADVAPI32(00000000), ref: 0033082F

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: ba8646f78338ef49208c3273b990cfe30964d46b7ac4da6ac8561ebc93e4707d
Instruction ID: 8923b73f941e9437e80e124e69a5ba0126c3684dba7fa2a3911c2d46dc6b6762
Opcode Fuzzy Hash: ba8646f78338ef49208c3273b990cfe30964d46b7ac4da6ac8561ebc93e4707d
Instruction Fuzzy Hash: E1E15E31604200AFCB19DF28C991E6ABBE9EF89314F04896DF94ADB261D730ED11CF91

Function 003283BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 002B9837: __itow.LIBCMT ref: 002B9862
Part of subcall function 002B9837: __swprintf.LIBCMT ref: 002B98AC

CoInitialize.OLE32 ref: 00328403
CoUninitialize.OLE32 ref: 0032840E
CoCreateInstance.OLE32(?,00000000,00000017,00342BEC,?), ref: 0032846E
IIDFromString.OLE32(?,?), ref: 003284E1
VariantInit.OLEAUT32(?), ref: 0032857B
VariantClear.OLEAUT32(?), ref: 003285DC

Strings

NULL Pointer assignment, xrefs: 003284B3
Invalid parameter, xrefs: 003284FA
Failed to create object, xrefs: 00328479, 0032852F

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: e2b4d70f1617c7612046aa78e408820262253246476d31fca66c95030c9dd445
Instruction ID: 61362f8386c99ee3b9a9f2c4b5e85bb910ad182790fe2fa85964bf5b45ffba77
Opcode Fuzzy Hash: e2b4d70f1617c7612046aa78e408820262253246476d31fca66c95030c9dd445
Instruction Fuzzy Hash: 7661D4706093229FC712EF15E888FAEB7E8AF49754F14491DF9819B291CB70ED44CB92

Function 00324164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0032418B
EmptyClipboard.USER32 ref: 00324191
GlobalAlloc.KERNEL32(00000002,?), ref: 003241A6
CloseClipboard.USER32 ref: 00324245

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 706a1be6f5b8790b9850aa50c4be43de33403042912ef32f63105228ac47584f
Instruction ID: f64207d80f9f048b62a710a9a3045b98577fe99a70dddadd2ca15bec8be3fdf0
Opcode Fuzzy Hash: 706a1be6f5b8790b9850aa50c4be43de33403042912ef32f63105228ac47584f
Instruction Fuzzy Hash: C921A135601210DFDB12AF24EC8AB6E7BACEF15750F11842AF946DB2B1DB70AC50CB54

Function 003137EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 002B4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002B4743,?,?,002B37AE,?), ref: 002B4770

Part of subcall function 00314A31: GetFileAttributesW.KERNEL32(?,0031370B), ref: 00314A32

FindFirstFileW.KERNEL32(?,?), ref: 003138A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0031394B
MoveFileW.KERNEL32(?,?), ref: 0031395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0031397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 0031399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 003139B9

Strings

\*.*, xrefs: 0031384E, 00313857, 0031386C

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 29218da78ab374f6224f982de2e404b24136db7784a8434c12317bef63abf5be
Instruction ID: b0ebf7691db1104320a76f0348dcfecbeb97442911d919b0becfb74c35286ad0
Opcode Fuzzy Hash: 29218da78ab374f6224f982de2e404b24136db7784a8434c12317bef63abf5be
Instruction Fuzzy Hash: 53517F3180514DAACF0AFBA0C9929EDB779AF58340F640069E406BB191EF316F49CF60

Function 0031F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0031F440
Sleep.KERNEL32(0000000A), ref: 0031F470
_wcscmp.LIBCMT ref: 0031F484
_wcscmp.LIBCMT ref: 0031F49F
FindNextFileW.KERNEL32(?,?), ref: 0031F53D
FindClose.KERNEL32(00000000), ref: 0031F553

Strings

*.*, xrefs: 0031F425

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: f07bccab4d7e58bdfbc6134f76748c95f70f6ff68f2369640a78ca75a15ee845
Instruction ID: b062ed5ebeefe5302e212cc421019eccccbdbd3d4a4f4331253e292b8f36d988
Opcode Fuzzy Hash: f07bccab4d7e58bdfbc6134f76748c95f70f6ff68f2369640a78ca75a15ee845
Instruction Fuzzy Hash: 8441917190021A9FCF16EF64DC45AEEBBB8FF09310F544466E815A32A1EB309E94CF50

Function 002C3030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

3c,, xrefs: 002C3225
_,, xrefs: 002C3322

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3c,$_,
API String ID: 674341424-370742736
Opcode ID: 6d6fc96cea8e365c6fef08305eaf79f422ebd35af44a43c88abc897f2100071a
Instruction ID: ac79daff6e5f1c9c9b5d867e1075662c8917131a188a67b072c9b667a6dfa288
Opcode Fuzzy Hash: 6d6fc96cea8e365c6fef08305eaf79f422ebd35af44a43c88abc897f2100071a
Instruction Fuzzy Hash: E0229C716283019FC724DF14C881FAEB7E4EF85350F008A2DF99A97291DB71E964CB92

Function 002C5760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002C58A5
_memmove.LIBCMT ref: 002C58F5
_memmove.LIBCMT ref: 002C595B

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: d9c26bf02809285465a64aa4c44b8c62124380884ea2e81e184f0471a39e58d4
Instruction ID: 00cddc7be624f4b4e0299e47962a897a55c27e4680219f9ce23d39c5a995f58a
Opcode Fuzzy Hash: d9c26bf02809285465a64aa4c44b8c62124380884ea2e81e184f0471a39e58d4
Instruction Fuzzy Hash: 5C129B70A10619DFDF08DFA5C991BEEB7B9FF48300F104669E446A7290EB76AD60CB50

Function 003151BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 003087E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0030882B
Part of subcall function 003087E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00308858
Part of subcall function 003087E1: GetLastError.KERNEL32 ref: 00308865

ExitWindowsEx.USER32(?,00000000), ref: 003151F9

Strings

, xrefs: 003151E7
@, xrefs: 003151EC
SeShutdownPrivilege, xrefs: 003151C9

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 1ed2a4c8d9b381d98538196408dde8ac2e8679d0310fed7e817c62780a443c62
Instruction ID: 67ec2b78e08f86c66b0b6d40716394d8185b87e8cd699e632572b80f2f3a8b95
Opcode Fuzzy Hash: 1ed2a4c8d9b381d98538196408dde8ac2e8679d0310fed7e817c62780a443c62
Instruction Fuzzy Hash: CA012433B91605ABE72F23689C9AFFB725C9B8E740F610C20F803E60D2DA715C828190

Function 00326283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 003262DC
WSAGetLastError.WSOCK32(00000000), ref: 003262EB
bind.WSOCK32(00000000,?,00000010), ref: 00326307
listen.WSOCK32(00000000,00000005), ref: 00326316
WSAGetLastError.WSOCK32(00000000), ref: 00326330
closesocket.WSOCK32(00000000,00000000), ref: 00326344

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: bafd6f9659beaaae244bafcf686967eac0032ef23887fd4653b1adf2a18a8e87
Instruction ID: 99c3b193e910293e867b834a5ef475f70fce34d7ee0f043c43e120985f8a7a16
Opcode Fuzzy Hash: bafd6f9659beaaae244bafcf686967eac0032ef23887fd4653b1adf2a18a8e87
Instruction Fuzzy Hash: B121D034600210AFCB11EF64DC86A6EB7B9EF49760F558158FA16AB3E1C770AC41CB51

Function 002C5520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 002D0DB6: std::exception::exception.LIBCMT ref: 002D0DEC
Part of subcall function 002D0DB6: __CxxThrowException@8.LIBCMT ref: 002D0E01

_memmove.LIBCMT ref: 00300258
_memmove.LIBCMT ref: 0030036D
_memmove.LIBCMT ref: 00300414

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 823022eb4729ac54cb3215978ca6111892d5654d9fcf2aeddd46269ff6a47ae2
Instruction ID: 480cfafae25d4cb1b338f25b5437d37bc8248247107e2e864d3f4ee04d4f26e6
Opcode Fuzzy Hash: 823022eb4729ac54cb3215978ca6111892d5654d9fcf2aeddd46269ff6a47ae2
Instruction Fuzzy Hash: 7702C470A10215DBCF09DF64D991BAEBBB9EF44300F5480A9E809DB395EB31ED64CB91

Function 002B1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 002B2612: GetWindowLongW.USER32(?,000000EB), ref: 002B2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 002B19FA
GetSysColor.USER32(0000000F), ref: 002B1A4E
SetBkColor.GDI32(?,00000000), ref: 002B1A61

Part of subcall function 002B1290: DefDlgProcW.USER32(?,00000020,?), ref: 002B12D8

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: d27d3cb0d5e54f56de7874c17320f398c65f2b77eb7c9c5435e6ab2b63f92a03
Instruction ID: b44b92c88c0268c033ec226c74626c579ace7f2efd6e459ad3df3c9c5b16a032
Opcode Fuzzy Hash: d27d3cb0d5e54f56de7874c17320f398c65f2b77eb7c9c5435e6ab2b63f92a03
Instruction Fuzzy Hash: CBA13A711325C6BAEB3AAE294CB8EFF355CDB463C1FD40119F502D6192CA60AD70D6B1

Function 00326747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00327D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00327DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0032679E
WSAGetLastError.WSOCK32(00000000), ref: 003267C7
bind.WSOCK32(00000000,?,00000010), ref: 00326800
WSAGetLastError.WSOCK32(00000000), ref: 0032680D
closesocket.WSOCK32(00000000,00000000), ref: 00326821

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: c7bce5c8025b57d381f20383092b9f3810b924dca1ee28d744bec31dc7dc7baf
Instruction ID: e33d887bf1ca9de9ef50f1ca5acc66b591dd4f7d12a0d8504c764a7028dcaa22
Opcode Fuzzy Hash: c7bce5c8025b57d381f20383092b9f3810b924dca1ee28d744bec31dc7dc7baf
Instruction Fuzzy Hash: 5A41C475A00210AFDB15BF249C87FAE77A8DF05794F44845CFA1AAB3D2CA709D50CB91

Function 00335376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 003353C5
IsWindowEnabled.USER32 ref: 003353D3
GetForegroundWindow.USER32(?,?,00000001), ref: 003353E0
IsIconic.USER32 ref: 003353EE
IsZoomed.USER32 ref: 003353FC

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: f821508c7dafae24aeb7f84f54a5e4aa24bc08e1884e5c192f775e723d8bca2c
Instruction ID: 54f9eba9ac16a9f66ae1b46021c79cce598aeadd5eaf18a14260e52d4b28d5fe
Opcode Fuzzy Hash: f821508c7dafae24aeb7f84f54a5e4aa24bc08e1884e5c192f775e723d8bca2c
Instruction Fuzzy Hash: 7E11BF327009116FEB236F269CC4BAABBADEF457A1F414029F846D7251CBB0DD018AA0

Function 003080A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003080C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003080CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003080D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003080E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003080F6

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 68a9e80d0b09539ce9dcf5ed4fd9a0180dd97b04fc161cbf2854c2882f0f2b07
Instruction ID: 0d9a8f20ccebe15e35312283d9ce5af934be7cf5500446d8aec73726064743e5
Opcode Fuzzy Hash: 68a9e80d0b09539ce9dcf5ed4fd9a0180dd97b04fc161cbf2854c2882f0f2b07
Instruction Fuzzy Hash: B6F06235641204AFEB160FA5ECCDE673BACEF49755F400025F985C62A0CBA1DC45DE60

Function 002B4B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,002B4AD0), ref: 002B4B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 002B4B57

Strings

kernel32.dll, xrefs: 002B4B40
GetNativeSystemInfo, xrefs: 002B4B51

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 0d1492a1ef36ae4aa35d7e124890b5769789c0b70b9c5cb2f59d4d2e9ffbd1d5
Instruction ID: c0906ac8660109dca31fb4d482681af7cb8645361240435c52986b437df5cd93
Opcode Fuzzy Hash: 0d1492a1ef36ae4aa35d7e124890b5769789c0b70b9c5cb2f59d4d2e9ffbd1d5
Instruction Fuzzy Hash: 9ED01274E10713CFDB21AF31E898B86B6D8AF05395F518839D486D6160D774D480C654

Function 0032EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0032EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 0032EE4B

Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22

Process32NextW.KERNEL32(00000000,?), ref: 0032EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0032EF1A

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 8aa73557eacedf7d6d413320357fa23aef6c4efd2843c11eb9b6cc055ae40b3b
Instruction ID: 2e83366de50a181b22664f1227587c4b691144a248b92a5bbac44a6db2b07878
Opcode Fuzzy Hash: 8aa73557eacedf7d6d413320357fa23aef6c4efd2843c11eb9b6cc055ae40b3b
Instruction Fuzzy Hash: 0651C071518711AFD311EF20DC82EABB7E8EF94740F40492DF595972A1EB70E918CB92

Function 0030E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0030E628

Strings

(, xrefs: 0030E66E
|, xrefs: 0030E658

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 788bb768f901aa332659769ee94763ce0c04883f975de3c4f162854885573a5f
Instruction ID: 3530fbe17a89de02f67a6bf4ba03dfe86b5b11a704d6685afb7aad95d36304b7
Opcode Fuzzy Hash: 788bb768f901aa332659769ee94763ce0c04883f975de3c4f162854885573a5f
Instruction Fuzzy Hash: 1D324675A017059FDB29CF19C490A6AB7F1FF48320B15C86EE89ADB7A1E770E941CB40

Function 003222EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0032180A,00000000), ref: 003223E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00322418

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: f2139aadc1fc1a2c6acb09a3e6aea95408d60f8ed459fb7ff8200efba979e5fd
Instruction ID: 9db1a9c74dbd5661046cdf74c6276e5480cd21f55cc83d3c86b0f5eaf6719f7d
Opcode Fuzzy Hash: f2139aadc1fc1a2c6acb09a3e6aea95408d60f8ed459fb7ff8200efba979e5fd
Instruction Fuzzy Hash: 0A41F675904219BFEB12DE96EC85FBBB7BCEB40314F10406AFA01A6241DA759E419A60

Function 0031B333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0031B343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0031B39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0031B3EA

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: b1c0de9bff087e972a13333a44214a591d1fa79eda21a9dca46e00078e2488ef
Instruction ID: 47c4cbcaa46e1c3652de47339d9b6bfceacb0e2fcce778a7569d2562a8cc8cf7
Opcode Fuzzy Hash: b1c0de9bff087e972a13333a44214a591d1fa79eda21a9dca46e00078e2488ef
Instruction Fuzzy Hash: F1215E35A00518EFCB01EFA5D881AEDBBB8FF49310F1480AAE905AB351CB319965CF50

Function 003087E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 002D0DB6: std::exception::exception.LIBCMT ref: 002D0DEC
Part of subcall function 002D0DB6: __CxxThrowException@8.LIBCMT ref: 002D0E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0030882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00308858
GetLastError.KERNEL32 ref: 00308865

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 7c8454916080aee760725fa1484b3c878cc1d87dc0ad755688c36fb55d523796
Instruction ID: 369785a5e8db4204feac17ca32acb8ddedd04f172601662952eda91a64cc6585
Opcode Fuzzy Hash: 7c8454916080aee760725fa1484b3c878cc1d87dc0ad755688c36fb55d523796
Instruction Fuzzy Hash: 3F116AB2914204AFE719DFA4DCC5D6BB7BDFB44710B60C52EE49697651EA30AC408B60

Function 0030874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00308774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0030878B
FreeSid.ADVAPI32(?), ref: 0030879B

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: ffafc52fb799936b0b985a33512ea87cd645a3accdc5c43f035d65d88e922628
Instruction ID: 57df715b1e563f907da6e95d4244c91062e34087576baab051463afe71d15286
Opcode Fuzzy Hash: ffafc52fb799936b0b985a33512ea87cd645a3accdc5c43f035d65d88e922628
Instruction Fuzzy Hash: 12F03775E1120CBFDB04DFE49D89ABEBBBCEF08301F5044A9A905E2181E6716A048B50

Function 00318889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0031889B

Part of subcall function 002D520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00318F6E,00000000,?,?,?,?,0031911F,00000000,?), ref: 002D5213
Part of subcall function 002D520A: __aulldiv.LIBCMT ref: 002D5233

Strings

0e7, xrefs: 00318892

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0e7
API String ID: 2893107130-2065499759
Opcode ID: 59e8db6542342fbf55b0e44d8f2710b4e72ee9e1fb6065adc004315b698284dd
Instruction ID: 93b7e418a2980e9bd53c2a4060167c900e3038d2dfc17d84a106c77f5c0394df
Opcode Fuzzy Hash: 59e8db6542342fbf55b0e44d8f2710b4e72ee9e1fb6065adc004315b698284dd
Instruction Fuzzy Hash: 4A21E732635510CBC32ACF29D451A91B3E5EFA9320F688E2CD0F9CB2C0CA34B945DB54

Function 0031C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0031C6FB
FindClose.KERNEL32(00000000), ref: 0031C72B

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 4ef2f50a9fd8828e2acf43ab1c7596d0e0962df58963681c15774cd513efe307
Instruction ID: a12c04e54f555783fd6c6719715aa0ca03e6d3a841d31ea683de23482176b892
Opcode Fuzzy Hash: 4ef2f50a9fd8828e2acf43ab1c7596d0e0962df58963681c15774cd513efe307
Instruction Fuzzy Hash: AD11A1766102009FDB10EF29D885A6AF7E8FF89364F00851DF9A9C72A1DB70AC11CF81

Function 0031A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00329468,?,0033FB84,?), ref: 0031A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00329468,?,0033FB84,?), ref: 0031A0A9

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 86b0320dd3c5c7bbda274b7afc97bfb66355efdadcac930c74d0a0a181f72094
Instruction ID: e389000cd692a97882d799e99670361d6c55c47e7533e9803a4c9e9561002639
Opcode Fuzzy Hash: 86b0320dd3c5c7bbda274b7afc97bfb66355efdadcac930c74d0a0a181f72094
Instruction Fuzzy Hash: 15F0E23550522DABDB229FA4CC88FEA736CBF0C362F004165F808D2181C6309954CBA1

Function 003081CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00308309), ref: 003081E0
CloseHandle.KERNEL32(?,?,00308309), ref: 003081F2

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: fb1b7c7fc45cac51d1f276d213ab04be2f36749e0f9827e7917c2519423906f5
Instruction ID: 6f5445e4b999367e20e962ca51977a2e7405d63011eb63eb997f307699914e19
Opcode Fuzzy Hash: fb1b7c7fc45cac51d1f276d213ab04be2f36749e0f9827e7917c2519423906f5
Instruction Fuzzy Hash: A7E0E671011510AFE7262B74EC45E7777EDEF04310F14C82EF49584470DB615CA1DB10

Function 002DA155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,002D8D57,?,?,?,00000001), ref: 002DA15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 002DA163

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 50bae8e399822fe7cdc2f750ac920b66483313298984c57e87c8ca1ee72bbbbb
Instruction ID: 2ad854581c62f698663a36b62aa31a19551c760a9f85d7e2a8d6db418fd93046
Opcode Fuzzy Hash: 50bae8e399822fe7cdc2f750ac920b66483313298984c57e87c8ca1ee72bbbbb
Instruction Fuzzy Hash: E3B09235454208AFCA022B91EC49B8A3F6CEB45BB2F804020F60D85060CB6254508A91

Function 002DF1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb56866162204efcfa6835379a01b1fb9672ebc75b55a849ca833d2f57fa2cd
Instruction ID: e89910ffaa2cae736eb7c43cba25df076bc1d403f8d81cb363afcf0f08a0a186
Opcode Fuzzy Hash: 4bb56866162204efcfa6835379a01b1fb9672ebc75b55a849ca833d2f57fa2cd
Instruction Fuzzy Hash: 5632F125D39F414DD7639A34D932326A24CAFB73C4F15D737E81AB9AA6EF28D8834104

Function 002E242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f11f595070ad42e6913cc9706edb1e207a1cf6e222fbcc71f7c13d742ac579c0
Instruction ID: 09602bdf30d45eb30b1e2cd526145bef3a89c154ed070580ed83eb729808cbbc
Opcode Fuzzy Hash: f11f595070ad42e6913cc9706edb1e207a1cf6e222fbcc71f7c13d742ac579c0
Instruction Fuzzy Hash: F2B1E124E6AF414DD3239A398831336B65CAFBB2D5F91D71BFC2678E22FB2195834141

Function 00314C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00314C4A

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: ba1391d85a3487288b9f1a0e701d2d1aa970b6cb9cc2431eed910cd05204ef40
Instruction ID: bf3f8766dfe6861522a826e6ba3852aa31e0a038745eb73d96285a0742b4df44
Opcode Fuzzy Hash: ba1391d85a3487288b9f1a0e701d2d1aa970b6cb9cc2431eed910cd05204ef40
Instruction Fuzzy Hash: 6DD05EA116520938FC1E0720AE0FFFB010DE308792FD9814971028A0C1EC805CC05070

Function 003087B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00308389), ref: 003087D1

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 9cbfea4c9d486d9b24c1f650519e7f9e684ed805390135369ffddd1643d6eddb
Instruction ID: 7e8cffc4314bf0208a5ba84b45077ce49b78128ed2aecf75a0599bd3b81df12d
Opcode Fuzzy Hash: 9cbfea4c9d486d9b24c1f650519e7f9e684ed805390135369ffddd1643d6eddb
Instruction Fuzzy Hash: 44D05E3226450EAFEF018EA8DC01EBE3B69EB04B01F808111FE15C50A1C775D835AB60

Function 002DA124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 002DA12A

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 03043a7410e53940a725b58533d84a20d40fb93638d3cd7ec20f3c1c6a6cfb03
Instruction ID: 1296c07643a400fc1a766fef6e994c21e0e39c9232b124cae55da57f41e4ad31
Opcode Fuzzy Hash: 03043a7410e53940a725b58533d84a20d40fb93638d3cd7ec20f3c1c6a6cfb03
Instruction Fuzzy Hash: 86A0123000010CAB8A011B41EC044457F5CD6012A0F404020F40C41021873254104580

Function 002C8808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0525651c50c03d6151377e6da7ba1d025736814f6de58aac02680e035b2ce035
Instruction ID: b12b6a2fd16b7c57b23680118afe11a4ce03cfb393e53060b38469a58af43951
Opcode Fuzzy Hash: 0525651c50c03d6151377e6da7ba1d025736814f6de58aac02680e035b2ce035
Instruction Fuzzy Hash: 85224430624517CBDF2A8E28C4A4B7DB7A5FF01304F29C66ED9468B9D2DB709DA1CB41

Function 002D21C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 4e3e19bca9b13110ec72f11874b9b3ee3f6a45803d921c290c2fedf87be5dedf
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 44C185322251934ADB6D4A39843453EFAA15EB27B131A075FD8B3DB6D4EF20CD39D620

Function 002D25FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: b249df14c53e36a423b5e3518c17bd6ffdb761fbbb86f0bb43498c5b5d4ee35f
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: D2C1863222519349DF2D4A39C43413EFAA15EA27B132A076FD4B2DB6D5EF10CD39D660

Function 002D1978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 0e32be9daf88620cc8a5891c26c8758e048869feda8c7f539465a823ce6ae3fc
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 1EC1743222519319DF2D4A39C47413EBAA25EA2BB131A075FD4B3CBAD5EF20CD75D620

Function 00327806 Relevance: 79.2, APIs: 40, Strings: 5, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0032785B
DeleteObject.GDI32(00000000), ref: 0032786D
DestroyWindow.USER32 ref: 0032787B
GetDesktopWindow.USER32 ref: 00327895
GetWindowRect.USER32(00000000), ref: 0032789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 003279DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 003279ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00327A35
GetClientRect.USER32(00000000,?), ref: 00327A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00327A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00327A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00327AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00327ABB
GlobalLock.KERNEL32(00000000), ref: 00327AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00327AD3
GlobalUnlock.KERNEL32(00000000), ref: 00327ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00327AE3
GlobalFree.KERNEL32(00000000), ref: 00327AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00327B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00342CAC,00000000), ref: 00327B16
GlobalFree.KERNEL32(00000000), ref: 00327B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00327B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00327B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00327B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00327D7A

Strings

@U=u, xrefs: 00327B6B, 00327CFA
AutoIt v3, xrefs: 00327A2D
DISPLAY, xrefs: 00327BDD
static, xrefs: 00327A75, 00327BCC
, xrefs: 00327D00

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $@U=u$AutoIt v3$DISPLAY$static
API String ID: 2211948467-3613752883
Opcode ID: 3b32a5759970379beabfc474944fd2823228e4d7d6602dda67b303bb04e19434
Instruction ID: 4820b5e45e2f02cb4e78e213bf59d4baa87a001b83449700074cfff72dbb558d
Opcode Fuzzy Hash: 3b32a5759970379beabfc474944fd2823228e4d7d6602dda67b303bb04e19434
Instruction Fuzzy Hash: 71026A71910215EFDB16DFA8EC89EAE7BB9FF48310F508158F915AB2A1C770AD41CB60

Function 0033A5DA Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0033A630
GetSysColorBrush.USER32(0000000F), ref: 0033A661
GetSysColor.USER32(0000000F), ref: 0033A66D
SetBkColor.GDI32(?,000000FF), ref: 0033A687
SelectObject.GDI32(?,00000000), ref: 0033A696
InflateRect.USER32(?,000000FF,000000FF), ref: 0033A6C1
GetSysColor.USER32(00000010), ref: 0033A6C9
CreateSolidBrush.GDI32(00000000), ref: 0033A6D0
FrameRect.USER32(?,?,00000000), ref: 0033A6DF
DeleteObject.GDI32(00000000), ref: 0033A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 0033A731
FillRect.USER32(?,?,00000000), ref: 0033A763
GetWindowLongW.USER32(?,000000F0), ref: 0033A78E

Part of subcall function 0033A8CA: GetSysColor.USER32(00000012), ref: 0033A903
Part of subcall function 0033A8CA: SetTextColor.GDI32(?,?), ref: 0033A907
Part of subcall function 0033A8CA: GetSysColorBrush.USER32(0000000F), ref: 0033A91D
Part of subcall function 0033A8CA: GetSysColor.USER32(0000000F), ref: 0033A928
Part of subcall function 0033A8CA: GetSysColor.USER32(00000011), ref: 0033A945
Part of subcall function 0033A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0033A953
Part of subcall function 0033A8CA: SelectObject.GDI32(?,00000000), ref: 0033A964
Part of subcall function 0033A8CA: SetBkColor.GDI32(?,00000000), ref: 0033A96D
Part of subcall function 0033A8CA: SelectObject.GDI32(?,?), ref: 0033A97A
Part of subcall function 0033A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0033A999
Part of subcall function 0033A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0033A9B0
Part of subcall function 0033A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0033A9C5
Part of subcall function 0033A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0033A9ED

Strings

@U=u, xrefs: 0033A7B8

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID: @U=u
API String ID: 3521893082-2594219639
Opcode ID: c9e8f7650ef9c51961b65cc32fdef3ce987d47fc037450bae70e6f20b4c9f8c6
Instruction ID: 16edd0fcd4ce6584c37255f21f87258863aef322227246ded3a0e2d73c1e0864
Opcode Fuzzy Hash: c9e8f7650ef9c51961b65cc32fdef3ce987d47fc037450bae70e6f20b4c9f8c6
Instruction Fuzzy Hash: B2917B72808701FFD7129F64DC88A5BBBADFF89321F500B29F9A2961A0D771D944CB52

Function 0033356B Relevance: 52.9, APIs: 6, Strings: 24, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0033F910), ref: 00333627
IsWindowVisible.USER32(?), ref: 0033364B

Strings

SHOWDROPDOWN, xrefs: 003336E0
GETCURRENTLINE, xrefs: 003338ED
CHECK, xrefs: 0033386D
GETCURRENTSELECTION, xrefs: 003337E3
EDITPASTE, xrefs: 0033395F
ADDSTRING, xrefs: 00333716
SETCURRENTSELECTION, xrefs: 003337B6
GETSELECTED, xrefs: 003338A3
UNCHECK, xrefs: 00333883
ISVISIBLE, xrefs: 00333637
SELECTSTRING, xrefs: 00333806
HIDEDROPDOWN, xrefs: 00333700
ISCHECKED, xrefs: 00333839
GETCURRENTCOL, xrefs: 00333928
TABLEFT, xrefs: 00333687
DELSTRING, xrefs: 00333749
@U=u, xrefs: 003338E3, 0033390A, 00333993
ISENABLED, xrefs: 0033366B
CURRENTTAB, xrefs: 003336BD
GETLINE, xrefs: 0033399B
FINDSTRING, xrefs: 00333776
GETLINECOUNT, xrefs: 003338C6
SENDCOMMANDID, xrefs: 003339DA
TABRIGHT, xrefs: 0033369D

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: @U=u$ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-3469695742
Opcode ID: efa7dcb01bb4eca1b386934548603f4a78d686e221f73efe355a0939f63f7285
Instruction ID: c7abc9458f43a0caf0e2a7854b274f7f1c2d5efb9b792ac4a8e194dfc76b4705
Opcode Fuzzy Hash: efa7dcb01bb4eca1b386934548603f4a78d686e221f73efe355a0939f63f7285
Instruction Fuzzy Hash: D0D1A1342183019FCB06EF10C4D2BAE77A9AF95394F058459F9825B7E2CB31EE5ACB41

Function 002B2C18 Relevance: 51.2, APIs: 27, Strings: 2, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 002B2CA2
DeleteObject.GDI32(00000000), ref: 002B2CE8
DeleteObject.GDI32(00000000), ref: 002B2CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 002B2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 002B2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 002EC43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 002EC474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 002EC89D

Part of subcall function 002B1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002B2036,?,00000000,?,?,?,?,002B16CB,00000000,?), ref: 002B1B9A

SendMessageW.USER32(?,00001053), ref: 002EC8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 002EC8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 002EC907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 002EC912

Strings

0, xrefs: 002EC731
@U=u, xrefs: 002EC43B, 002EC542, 002EC81D

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0$@U=u
API String ID: 464785882-975001249
Opcode ID: c72178c61b0725262d65f6b98bd07c02c212a7885bb102876f280b15463ded5f
Instruction ID: e10b30bca5ad7525c034ebaec18eccea32d49e7866f922b659910cf8d9669599
Opcode Fuzzy Hash: c72178c61b0725262d65f6b98bd07c02c212a7885bb102876f280b15463ded5f
Instruction Fuzzy Hash: EA12BD30660242EFDB15CF25C884BA9BBE5FF45340FA4456AF895DB262C731E866CF90

Function 003274AB Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 003274DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0032759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 003275DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 003275ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00327633
GetClientRect.USER32(00000000,?), ref: 0032763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00327683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00327692
GetStockObject.GDI32(00000011), ref: 003276A2
SelectObject.GDI32(00000000,00000000), ref: 003276A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 003276B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003276BF
DeleteDC.GDI32(00000000), ref: 003276C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003276F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 0032770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00327746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0032775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 0032776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0032779B
GetStockObject.GDI32(00000011), ref: 003277A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 003277B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 003277BB

Strings

@U=u, xrefs: 003276FA
AutoIt v3, xrefs: 0032762B
DISPLAY, xrefs: 00327688
msctls_progress32, xrefs: 0032773C
static, xrefs: 0032767D, 00327795

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-2771358697
Opcode ID: fca24822a71fce80bc5c5d5159b01c214a9989a847982036ed78a6de6a316068
Instruction ID: 9682c3bd4f4818fc2a8140b20d69da9e1c9aac810f2400ff67b9a97cebe3beb2
Opcode Fuzzy Hash: fca24822a71fce80bc5c5d5159b01c214a9989a847982036ed78a6de6a316068
Instruction Fuzzy Hash: 04A184B1A10615BFEB15DBA4DC8AFAEBB7DEB05710F108114FA14A72E1C7B0AD40CB60

Function 0033A8CA Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0033A903
SetTextColor.GDI32(?,?), ref: 0033A907
GetSysColorBrush.USER32(0000000F), ref: 0033A91D
GetSysColor.USER32(0000000F), ref: 0033A928
CreateSolidBrush.GDI32(?), ref: 0033A92D
GetSysColor.USER32(00000011), ref: 0033A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0033A953
SelectObject.GDI32(?,00000000), ref: 0033A964
SetBkColor.GDI32(?,00000000), ref: 0033A96D
SelectObject.GDI32(?,?), ref: 0033A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 0033A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0033A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 0033A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0033A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0033AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 0033AA32
DrawFocusRect.USER32(?,?), ref: 0033AA3D
GetSysColor.USER32(00000011), ref: 0033AA4B
SetTextColor.GDI32(?,00000000), ref: 0033AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0033AA67
SelectObject.GDI32(?,0033A5FA), ref: 0033AA7E
DeleteObject.GDI32(?), ref: 0033AA89
SelectObject.GDI32(?,?), ref: 0033AA8F
DeleteObject.GDI32(?), ref: 0033AA94
SetTextColor.GDI32(?,?), ref: 0033AA9A
SetBkColor.GDI32(?,?), ref: 0033AAA4

Strings

@U=u, xrefs: 0033A9ED

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID: @U=u
API String ID: 1996641542-2594219639
Opcode ID: b37c59260c50faccf7a9b0dcfa885cac61eceb888d9d843ca6477878f4452437
Instruction ID: 4aa0d132de92e6f1e833e45c85cb46cfe43b5f545541eb7f5ecaadf3ed48a6b8
Opcode Fuzzy Hash: b37c59260c50faccf7a9b0dcfa885cac61eceb888d9d843ca6477878f4452437
Instruction Fuzzy Hash: 6E512B71D00608FFDB129FA4DC89EAEBBB9EF08320F514625F911AB2A1D7759940DF90

Function 0031AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0031AD1E
GetDriveTypeW.KERNEL32(?,0033FAC0,?,\\.\,0033F910), ref: 0031ADFB
SetErrorMode.KERNEL32(00000000,0033FAC0,?,\\.\,0033F910), ref: 0031AF59

Strings

Unknown, xrefs: 0031AE1B, 0031AEBF
USB, xrefs: 0031AEF0
CDROM, xrefs: 0031AE2F
Removable, xrefs: 0031AE4D
Fibre, xrefs: 0031AEE9
SSA, xrefs: 0031AEE2
Virtual, xrefs: 0031AF21
Network, xrefs: 0031AE39
RAID, xrefs: 0031AEF7
1394, xrefs: 0031AEDB
SCSI, xrefs: 0031AEC6
SATA, xrefs: 0031AF0C
\\.\, xrefs: 0031AD70
ATA, xrefs: 0031AED4
iSCSI, xrefs: 0031AEFE
Fixed, xrefs: 0031AE43
PhysicalDrive, xrefs: 0031ADA7
SSD, xrefs: 0031AE86
SAS, xrefs: 0031AF05
FileBackedVirtual, xrefs: 0031AF28
RAMDisk, xrefs: 0031AE25
MMC, xrefs: 0031AF1A
ATAPI, xrefs: 0031AECD

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 77ece4d477ccbe5b5605c02a716f9b335c0cc3f5ed080c2518dc60dc702cf760
Instruction ID: 9902a431d96a7af0046d5ccc70534120b7db441fc0d067162adbb2c5175ae01e
Opcode Fuzzy Hash: 77ece4d477ccbe5b5605c02a716f9b335c0cc3f5ed080c2518dc60dc702cf760
Instruction Fuzzy Hash: 4251B4B064AA059B8B1BEB50CD92CFD7364EF4C702B208157E807A76D4CA30DD96DB52

Function 00339A1C Relevance: 44.2, APIs: 23, Strings: 2, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00339AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00339B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00339BA7

Strings

@U=u, xrefs: 00339B8B, 00339BA7, 00339D23, 00339D56, 00339DB6, 00339E00, 00339E60, 00339E84, 00339F40
0, xrefs: 00339BE4

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0$@U=u
API String ID: 2326795674-975001249
Opcode ID: fbba4fa58a0cdc96e5c59c894e4357c5e5abfc969485a8f7d45ea8d82a83e26d
Instruction ID: 460fb7ac69d2180f9ccbc2ab67a877d8ce7a468634969104ca6a2f7514e44d38
Opcode Fuzzy Hash: fbba4fa58a0cdc96e5c59c894e4357c5e5abfc969485a8f7d45ea8d82a83e26d
Instruction Fuzzy Hash: DF02AF30508301EFD726CF14C8C9BAABBE9FF49315F04452EF999962A1C7B5D944CB52

Function 002B68DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 002B6931
__wcsnicmp.LIBCMT ref: 002B6949
__wcsnicmp.LIBCMT ref: 002B6961
__wcsnicmp.LIBCMT ref: 002B6979
__wcsnicmp.LIBCMT ref: 002B6991
__wcsnicmp.LIBCMT ref: 002B69A9
__wcsnicmp.LIBCMT ref: 002B69C1
__wcsnicmp.LIBCMT ref: 002B69D5
__wcsnicmp.LIBCMT ref: 002B6A16
__wcsnicmp.LIBCMT ref: 002B6A2A
__wcsnicmp.LIBCMT ref: 002B6A3E
__wcsnicmp.LIBCMT ref: 002B6A52

Strings

#include, xrefs: 002B69A3
#notrayicon, xrefs: 002B6943
#cs, xrefs: 002B69CF, 002B6A24
#requireadmin, xrefs: 002B695B
Bad directive syntax error, xrefs: 002EE31A
#OnAutoItStartRegister, xrefs: 002B6973
#pragma compile, xrefs: 002B692B
#ce, xrefs: 002B6A4C
Unterminated group of comments, xrefs: 002EE403
#include-once, xrefs: 002B698B
#comments-start, xrefs: 002B69BB, 002B6A10
#comments-end, xrefs: 002B6A38
Cannot parse #include, xrefs: 002EE3F0

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: c2d7370958c159f2289ee318d7a2c9b334c8ae117b9a9a3367e2c1953abb5c0e
Instruction ID: 87e24167dbfe78e1703c5fd8f42db45d0bab70a28854911c0ad2f9107257e725
Opcode Fuzzy Hash: c2d7370958c159f2289ee318d7a2c9b334c8ae117b9a9a3367e2c1953abb5c0e
Instruction Fuzzy Hash: A2815CB06606066ADF21AF61DC57FFF7768AF04780F444025F805AA1D2EBB4DD35CAA1

Function 003389D5 Relevance: 40.7, APIs: 21, Strings: 2, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00338AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00338AD2
CharNextW.USER32(0000014E), ref: 00338B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00338B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00338B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00338B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00338B86
SetWindowTextW.USER32(?,0000014E), ref: 00338BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00338BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00338C1F
_memset.LIBCMT ref: 00338C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00338C8D
_memset.LIBCMT ref: 00338CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00338D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00338D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00338E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00338E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00338E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00338EB4
DrawMenuBar.USER32(?), ref: 00338EC3
SetWindowTextW.USER32(?,0000014E), ref: 00338EEB

Strings

@U=u, xrefs: 00338AC1, 00338AD2, 00338B07, 00338B86, 00338BEE, 00338C1F, 00338C8D, 00338D16, 00338D6E, 00338E1B
0, xrefs: 00338E55

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0$@U=u
API String ID: 1073566785-975001249
Opcode ID: 519a7326e754c3ee8e0b9fc7b0bb5b035bd0512040b3f2373da76c226318fa97
Instruction ID: deeb95afc373147495917652ac4e324099f36525f9fa6b4201535ce7d87964c2
Opcode Fuzzy Hash: 519a7326e754c3ee8e0b9fc7b0bb5b035bd0512040b3f2373da76c226318fa97
Instruction Fuzzy Hash: ADE15EB1900309AFDF229F64CCC5EEEBBB9EF05710F118156F915AA290DB748A85DF60

Function 0033488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 003349CA
GetDesktopWindow.USER32 ref: 003349DF
GetWindowRect.USER32(00000000), ref: 003349E6
GetWindowLongW.USER32(?,000000F0), ref: 00334A48
DestroyWindow.USER32(?), ref: 00334A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00334A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00334ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00334AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00334AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00334B09
IsWindowVisible.USER32(?), ref: 00334B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00334B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00334B58
GetWindowRect.USER32(?,?), ref: 00334B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00334B96
GetMonitorInfoW.USER32(00000000,?), ref: 00334BB0
CopyRect.USER32(?,?), ref: 00334BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00334C32

Strings

(, xrefs: 00334BA3
tooltips_class32, xrefs: 00334A96
0, xrefs: 00334975

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 47ba2fd088c6bbd3f394760a73d11f25636e3d4691307463980c153159af25a6
Instruction ID: b5a98523a172e8b490fdedf613bdf3ed11803d7609422a444728e52255f4d7fb
Opcode Fuzzy Hash: 47ba2fd088c6bbd3f394760a73d11f25636e3d4691307463980c153159af25a6
Instruction Fuzzy Hash: 75B19A70608340AFDB05DF64C885B6ABBE8FF88344F008A1DF9999B2A1D771EC45CB95

Function 0031449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 003144AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 003144D2
_wcscpy.LIBCMT ref: 00314500
_wcscmp.LIBCMT ref: 0031450B
_wcscat.LIBCMT ref: 00314521
_wcsstr.LIBCMT ref: 0031452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00314548
_wcscat.LIBCMT ref: 00314591
_wcscat.LIBCMT ref: 00314598
_wcsncpy.LIBCMT ref: 003145C3

Strings

04090000, xrefs: 0031457E
%u.%u.%u.%u, xrefs: 00314626
\VarFileInfo\Translation, xrefs: 00314540
StringFileInfo\, xrefs: 0031451B
DefaultLangCodepage, xrefs: 003145AB

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 81c06f1925bdd4aed7618717414e4ffdcc096e69e2dee98a896bd59848b01460
Instruction ID: d638eb767a438a33e86cb9bdea47580599bd34e2cdf5a6f5e3db1e7eda9ea107
Opcode Fuzzy Hash: 81c06f1925bdd4aed7618717414e4ffdcc096e69e2dee98a896bd59848b01460
Instruction Fuzzy Hash: CA41F531A10200BBDB16EB74CC47EFF776CDF4A710F40456BF904E6292EA359E219AA5

Function 002B27D9 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002B28BC
GetSystemMetrics.USER32(00000007), ref: 002B28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002B28EF
GetSystemMetrics.USER32(00000008), ref: 002B28F7
GetSystemMetrics.USER32(00000004), ref: 002B291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002B2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 002B2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 002B297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 002B2990
GetClientRect.USER32(00000000,000000FF), ref: 002B29AE
GetStockObject.GDI32(00000011), ref: 002B29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 002B29D5

Part of subcall function 002B2344: GetCursorPos.USER32(?), ref: 002B2357
Part of subcall function 002B2344: ScreenToClient.USER32(003757B0,?), ref: 002B2374
Part of subcall function 002B2344: GetAsyncKeyState.USER32(00000001), ref: 002B2399
Part of subcall function 002B2344: GetAsyncKeyState.USER32(00000002), ref: 002B23A7

SetTimer.USER32(00000000,00000000,00000028,002B1256), ref: 002B29FC

Strings

@U=u, xrefs: 002B29D5
AutoIt v3 GUI, xrefs: 002B2974

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: @U=u$AutoIt v3 GUI
API String ID: 1458621304-2077007950
Opcode ID: 93359bb10bea974e938c02da9389cac0f533d7e9ec1d802b5af95e8ffbf8e0b9
Instruction ID: f60d1caf5bada9250eddb81529b4a19e4052b73a6e9dc85c4df4a120e0d3cfb7
Opcode Fuzzy Hash: 93359bb10bea974e938c02da9389cac0f533d7e9ec1d802b5af95e8ffbf8e0b9
Instruction Fuzzy Hash: 4CB18F71A1020AEFDB15DFA8CC85BED7BB8FB08351F504129FA19A72A0DB749861CF50

Function 0033C5FE Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 002B2612: GetWindowLongW.USER32(?,000000EB), ref: 002B2623

DragQueryPoint.SHELL32(?,?), ref: 0033C627

Part of subcall function 0033AB37: ClientToScreen.USER32(?,?), ref: 0033AB60
Part of subcall function 0033AB37: GetWindowRect.USER32(?,?), ref: 0033ABD6
Part of subcall function 0033AB37: PtInRect.USER32(?,?,0033C014), ref: 0033ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 0033C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0033C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0033C6BE
_wcscat.LIBCMT ref: 0033C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0033C705
SendMessageW.USER32(?,000000B0,?,?), ref: 0033C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 0033C735
SendMessageW.USER32(?,000000B1,?,?), ref: 0033C757
DragFinish.SHELL32(?), ref: 0033C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0033C851

Strings

@GUI_DRAGFILE, xrefs: 0033C800
@U=u, xrefs: 0033C690, 0033C705, 0033C71E, 0033C735, 0033C757
pb7, xrefs: 0033C79B
@GUI_DRAGID, xrefs: 0033C7C9
@GUI_DROPID, xrefs: 0033C77E

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u$pb7
API String ID: 169749273-2873430763
Opcode ID: 8eeed1d3ead24d0649e24a0092c04a55d1de7f11e70bce502c65f971fbca4427
Instruction ID: 4fd256950431f319844973d1edbc728ec0981dbdef70a333f1c554e06f20afbe
Opcode Fuzzy Hash: 8eeed1d3ead24d0649e24a0092c04a55d1de7f11e70bce502c65f971fbca4427
Instruction Fuzzy Hash: C3617B71508301AFC702EF64CC85DAFBBF8EF89750F40492EF595961A1DB709A49CB52

Function 0033BA33 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 0033BA56
GetFileSize.KERNEL32(00000000,00000000), ref: 0033BA6D
GlobalAlloc.KERNEL32(00000002,00000000), ref: 0033BA78
CloseHandle.KERNEL32(00000000), ref: 0033BA85
GlobalLock.KERNEL32(00000000), ref: 0033BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0033BA9D
GlobalUnlock.KERNEL32(00000000), ref: 0033BAA6
CloseHandle.KERNEL32(00000000), ref: 0033BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0033BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00342CAC,?), ref: 0033BAD7
GlobalFree.KERNEL32(00000000), ref: 0033BAE7
GetObjectW.GDI32(?,00000018,000000FF), ref: 0033BB0B
CopyImage.USER32(?,00000000,?,?,00002000), ref: 0033BB36
DeleteObject.GDI32(00000000), ref: 0033BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0033BB74

Strings

@U=u, xrefs: 0033BB74

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID: @U=u
API String ID: 3840717409-2594219639
Opcode ID: 9174630da458fe190ec0d0d922bbbbc01a87d2c8eb129f4148faaf151855a40f
Instruction ID: f4f901b505991855402bbd5b146f113743ce9dc532ab751c773cc4cf709fd03e
Opcode Fuzzy Hash: 9174630da458fe190ec0d0d922bbbbc01a87d2c8eb129f4148faaf151855a40f
Instruction Fuzzy Hash: 09410975A00204EFDB129F65DC88EABBBBCEF89711F514069F909DB260DB309E41DB60

Function 0030A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0030A47A
__swprintf.LIBCMT ref: 0030A51B
_wcscmp.LIBCMT ref: 0030A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0030A583
_wcscmp.LIBCMT ref: 0030A5BF
GetClassNameW.USER32(?,?,00000400), ref: 0030A5F6
GetDlgCtrlID.USER32(?), ref: 0030A648
GetWindowRect.USER32(?,?), ref: 0030A67E
GetParent.USER32(?), ref: 0030A69C
ScreenToClient.USER32(00000000), ref: 0030A6A3
GetClassNameW.USER32(?,?,00000100), ref: 0030A71D
_wcscmp.LIBCMT ref: 0030A731
GetWindowTextW.USER32(?,?,00000400), ref: 0030A757
_wcscmp.LIBCMT ref: 0030A76B

Part of subcall function 002D362C: _iswctype.LIBCMT ref: 002D3634

Strings

%s%u, xrefs: 0030A515

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 6067c4c36cee3620b8a3e17e70b8ec447738e404dd95e6c08e2ea1765bc4cffe
Instruction ID: c80cd3db7f2c49a273a28630ab99ae0c2fba484cd6afefd53f0a2cc3cedff2fe
Opcode Fuzzy Hash: 6067c4c36cee3620b8a3e17e70b8ec447738e404dd95e6c08e2ea1765bc4cffe
Instruction Fuzzy Hash: A4A10131205B06AFC71ADF60D894FEAB7E8FF44754F008629F999D2190DB30E955CB92

Function 0030AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0030AF18
_wcscmp.LIBCMT ref: 0030AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 0030AF51
CharUpperBuffW.USER32(?,00000000), ref: 0030AF6E
_wcscmp.LIBCMT ref: 0030AF8C
_wcsstr.LIBCMT ref: 0030AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 0030AFD5
_wcscmp.LIBCMT ref: 0030AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 0030B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 0030B055
_wcscmp.LIBCMT ref: 0030B065
GetClassNameW.USER32(00000010,?,00000400), ref: 0030B08D
GetWindowRect.USER32(00000004,?), ref: 0030B0F6

Strings

@, xrefs: 0030AEF9
ThumbnailClass, xrefs: 0030AFE0, 0030B060

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 3bfc30a145d81c68cabaf523e75f5421ab94128816049fe0ac061bcec0016300
Instruction ID: c1707f76b08e0862bd7356b0f66dcb9c036275441a0c8939dbcbd1d7ad7637c0
Opcode Fuzzy Hash: 3bfc30a145d81c68cabaf523e75f5421ab94128816049fe0ac061bcec0016300
Instruction Fuzzy Hash: CA81BF711093069FDB06DF14D8A1FAABBE8EF44354F04846AFD859A0D5DB30DD89CBA2

Function 0033A1B9 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0033A259
DestroyWindow.USER32(?,?), ref: 0033A2D3

Part of subcall function 002B7BCC: _memmove.LIBCMT ref: 002B7C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0033A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0033A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0033A382
DestroyWindow.USER32(00000000), ref: 0033A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,002B0000,00000000), ref: 0033A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0033A3F4
GetDesktopWindow.USER32 ref: 0033A40D
GetWindowRect.USER32(00000000), ref: 0033A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0033A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0033A444

Part of subcall function 002B25DB: GetWindowLongW.USER32(?,000000EB), ref: 002B25EC

Strings

0, xrefs: 0033A26F
@U=u, xrefs: 0033A36F, 0033A382, 0033A3F4, 0033A41E
tooltips_class32, xrefs: 0033A346, 0033A3D4

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$@U=u$tooltips_class32
API String ID: 1297703922-1130792468
Opcode ID: ea7470a0cce9857f0b87242a11000a2de1a24548d2bbfab09f544451067a9958
Instruction ID: 515c79250a6bd0b46a1ae443a7fdd44a55201ab7945bc3ebda07cacb5905a72a
Opcode Fuzzy Hash: ea7470a0cce9857f0b87242a11000a2de1a24548d2bbfab09f544451067a9958
Instruction Fuzzy Hash: 5371AC71640704AFD726CF28CC89FAA7BE9FB88304F45452DF985872A0C7B0E942CB52

Function 0030ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0030AC33

Strings

[ACTIVE, xrefs: 0030AC20
[HANDLE:, xrefs: 0030AC3F
[REGEXPTITLE:, xrefs: 0030AC5B
LAST, xrefs: 0030ABF8
REGEXP=, xrefs: 0030AC48
[CLASS:, xrefs: 0030AC83
[LAST, xrefs: 0030ACE0
[ALL, xrefs: 0030ACD9
ALL, xrefs: 0030ACC7
CLASSNAME=, xrefs: 0030AC70
ACTIVE, xrefs: 0030AC0E
HANDLE=, xrefs: 0030AC2C

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: dbbf4fcac0ac82de93e7c7e5f44606cafcb8448b58ecdedd82259a6318980baf
Instruction ID: bdb81021636b8cc4a13f700396f725b996a057cdaa976e53da1970efc74dc0b3
Opcode Fuzzy Hash: dbbf4fcac0ac82de93e7c7e5f44606cafcb8448b58ecdedd82259a6318980baf
Instruction Fuzzy Hash: AD31C530558705A7EA16FBA0ED13EEE77689F10794F604429F401B12D5EF516F24CE52

Function 00324FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00325013
LoadCursorW.USER32(00000000,00007F00), ref: 0032501E
LoadCursorW.USER32(00000000,00007F03), ref: 00325029
LoadCursorW.USER32(00000000,00007F8B), ref: 00325034
LoadCursorW.USER32(00000000,00007F01), ref: 0032503F
LoadCursorW.USER32(00000000,00007F81), ref: 0032504A
LoadCursorW.USER32(00000000,00007F88), ref: 00325055
LoadCursorW.USER32(00000000,00007F80), ref: 00325060
LoadCursorW.USER32(00000000,00007F86), ref: 0032506B
LoadCursorW.USER32(00000000,00007F83), ref: 00325076
LoadCursorW.USER32(00000000,00007F85), ref: 00325081
LoadCursorW.USER32(00000000,00007F82), ref: 0032508C
LoadCursorW.USER32(00000000,00007F84), ref: 00325097
LoadCursorW.USER32(00000000,00007F04), ref: 003250A2
LoadCursorW.USER32(00000000,00007F02), ref: 003250AD
LoadCursorW.USER32(00000000,00007F89), ref: 003250B8
GetCursorInfo.USER32(?), ref: 003250C8

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 9bac4798a59032d773152c8764420437d0be4d3e1d22a4dc4c8ec42277d85646
Instruction ID: a2559251cc93b03a61d0604de0928d268dff9288133f3a4dc7fb26cf5bc3ebe0
Opcode Fuzzy Hash: 9bac4798a59032d773152c8764420437d0be4d3e1d22a4dc4c8ec42277d85646
Instruction Fuzzy Hash: 9231D2B1D483196ADF119FB69C899AEBFE8FF04750F50452AE50DE7280DA78A500CFA1

Function 00334392 Relevance: 24.8, APIs: 2, Strings: 12, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00334424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0033446F

Strings

EXISTS, xrefs: 003344D8
GETTOTALCOUNT, xrefs: 00334456
COLLAPSE, xrefs: 003344B5
GETTEXT, xrefs: 003345C2
CHECK, xrefs: 0033448F
EXPAND, xrefs: 00334521
GETITEMCOUNT, xrefs: 00334551
@U=u, xrefs: 0033446F
GETSELECTED, xrefs: 0033457F
UNCHECK, xrefs: 0033464B
ISCHECKED, xrefs: 003345F2
SELECT, xrefs: 00334620

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-383632319
Opcode ID: 0cf13e15ee60fc3f46f108d8b059f3b81a094035a68bf117680483fad6f23aac
Instruction ID: 5f7a3220c4f6db6349a0cdbde2a40bd512e9a87168f72e9cc74220f2094b2f93
Opcode Fuzzy Hash: 0cf13e15ee60fc3f46f108d8b059f3b81a094035a68bf117680483fad6f23aac
Instruction Fuzzy Hash: 28919E742143019FCB05EF10C492BAEB7E5AF96390F058869F9925B7A2CB30FD59CB81

Function 0033B7FE Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0033B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00336B11,?), ref: 0033B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0033B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0033B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0033B9C3
FreeLibrary.KERNEL32(?), ref: 0033B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0033B9DF
DestroyIcon.USER32(?), ref: 0033B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0033BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0033BA17

Part of subcall function 002D2EFD: __wcsicmp_l.LIBCMT ref: 002D2F86

Strings

.icl, xrefs: 0033B82A
@U=u, xrefs: 0033B9F7
.exe, xrefs: 0033B84A
.dll, xrefs: 0033B86D

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl$@U=u
API String ID: 1212759294-1639919054
Opcode ID: 28b7bbaa14a77ea5649d1e18f22b20953e2ac4c81a34230c5ce0e9bf51a2f71f
Instruction ID: e9574b9ccebfb864ce0802afacbea693d5a44fb3dfbecb9833788bc962e81478
Opcode Fuzzy Hash: 28b7bbaa14a77ea5649d1e18f22b20953e2ac4c81a34230c5ce0e9bf51a2f71f
Instruction Fuzzy Hash: 7761DF71900219FEEB16DF64CC81FBEBBACEB08710F108516FA15DA1D1DB75A990DBA0

Function 0031A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 002B9837: __itow.LIBCMT ref: 002B9862
Part of subcall function 002B9837: __swprintf.LIBCMT ref: 002B98AC

CharLowerBuffW.USER32(?,?), ref: 0031A3CB
GetDriveTypeW.KERNEL32 ref: 0031A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0031A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0031A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0031A4C5

Part of subcall function 002B7BCC: _memmove.LIBCMT ref: 002B7C06

Strings

set cd door , xrefs: 0031A466
closed, xrefs: 0031A3DF, 0031A3E8
close, xrefs: 0031A3D1
close cd wait, xrefs: 0031A4B0
type cdaudio alias cd wait, xrefs: 0031A443
open, xrefs: 0031A3F2
wait, xrefs: 0031A482
open , xrefs: 0031A427

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 90ceae1f2018c239dd6c833023047f80957a856f1a87785c38ccacec3c6b6545
Instruction ID: 165cf7736a737f02faa28d2eedc5bc1b2ad6fcfb070d36ea4bd69aaac8bddc73
Opcode Fuzzy Hash: 90ceae1f2018c239dd6c833023047f80957a856f1a87785c38ccacec3c6b6545
Instruction Fuzzy Hash: EB518E711147049FC705EF20C8819AAB7F8EF98758F00896DF896972A1DB31ED5ACF82

Function 0030F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,002EE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0030F8DF
LoadStringW.USER32(00000000,?,002EE029,00000001), ref: 0030F8E8

Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,002EE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0030F90A
LoadStringW.USER32(00000000,?,002EE029,00000001), ref: 0030F90D
__swprintf.LIBCMT ref: 0030F95D
__swprintf.LIBCMT ref: 0030F96E
_wprintf.LIBCMT ref: 0030FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0030FA2E

Strings

Line %d (File "%s"):, xrefs: 0030F957
Error: , xrefs: 0030F9E5
^ ERROR, xrefs: 0030F9C3
%s (%d) : ==> %s: %s %s, xrefs: 0030FA12
Line %d:, xrefs: 0030F968

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 1327bd096a5db0f788ed318c494a64cee328a6fa27f29426edc102fa35e63eaa
Instruction ID: 183d179a350bc18c9d657d2deab512bb69d4cf9a295501338ce276c5b795c0e3
Opcode Fuzzy Hash: 1327bd096a5db0f788ed318c494a64cee328a6fa27f29426edc102fa35e63eaa
Instruction Fuzzy Hash: 08416B72910219AACF15FBE0CD96EEEB77CAF58340F500065F505B6092EB316F29CEA1

Function 0031D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0031DA10
_wcscat.LIBCMT ref: 0031DA28
_wcscat.LIBCMT ref: 0031DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0031DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 0031DA63
GetFileAttributesW.KERNEL32(?), ref: 0031DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 0031DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 0031DAA7

Strings

*.*, xrefs: 0031DAE6

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: f63f709f7cfe62ca4ea7315e9522a8c3027434b89a19321be6d2a8cef4bc2e5a
Instruction ID: 3aaf4ac7d4fe862784481884a06e11b327513ca4f748bd311a0a1ff51f722f8a
Opcode Fuzzy Hash: f63f709f7cfe62ca4ea7315e9522a8c3027434b89a19321be6d2a8cef4bc2e5a
Instruction Fuzzy Hash: 8A8193715042459FCB29DF64C8449EEB7E8AF8E350F15892EF88ACB251E734ED84CB52

Function 0033C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002B2612: GetWindowLongW.USER32(?,000000EB), ref: 002B2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0033C1FC
GetFocus.USER32 ref: 0033C20C
GetDlgCtrlID.USER32(00000000), ref: 0033C217
_memset.LIBCMT ref: 0033C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0033C36D
GetMenuItemCount.USER32(?), ref: 0033C38D
GetMenuItemID.USER32(?,00000000), ref: 0033C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0033C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0033C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0033C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0033C489

Strings

0, xrefs: 0033C33A

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 57a5fad2f172ea4b9971a01db597abb66ec38f946ca3a13a91a45bd730a5c89d
Instruction ID: 36902af04788451f9f2073e09bea50354844a07ce210b68ec579676c715c9106
Opcode Fuzzy Hash: 57a5fad2f172ea4b9971a01db597abb66ec38f946ca3a13a91a45bd730a5c89d
Instruction Fuzzy Hash: 3E81AE70618301AFDB26DF25C8D4A6BBBE8FF88714F00592EF995A7291C770D904CB92

Function 0032731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0032738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0032739B
CreateCompatibleDC.GDI32(?), ref: 003273A7
SelectObject.GDI32(00000000,?), ref: 003273B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00327408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00327444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00327468
SelectObject.GDI32(00000006,?), ref: 00327470
DeleteObject.GDI32(?), ref: 00327479
DeleteDC.GDI32(00000006), ref: 00327480
ReleaseDC.USER32(00000000,?), ref: 0032748B

Strings

(, xrefs: 00327410

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: bbcdfeabd86e4a49b8b41e2c0cf9b247c21846c065c597212ef9faee61d6fbf3
Instruction ID: e6afa65d93d2f8d5e78195edf77b6a96e1d5a3819c267c404ff36c18cff42c05
Opcode Fuzzy Hash: bbcdfeabd86e4a49b8b41e2c0cf9b247c21846c065c597212ef9faee61d6fbf3
Instruction Fuzzy Hash: D2514975904319EFCB16CFA9DC85EAEBBB9FF48310F14852DF95997220C731A9408B90

Function 00314F75 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00314F7A

Part of subcall function 002D049F: timeGetTime.WINMM(?,753DB400,002C0E7B), ref: 002D04A3

Sleep.KERNEL32(0000000A), ref: 00314FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00314FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00314FEC
SetActiveWindow.USER32 ref: 0031500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00315019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00315038
Sleep.KERNEL32(000000FA), ref: 00315043
IsWindow.USER32 ref: 0031504F
EndDialog.USER32(00000000), ref: 00315060

Strings

BUTTON, xrefs: 00314FDE
@U=u, xrefs: 00315019, 00315038

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: @U=u$BUTTON
API String ID: 1194449130-2582809321
Opcode ID: 850fc269bbe058077f395c2098f43f76766a0d926f286c3bfd031c5769132941
Instruction ID: 3755e8d80b9b63c959a070df89cd20f72376eb05e03d8dc9dadcd21e0b442dbc
Opcode Fuzzy Hash: 850fc269bbe058077f395c2098f43f76766a0d926f286c3bfd031c5769132941
Instruction Fuzzy Hash: E921C670A00A04EFE72B5F60EDCAF663B6DEB4E755F441028F109812B1EB718DD49A61

Function 002B6A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 002D0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,002B6B0C,?,00008000), ref: 002D0973

Part of subcall function 002B4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002B4743,?,?,002B37AE,?), ref: 002B4770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 002B6BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 002B6CFA

Part of subcall function 002B586D: _wcscpy.LIBCMT ref: 002B58A5

Part of subcall function 002D363D: _iswctype.LIBCMT ref: 002D3645

Strings

Error opening the file, xrefs: 002EE43D, 002EE4B8
AU3!, xrefs: 002B6B61
EA06, xrefs: 002EE452
Bad directive syntax error, xrefs: 002EE79D
>>>AUTOIT SCRIPT<<<, xrefs: 002EE496
Unterminated string, xrefs: 002EE7E4
#include depth exceeded. Make sure there are no recursive includes, xrefs: 002EE421

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: c8113d68dfca4138433dc448ac7cf8f3ac948db4431a24ceebb54e6d684eaff0
Instruction ID: 0a29994f41960aea3a5d584020f8f3e88a170371a91e42c420f799c1b80dfb99
Opcode Fuzzy Hash: c8113d68dfca4138433dc448ac7cf8f3ac948db4431a24ceebb54e6d684eaff0
Instruction Fuzzy Hash: 2202BE301283419FCB25EF20C891AEFBBE5AF98394F54491DF489972A1DB30D969CF42

Function 00312D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00312D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00312DDD
GetMenuItemCount.USER32(00375890), ref: 00312E66
DeleteMenu.USER32(00375890,00000005,00000000,000000F5,?,?), ref: 00312EF6
DeleteMenu.USER32(00375890,00000004,00000000), ref: 00312EFE
DeleteMenu.USER32(00375890,00000006,00000000), ref: 00312F06
DeleteMenu.USER32(00375890,00000003,00000000), ref: 00312F0E
GetMenuItemCount.USER32(00375890), ref: 00312F16
SetMenuItemInfoW.USER32(00375890,00000004,00000000,00000030), ref: 00312F4C
GetCursorPos.USER32(?), ref: 00312F56
SetForegroundWindow.USER32(00000000), ref: 00312F5F
TrackPopupMenuEx.USER32(00375890,00000000,?,00000000,00000000,00000000), ref: 00312F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00312F7E

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 94261ebbb002243d8ad08c9b78e2ef3d0777616a4a171c6f086bcce40978a371
Instruction ID: 33d6fbf4583821723f445ad7599712a103199855f9004a27a319894815c32136
Opcode Fuzzy Hash: 94261ebbb002243d8ad08c9b78e2ef3d0777616a4a171c6f086bcce40978a371
Instruction Fuzzy Hash: 7871B270640205BEEB2A9F54DC85FEBBF68FF09754F100216F625AA1E1C7B158B0DBA4

Function 003288AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003288D7
CoInitialize.OLE32(00000000), ref: 00328904
CoUninitialize.OLE32 ref: 0032890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00328A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00328B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00342C0C), ref: 00328B6F
CoGetObject.OLE32(?,00000000,00342C0C,?), ref: 00328B92
SetErrorMode.KERNEL32(00000000), ref: 00328BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00328C25
VariantClear.OLEAUT32(?), ref: 00328C35

Strings

,,4, xrefs: 003288C1

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,4
API String ID: 2395222682-3600021901
Opcode ID: a50f1d511d243d59140c95b134d68331f47bc56fed69ec3e89a763f676f48180
Instruction ID: a32f086abc5696d52eefabeefedc6b5fbcc95c5b1cb56219d402d68760ed82be
Opcode Fuzzy Hash: a50f1d511d243d59140c95b134d68331f47bc56fed69ec3e89a763f676f48180
Instruction Fuzzy Hash: 2AC156B1608315AFC701DF68D88496BB7E9FF89348F00492DF98A9B261DB71ED05CB52

Function 003077DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 002B7BCC: _memmove.LIBCMT ref: 002B7C06

_memset.LIBCMT ref: 0030786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003078A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003078BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003078D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00307902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0030792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00307935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0030793A

Strings

SOFTWARE\Classes\, xrefs: 0030780C
\CLSID, xrefs: 00307822
\IPC$, xrefs: 00307882

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 7204bf3ddd634f2f5f01a1f828af662f05e75b1001d8d5fc1335a6b274585a59
Instruction ID: 62ae5003f095c7e76eedf8ee4f689fc5f27371f69f7798a8c564a7f6fcd133cc
Opcode Fuzzy Hash: 7204bf3ddd634f2f5f01a1f828af662f05e75b1001d8d5fc1335a6b274585a59
Instruction Fuzzy Hash: DF411872C24229ABCF16EBA4DC95DEDB778BF44350F444029E915A71A1DB30AD14CF90

Function 00330E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0032FDAD,?,?), ref: 00330E31

Strings

HKLM, xrefs: 00330EAF
HKEY_CURRENT_CONFIG, xrefs: 00330EEE
HKEY_LOCAL_MACHINE, xrefs: 00330E9A
HKEY_USERS, xrefs: 00330F32
HKU, xrefs: 00330F43
HKCC, xrefs: 00330EFF
HKCR, xrefs: 00330ED9
HKCU, xrefs: 00330F21
HKEY_CURRENT_USER, xrefs: 00330F10
HKEY_CLASSES_ROOT, xrefs: 00330EC4

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: a344ae604c684470aa547f707e7da2ad8bda6a39cd3c5d603438248d2fbb375e
Instruction ID: 468ec478cd3048f6b05029f8e29aac7f5ed1798dab3cc86531262dc8c1ab931e
Opcode Fuzzy Hash: a344ae604c684470aa547f707e7da2ad8bda6a39cd3c5d603438248d2fbb375e
Instruction Fuzzy Hash: 6F417E3522024A8BCF16EF10D8E5BEF3768BF51344F154456FD951B2A6DB309D2ACBA0

Function 003374BB Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0033755E
CreateCompatibleDC.GDI32(00000000), ref: 00337565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00337578
SelectObject.GDI32(00000000,00000000), ref: 00337580
GetPixel.GDI32(00000000,00000000,00000000), ref: 0033758B
DeleteDC.GDI32(00000000), ref: 00337594
GetWindowLongW.USER32(?,000000EC), ref: 0033759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 003375B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 003375BE

Strings

@U=u, xrefs: 00337578
static, xrefs: 003374F6

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: @U=u$static
API String ID: 2559357485-3553413495
Opcode ID: dddd70a0382e286491652642b922f02e9c34d4d58cc7547c046b23e0523ebe4e
Instruction ID: 567c711b97298197f372b117f8eabee360a6a697a3c2d05712a521401f598406
Opcode Fuzzy Hash: dddd70a0382e286491652642b922f02e9c34d4d58cc7547c046b23e0523ebe4e
Instruction Fuzzy Hash: CD316A72505215BFEF269F64DC89FEA3B6DEF0A361F110224FA15A60A0C735D821DBA4

Function 0030F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,002EE2A0,00000010,?,Bad directive syntax error,0033F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0030F7C2
LoadStringW.USER32(00000000,?,002EE2A0,00000010), ref: 0030F7C9

Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22

_wprintf.LIBCMT ref: 0030F7FC
__swprintf.LIBCMT ref: 0030F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0030F88D

Strings

Line %d (File "%s"):, xrefs: 0030F833
Error: , xrefs: 0030F85B
%s (%d) : ==> %s.: %s %s, xrefs: 0030F7F7
Line %d:, xrefs: 0030F818
., xrefs: 0030F873

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 5668af4853d01caaf1d94231c5625e3e45ae3c7a630aa3e9212782c3929a62c1
Instruction ID: 23f694264509e77e8eaed9fc3e1eb1302f94892b7017fee59726736bd16286a6
Opcode Fuzzy Hash: 5668af4853d01caaf1d94231c5625e3e45ae3c7a630aa3e9212782c3929a62c1
Instruction Fuzzy Hash: DE214F3195021AAFCF12EF90CC5AEED7779BF18300F044466F515661A2DA719A28DF51

Function 003152C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 002B7BCC: _memmove.LIBCMT ref: 002B7C06

Part of subcall function 002B7924: _memmove.LIBCMT ref: 002B79AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00315330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00315346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00315357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00315369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0031537A

Strings

status PlayMe mode, xrefs: 0031532B
play PlayMe wait, xrefs: 00315364
play PlayMe, xrefs: 00315375
alias PlayMe, xrefs: 00315309
open , xrefs: 003152DF
close PlayMe, xrefs: 00315341, 0031536E

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 3f69475ecd1f6cc04d22d9271b08f071bce8689b95525b9224c0488dd4d35550
Instruction ID: c34cc5947e98bd7f0daf0eb38a58661e945ff558f060dd47c4dd4adec1cfed5e
Opcode Fuzzy Hash: 3f69475ecd1f6cc04d22d9271b08f071bce8689b95525b9224c0488dd4d35550
Instruction Fuzzy Hash: AF11B220A6012979D725B761CC4AEFF7B7CEBD9B80F000929B411A20D5DEA00D55C9A0

Function 003146B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 003146D2
gethostname.WSOCK32(?,00000100), ref: 003146EC
gethostbyname.WSOCK32(?), ref: 003146F9
_wcscpy.LIBCMT ref: 00314721
_memmove.LIBCMT ref: 00314734
inet_ntoa.WSOCK32(?), ref: 0031473F
_strcat.LIBCMT ref: 0031474D
_wcscpy.LIBCMT ref: 00314764
WSACleanup.WSOCK32 ref: 00314772
_wcscpy.LIBCMT ref: 00314780

Strings

0.0.0.0, xrefs: 0031471B

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 11aff9e2c770ad469f67fd374f9858be5ead48c1f9c0d078cee320cd65c4b034
Instruction ID: 39e3e2251c313877845ab9871d91d229a04e57f24b06e61bc3c2d7331055cd55
Opcode Fuzzy Hash: 11aff9e2c770ad469f67fd374f9858be5ead48c1f9c0d078cee320cd65c4b034
Instruction Fuzzy Hash: 1411D231900114AFCB2ABB70DC8AEEA77BCEB1A711F4441B6F455961A1EF708EC18A60

Function 0031D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 002B9837: __itow.LIBCMT ref: 002B9862
Part of subcall function 002B9837: __swprintf.LIBCMT ref: 002B98AC

CoInitialize.OLE32(00000000), ref: 0031D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0031D67D
SHGetDesktopFolder.SHELL32(?), ref: 0031D691
CoCreateInstance.OLE32(00342D7C,00000000,00000001,00368C1C,?), ref: 0031D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0031D74C
CoTaskMemFree.OLE32(?,?), ref: 0031D7A4
_memset.LIBCMT ref: 0031D7E1
SHBrowseForFolderW.SHELL32(?), ref: 0031D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0031D840
CoTaskMemFree.OLE32(00000000), ref: 0031D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0031D87E
CoUninitialize.OLE32(00000001,00000000), ref: 0031D880

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: f88e4b8b435c23c81687af63f9d0fbfdbb1a8ca181e96196259e975cd9e7806e
Instruction ID: e88bf825a0a73121aa70b9be7d7af1f348f24c4d0f8f87072b4dd40c9bb12bd2
Opcode Fuzzy Hash: f88e4b8b435c23c81687af63f9d0fbfdbb1a8ca181e96196259e975cd9e7806e
Instruction Fuzzy Hash: E8B1E975A00109AFDB05DFA4C885DAEBBB9EF49314F148469F909EB261DB30ED81CF50

Function 0030C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0030C283
GetWindowRect.USER32(00000000,?), ref: 0030C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0030C2F3
GetDlgItem.USER32(?,00000002), ref: 0030C2FE
GetWindowRect.USER32(00000000,?), ref: 0030C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0030C364
GetDlgItem.USER32(?,000003E9), ref: 0030C372
GetWindowRect.USER32(00000000,?), ref: 0030C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0030C3C6
GetDlgItem.USER32(?,000003EA), ref: 0030C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0030C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0030C3FE

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 6ba7263ec1b5e05a899a7cb90cdcde9fcfc404ee39274f2161897450b68def73
Instruction ID: 50efa25f494aa2e56bd5b6f87639344b32a47e79fa1af934457103996d545ebf
Opcode Fuzzy Hash: 6ba7263ec1b5e05a899a7cb90cdcde9fcfc404ee39274f2161897450b68def73
Instruction Fuzzy Hash: BF515F71B10205AFDB19CFA9DD9AAAEBBBAEB88310F54822DF515D72D0D7749D008B10

Function 002B201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 002B1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002B2036,?,00000000,?,?,?,?,002B16CB,00000000,?), ref: 002B1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 002B20D3
KillTimer.USER32(-00000001,?,?,?,?,002B16CB,00000000,?,?,002B1AE2,?,?), ref: 002B216E
DestroyAcceleratorTable.USER32(00000000), ref: 002EBCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002B16CB,00000000,?,?,002B1AE2,?,?), ref: 002EBCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002B16CB,00000000,?,?,002B1AE2,?,?), ref: 002EBCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002B16CB,00000000,?,?,002B1AE2,?,?), ref: 002EBD0A
DeleteObject.GDI32(00000000), ref: 002EBD1C

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 63cdc2c95e44a29a069e8cbe7fa7bb1e9eb7b4df545ebebac091805811f966cb
Instruction ID: 6a1976610e5a3d72893b4a4d51ec067dc5e00fcad1f083d71c9dedbf73dae6bb
Opcode Fuzzy Hash: 63cdc2c95e44a29a069e8cbe7fa7bb1e9eb7b4df545ebebac091805811f966cb
Instruction Fuzzy Hash: 3A619F30630B41EFCB3AAF19CD88B6677F5FB50352F908829E4465A570C7B0A8A5DF51

Function 002B21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 002B25DB: GetWindowLongW.USER32(?,000000EB), ref: 002B25EC

GetSysColor.USER32(0000000F), ref: 002B21D3

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: c10453f0865b379a39e07a1fcf51a954c967e7097c1f5044edc087946144e519
Instruction ID: 584f6cb6bab797ce27d1a637aee67e1bac86b8546e09b81ff28b0131eb9da08f
Opcode Fuzzy Hash: c10453f0865b379a39e07a1fcf51a954c967e7097c1f5044edc087946144e519
Instruction Fuzzy Hash: E141F130410245EFDB265F28EC88BF93B69EB06371F584265FEA5CA1E2C7718C56DB21

Function 0031A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0033F910), ref: 0031A90B
GetDriveTypeW.KERNEL32(00000061,003689A0,00000061), ref: 0031A9D5
_wcscpy.LIBCMT ref: 0031A9FF

Strings

unknown, xrefs: 0031A996
ramdisk, xrefs: 0031A97F
cdrom, xrefs: 0031A927
fixed, xrefs: 0031A953
all, xrefs: 0031A911
network, xrefs: 0031A969
removable, xrefs: 0031A93D

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: c86a38054b117c3713fe8792912e4f78e663d5828565c01d30fc4ef6ffd7afbe
Instruction ID: f8bbc0a142c4d415aa9fde6274562ad6c20073e95c9ed4aa7c6dd246bb89ed1d
Opcode Fuzzy Hash: c86a38054b117c3713fe8792912e4f78e663d5828565c01d30fc4ef6ffd7afbe
Instruction Fuzzy Hash: EB51BE311283019FC30AEF14C892AEFB7E9EF88341F05492DF595572A2DB319D99CA53

Function 00338645 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 003386FF

Strings

@U=u, xrefs: 00338735

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: d8bb62ff721ab46b7b5693fad817747c471173f0a36bb0373eca2027922f04ff
Instruction ID: 1e38eac58d957a452db70624799de43a5c03fcc622c6c0978df419689c662d59
Opcode Fuzzy Hash: d8bb62ff721ab46b7b5693fad817747c471173f0a36bb0373eca2027922f04ff
Instruction Fuzzy Hash: B651A230600344BFEF269F28CCC6FAD7B69EB05350F604115FA55EA5A1CFB1A990CB41

Function 002B2B72 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 002EC2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 002EC319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002EC331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 002EC34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002EC370
DestroyIcon.USER32(00000000), ref: 002EC37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 002EC39C
DestroyIcon.USER32(?), ref: 002EC3AB

Part of subcall function 0033A4AF: DeleteObject.GDI32(00000000), ref: 0033A4E8

Strings

@U=u, xrefs: 002EC370, 002EC39C

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID: @U=u
API String ID: 2819616528-2594219639
Opcode ID: 2688afc534af75e16145b11651470fb6c8ffa4e81c8f545d710fac15ae8cad90
Instruction ID: 7c331762c60c85ca1e9a90444bee9d8fa87c60a1a5f9e27dd4f1c03abe21dacf
Opcode Fuzzy Hash: 2688afc534af75e16145b11651470fb6c8ffa4e81c8f545d710fac15ae8cad90
Instruction Fuzzy Hash: B7519E70A20305EFDB25DF65CC85FAA3BB9EB08350F604528F94697290DBB0ECA1DB50

Function 002B9837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 002B9862
__swprintf.LIBCMT ref: 002B98AC
__i64tow.LIBCMT ref: 002EF5E6

Strings

0x%p, xrefs: 002EF5C8
False, xrefs: 002EF5AE
True, xrefs: 002EF5A7
%.15g, xrefs: 002B98A6

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 43677267b9261d9a538ce6c2325aa071020923c4015dcd76f7facaea452f6309
Instruction ID: 61c43df24cebee7bf54b5e76dabfed8a333738cff0daa8fbe75056d274673c79
Opcode Fuzzy Hash: 43677267b9261d9a538ce6c2325aa071020923c4015dcd76f7facaea452f6309
Instruction Fuzzy Hash: 48411571530206AFDB24DF35C942EBA73E9FF46340F6044AEE549DB292EA719D61CB10

Function 00337152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0033716A
CreateMenu.USER32 ref: 00337185
SetMenu.USER32(?,00000000), ref: 00337194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00337221
IsMenu.USER32(?), ref: 00337237
CreatePopupMenu.USER32 ref: 00337241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0033726E
DrawMenuBar.USER32 ref: 00337276

Strings

F, xrefs: 00337262
0, xrefs: 00337160

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 502f9f2fd70eda0b20167d28ed2b5fc1f08434b979d9fa1fae61b5600c0ca30d
Instruction ID: 6a21a14f16b801a1f810a5637eb7130e81ccfb0636c9ede70620d05ce29d614e
Opcode Fuzzy Hash: 502f9f2fd70eda0b20167d28ed2b5fc1f08434b979d9fa1fae61b5600c0ca30d
Instruction Fuzzy Hash: 7C4177B5A01209EFEB22DFA4D884F9ABBB9FF09311F150428F945A7360D731A910CF90

Function 00308F8F Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22

Part of subcall function 0030AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0030AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00309014
GetDlgCtrlID.USER32 ref: 0030901F
GetParent.USER32 ref: 0030903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0030903E
GetDlgCtrlID.USER32(?), ref: 00309047
GetParent.USER32(?), ref: 00309063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00309066

Strings

@U=u, xrefs: 00309066
ListBox, xrefs: 00308FD1
ComboBox, xrefs: 00308F9C

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 1536045017-2258501812
Opcode ID: 4f1c90ec11ce285cafb604a2d7d02d85c24d90ab1d3a15d991021ee7102ca928
Instruction ID: a664a17a9e8bcf67613526182bc36de36c7f88870ff83b4536540b6ff4556615
Opcode Fuzzy Hash: 4f1c90ec11ce285cafb604a2d7d02d85c24d90ab1d3a15d991021ee7102ca928
Instruction Fuzzy Hash: 3E21C470E00208BFDF06ABA0CC96EFEBB79EF45310F50415AF961972E2DB755815DA20

Function 0030907A Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22

Part of subcall function 0030AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0030AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 003090FD
GetDlgCtrlID.USER32 ref: 00309108
GetParent.USER32 ref: 00309124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00309127
GetDlgCtrlID.USER32(?), ref: 00309130
GetParent.USER32(?), ref: 0030914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 0030914F

Strings

@U=u, xrefs: 0030914F
ListBox, xrefs: 003090BC
ComboBox, xrefs: 00309087

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 1536045017-2258501812
Opcode ID: 9c73bfc5deab2849aca25d051f44daf2c3475e1248acf9047113f8503504f0fe
Instruction ID: 9c337ea5c7699b2d03377755c7ce399a656c0cbfe9128d086c0fdad9c0d47304
Opcode Fuzzy Hash: 9c73bfc5deab2849aca25d051f44daf2c3475e1248acf9047113f8503504f0fe
Instruction Fuzzy Hash: 6E217174A01209BFDF16ABA4CC96FFEBB68EF44300F504056F951972E2DB759815DA20

Function 00309163 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0030916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00309184
_wcscmp.LIBCMT ref: 00309196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00309211

Strings

list, xrefs: 003091F3
SHELLDLL_DefView, xrefs: 00309190
smallicons, xrefs: 003091D9
@U=u, xrefs: 00309211
details, xrefs: 003091BF
largeicons, xrefs: 003091A5

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-1428604138
Opcode ID: 92f2611b40b4086ee3a7c5c747c8ffa8f41943410167c0db46c2fd9ae48ba4eb
Instruction ID: 776257d42cd1fa6e26e98de8236b2f1ce408a5faefcff74768be0ff295d4f19d
Opcode Fuzzy Hash: 92f2611b40b4086ee3a7c5c747c8ffa8f41943410167c0db46c2fd9ae48ba4eb
Instruction Fuzzy Hash: 4E110A3625930BB9FA176624DC1BEE737DC9B25720F200427F900A44D7EF626C615994

Function 002D6E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002D6E3E

Part of subcall function 002D8B28: __getptd_noexit.LIBCMT ref: 002D8B28

__gmtime64_s.LIBCMT ref: 002D6ED7
__gmtime64_s.LIBCMT ref: 002D6F0D
__gmtime64_s.LIBCMT ref: 002D6F2A
__allrem.LIBCMT ref: 002D6F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002D6F9C
__allrem.LIBCMT ref: 002D6FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002D6FD1
__allrem.LIBCMT ref: 002D6FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002D7006
__invoke_watson.LIBCMT ref: 002D7077

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: c829cda6d755b9f4228ce525a6ac666f6e13e6f906c6519b7a0464a7c0d40a17
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 8471F372A60B17ABD714EE69DC45B6AB3A8AF14320F14822BF514D73C1F774DD608B90

Function 00312527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00312542
GetMenuItemInfoW.USER32(00375890,000000FF,00000000,00000030), ref: 003125A3
SetMenuItemInfoW.USER32(00375890,00000004,00000000,00000030), ref: 003125D9
Sleep.KERNEL32(000001F4), ref: 003125EB
GetMenuItemCount.USER32(?), ref: 0031262F
GetMenuItemID.USER32(?,00000000), ref: 0031264B
GetMenuItemID.USER32(?,-00000001), ref: 00312675
GetMenuItemID.USER32(?,?), ref: 003126BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00312700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00312714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00312735

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 80f8e85f4029a350202fc5524fdea33c12afb61f105e47f6e58e6d2fd626637c
Instruction ID: fac4b71cce8dffa47b74b23656ec2bea2c10079079c92e7e11cc39c7187a9d3c
Opcode Fuzzy Hash: 80f8e85f4029a350202fc5524fdea33c12afb61f105e47f6e58e6d2fd626637c
Instruction Fuzzy Hash: 85619D70900249AFDB2BCF64CC88DEFBBB9EB0A304F550459E841A7291D771ADA5DB20

Function 00336F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00336FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00336FA8
GetWindowLongW.USER32(?,000000F0), ref: 00336FCC
_memset.LIBCMT ref: 00336FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00336FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00337067

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 393426dc236d085852f2f43e7a979f851d2fc412181b367c641534da18c5d3e3
Instruction ID: 3975717ca04e44d584c97723291a46ff49f6847ab03aabf585bcaca3b432df4a
Opcode Fuzzy Hash: 393426dc236d085852f2f43e7a979f851d2fc412181b367c641534da18c5d3e3
Instruction Fuzzy Hash: 3A615BB5A00248AFDB22DFA4CC81EEE77F8EB09710F144159FA14EB2A1C775AD45DB90

Function 00306B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00306BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00306C18
VariantInit.OLEAUT32(?), ref: 00306C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00306C4A
VariantCopy.OLEAUT32(?,?), ref: 00306C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00306CB1
VariantClear.OLEAUT32(?), ref: 00306CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00306CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00306CDC
VariantClear.OLEAUT32(?), ref: 00306CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00306CF9

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 0c00f32316f2fd1b81970c2244a2dba97577edd262c337e1111d1a4356d3ea33
Instruction ID: 8dce57b7d533da0d5ffad17d0347cf23458c74c97c6c58c085ddbc79226f3371
Opcode Fuzzy Hash: 0c00f32316f2fd1b81970c2244a2dba97577edd262c337e1111d1a4356d3ea33
Instruction Fuzzy Hash: DE416E71E00219AFDF01DFA9D8959AEBBBDEF08354F008069E955E7261CB30A955CFA0

Function 0033D43E Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002B2612: GetWindowLongW.USER32(?,000000EB), ref: 002B2623

GetSystemMetrics.USER32(0000000F), ref: 0033D47C
GetSystemMetrics.USER32(0000000F), ref: 0033D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0033D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0033D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0033D716
ShowWindow.USER32(00000003,00000000), ref: 0033D735
InvalidateRect.USER32(?,00000000,00000001), ref: 0033D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 0033D77D

Strings

@U=u, xrefs: 0033D6F5, 0033D716

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID: @U=u
API String ID: 1211466189-2594219639
Opcode ID: dae52c8cf0bb932bf52df20f609ca043d4e87f82e391cb54ea32d92bca9a29ff
Instruction ID: 5332839eb2b4152978b4be8486a4682bb5234fe8395925bd4bb55dc4a0518462
Opcode Fuzzy Hash: dae52c8cf0bb932bf52df20f609ca043d4e87f82e391cb54ea32d92bca9a29ff
Instruction Fuzzy Hash: 6DB1AA71A00229EFDF1ACF69D9C57AD7BB1BF04701F098069EC589F295D734A990CB90

Function 002B2E26 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 002B2EAE

Part of subcall function 002B1DB3: GetClientRect.USER32(?,?), ref: 002B1DDC
Part of subcall function 002B1DB3: GetWindowRect.USER32(?,?), ref: 002B1E1D
Part of subcall function 002B1DB3: ScreenToClient.USER32(?,?), ref: 002B1E45

GetDC.USER32 ref: 002ECD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 002ECD45
SelectObject.GDI32(00000000,00000000), ref: 002ECD53
SelectObject.GDI32(00000000,00000000), ref: 002ECD68
ReleaseDC.USER32(?,00000000), ref: 002ECD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 002ECDFB

Strings

U, xrefs: 002ECCD0
@U=u, xrefs: 002ECD45

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: @U=u$U
API String ID: 4009187628-4110099822
Opcode ID: 2030e07594f0dfb92c8207acd9032d45f65d055afb32c6a567a90f533436231c
Instruction ID: cf8da4885c2ba8a002624a45993df37917d2f4ac0fe7d904109ad7e8c1ac684a
Opcode Fuzzy Hash: 2030e07594f0dfb92c8207acd9032d45f65d055afb32c6a567a90f533436231c
Instruction Fuzzy Hash: 2771F631910246DFCF258FA5CC80AEA3BB5FF48350F64426AED555A265C731DCA2DF60

Function 00325732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00325793
inet_addr.WSOCK32(?,?,?), ref: 003257D8
gethostbyname.WSOCK32(?), ref: 003257E4
IcmpCreateFile.IPHLPAPI ref: 003257F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00325862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00325878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 003258ED
WSACleanup.WSOCK32 ref: 003258F3

Strings

Ping, xrefs: 00325816

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: f5792980fc331c6afb199ef05730ac17e5e0b18a34b6e0d3c9f219e721a4f9a9
Instruction ID: e473e1cb66308ea4af03e2c38bca44c631b4caf8a094eede715107c856582a13
Opcode Fuzzy Hash: f5792980fc331c6afb199ef05730ac17e5e0b18a34b6e0d3c9f219e721a4f9a9
Instruction Fuzzy Hash: 73518F31A047109FD712EF24EC89B6AB7E8EF49750F048929F956DB2A1DB70E940DF42

Function 0031B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0031B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0031B546
GetLastError.KERNEL32 ref: 0031B550
SetErrorMode.KERNEL32(00000000,READY), ref: 0031B5BD

Strings

INVALID, xrefs: 0031B58F
READY, xrefs: 0031B596
NOTREADY, xrefs: 0031B57C
UNKNOWN, xrefs: 0031B575
READONLY, xrefs: 0031B588

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: aed04a00b3bab87ae3446ced1d94605e460a921b6aaa71ac1738d1fdf07f23a2
Instruction ID: 6fe335b5da9cae96bace48d4d3d36be37354dcb1e658a3dfadb62aa77184d673
Opcode Fuzzy Hash: aed04a00b3bab87ae3446ced1d94605e460a921b6aaa71ac1738d1fdf07f23a2
Instruction Fuzzy Hash: 18318335A00209DFCB16EB68C885EEDBBB9FF4E350F148125E505DB291DB719A82CB51

Function 003361D3 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 003361EB
GetDC.USER32(00000000), ref: 003361F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003361FE
ReleaseDC.USER32(00000000,00000000), ref: 0033620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00336246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00336257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0033902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00336291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 003362B1

Strings

@U=u, xrefs: 00336257, 003362B1

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID: @U=u
API String ID: 3864802216-2594219639
Opcode ID: f80fad9b76ced00dde15d28c78a3756bc815ba787c6fc5ef50e01362b1c5b29d
Instruction ID: 995bc9679581d3516b063747098ba644dc16c1d63fd4f593374010417a302378
Opcode Fuzzy Hash: f80fad9b76ced00dde15d28c78a3756bc815ba787c6fc5ef50e01362b1c5b29d
Instruction Fuzzy Hash: C2317C72601210BFEB128F54CC8AFEB3BADEF49765F054065FE08DA292C6B59C41CB60

Function 00317990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00317A6C

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: e204129ff426043b1068fe34f86c32ae8c0e56f3193ab1243793c5aad79482ed
Instruction ID: c81fef2159dd4a7ae6ee4332103be98eb63f096e9e5eae1dc4807e0680d7f6fc
Opcode Fuzzy Hash: e204129ff426043b1068fe34f86c32ae8c0e56f3193ab1243793c5aad79482ed
Instruction Fuzzy Hash: E7B18E7190820A9FDB16DFA4C884BFEB7B9EF0D321F294429E501EB251D734E981CB90

Function 003111CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 003111F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00310268,?,00000001), ref: 00311204
GetWindowThreadProcessId.USER32(00000000), ref: 0031120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00310268,?,00000001), ref: 0031121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0031122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00310268,?,00000001), ref: 00311245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00310268,?,00000001), ref: 00311257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00310268,?,00000001), ref: 0031129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00310268,?,00000001), ref: 003112B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00310268,?,00000001), ref: 003112BC

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 625cdfe0e5620f2381c574c1a88d557e5aba2dd815e8542160aeb5ff340ff30b
Instruction ID: 8001f555d9b22c75c9d18ce42a204373da210dbab9df2ae98c0207c8dc2f823b
Opcode Fuzzy Hash: 625cdfe0e5620f2381c574c1a88d557e5aba2dd815e8542160aeb5ff340ff30b
Instruction Fuzzy Hash: DE31F075A00A08BFDB279F50EC8AFEA37ADEB58311F114525FE08C61A0D3B09DC18B60

Function 002BFA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 002BFAA6
OleUninitialize.OLE32(?,00000000), ref: 002BFB45
UnregisterHotKey.USER32(?), ref: 002BFC9C
DestroyWindow.USER32(?), ref: 002F45D6
FreeLibrary.KERNEL32(?), ref: 002F463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 002F4668

Strings

close all, xrefs: 002BFAA1

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 50ab722c21ef4fc7172b436439359c43f7b79f1a2449df7d6ee382bb8efc2b08
Instruction ID: 8668cebad4637b78c25fdf8f72cbec1678019659034bc1a94163345b63249aa0
Opcode Fuzzy Hash: 50ab722c21ef4fc7172b436439359c43f7b79f1a2449df7d6ee382bb8efc2b08
Instruction Fuzzy Hash: F3A18030721116CFCB19EF14C995BBAF764AF05780F5442BDE90AAB261DB70AD62CF50

Function 00329113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00329167
VariantInit.OLEAUT32(?), ref: 00329238
VariantInit.OLEAUT32(?), ref: 00329339
VariantClear.OLEAUT32(?), ref: 00329343
VariantClear.OLEAUT32(?), ref: 003293A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 003291C8, 003292F6, 003293AE
Incorrect Object type in FOR..IN loop, xrefs: 0032931C
,,4, xrefs: 003291E5

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,4$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-687562478
Opcode ID: 421b6f876cbb4e4578b9b83422b1a7546775e6e086551cd5a0c91e0682bf1b03
Instruction ID: 0cf9fb7e4df2cfe8c57d4bf4316b112bf5f443fa6c6592d2369cb392f7434e48
Opcode Fuzzy Hash: 421b6f876cbb4e4578b9b83422b1a7546775e6e086551cd5a0c91e0682bf1b03
Instruction Fuzzy Hash: 23919271E00229EBDF25CFA5D848FAEB7B8EF45710F10855AF515AB280D7709945CFA0

Function 0030A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0030A439), ref: 0030A377

Strings

CLASSNN, xrefs: 0030A119
REGEXPCLASS, xrefs: 0030A13C
CLASS, xrefs: 0030A0F6
TEXT, xrefs: 0030A2AE
INSTANCE, xrefs: 0030A285
NAME, xrefs: 0030A1A9

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: f6b5e680437ebd5fa6c63dc81d4f47c1ae2923d4b0a218a91ec9d47cd70a4f90
Instruction ID: 8532179e92f327f51cebb7636db636dbf3983805d7c9a9b556ae5de8e83b3927
Opcode Fuzzy Hash: f6b5e680437ebd5fa6c63dc81d4f47c1ae2923d4b0a218a91ec9d47cd70a4f90
Instruction Fuzzy Hash: FC91D731601B05ABCB09DFA0D4A2BEEFBB8BF04300F55852AD449A7291DF316999CF91

Function 0033B351 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01395840), ref: 0033B3EB
IsWindowEnabled.USER32(01395840), ref: 0033B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0033B4DB
SendMessageW.USER32(01395840,000000B0,?,?), ref: 0033B512
IsDlgButtonChecked.USER32(?,?), ref: 0033B54F
GetWindowLongW.USER32(01395840,000000EC), ref: 0033B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0033B589

Strings

@U=u, xrefs: 0033B4DB, 0033B512, 0033B589

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID: @U=u
API String ID: 4072528602-2594219639
Opcode ID: ff332efe70378d150b3acbca0a3785ae8858b583c2824eaeb215ef837a4a9eda
Instruction ID: ae9b609e197546ee13319b0f296316a527903f3a37243859b67803a2ead132fa
Opcode Fuzzy Hash: ff332efe70378d150b3acbca0a3785ae8858b583c2824eaeb215ef837a4a9eda
Instruction Fuzzy Hash: 78718E38604204EFEB27DF55C8D5FBAFBB9EF09310F158059EA85972A2C771A940CB54

Function 00336D80 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00336E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00336E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00336E52
_wcscat.LIBCMT ref: 00336EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00336EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00336EF2

Strings

SysListView32, xrefs: 00336DF6
@U=u, xrefs: 00336E24, 00336E38

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: @U=u$SysListView32
API String ID: 307300125-1908207174
Opcode ID: 66a6d2f1af71cd40cde2bcbd7f1cbc2037ec1dd38a0781cf5a17862658567337
Instruction ID: 72b20adb1f0e3c60d4b6e5672a5ef2ea0d528f827effa745f94e33b2b52866f7
Opcode Fuzzy Hash: 66a6d2f1af71cd40cde2bcbd7f1cbc2037ec1dd38a0781cf5a17862658567337
Instruction Fuzzy Hash: A1419371A00348FFDB229F64CC86BEEB7A9EF08350F11452AF544E7191D6719D948B60

Function 00321A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00321A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00321A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00321ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00321AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00321AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00321B10
InternetCloseHandle.WININET(00000000), ref: 00321B57

Part of subcall function 00322483: GetLastError.KERNEL32(?,?,00321817,00000000,00000000,00000001), ref: 00322498
Part of subcall function 00322483: SetEvent.KERNEL32(?,?,00321817,00000000,00000000,00000001), ref: 003224AD

Strings

, xrefs: 00321B01

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 77b9f3001280a3e4d408d9135faefd1a9a4db057140dc6f6882e963a52f5e600
Instruction ID: 883c74e4ad61b9635a0ea0c57270a8aab88d50dddcb8ffb658ed55938d63d6dc
Opcode Fuzzy Hash: 77b9f3001280a3e4d408d9135faefd1a9a4db057140dc6f6882e963a52f5e600
Instruction Fuzzy Hash: 79416EB1901228BFEB139F50DD89FBB7BACEF18354F00412AF9059A151E7749E449BA0

Function 003362CD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 003362EC
GetWindowLongW.USER32(01395840,000000F0), ref: 0033631F
GetWindowLongW.USER32(01395840,000000F0), ref: 00336354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00336386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 003363B0
GetWindowLongW.USER32(00000000,000000F0), ref: 003363C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 003363DB

Strings

@U=u, xrefs: 003362EC, 00336386, 003363B0

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: @U=u
API String ID: 2178440468-2594219639
Opcode ID: 492d1a852dc9285ff4d4e151ff5b3c5a317309b2ee6a3b90f81c0a744ada2b26
Instruction ID: 847cec8e3c7b785e6590eb20dc18089addb8841704dda5e76c8863555cc0867c
Opcode Fuzzy Hash: 492d1a852dc9285ff4d4e151ff5b3c5a317309b2ee6a3b90f81c0a744ada2b26
Instruction Fuzzy Hash: D9311639B44150AFDB22CF18DCC6F593BE9FB4A724F1A8164F5058F2B1CB71A8409B51

Function 00328C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0033F910), ref: 00328D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0033F910), ref: 00328D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00328ED6
SysFreeString.OLEAUT32(?), ref: 00328F00

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: b6e2d7178d8190b014c92381766e83b568398cde4272b561076bb230b2105af4
Instruction ID: 83d6137d0f8b94b4d4a5694b5f1b0d5da6766002ad8f4deddc808e9fa206995a
Opcode Fuzzy Hash: b6e2d7178d8190b014c92381766e83b568398cde4272b561076bb230b2105af4
Instruction Fuzzy Hash: 7DF13871A00229EFCF05DF94D884EAEB7B9FF49314F118499F905AB251DB31AE46CB90

Function 0032F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0032F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0032F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0032F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0032F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0032F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0032FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0032FA7C
CloseHandle.KERNEL32(?), ref: 0032FAAB
CloseHandle.KERNEL32(?), ref: 0032FB22

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: ba07f1067cd2434a700ed17576390f1b1d82e7170021b812a2a36b1ead1ecc3b
Instruction ID: 7942bb7be7cfc8f047e2f81801c41d0aadbad31fec687a35031bf10ccb3e6c2f
Opcode Fuzzy Hash: ba07f1067cd2434a700ed17576390f1b1d82e7170021b812a2a36b1ead1ecc3b
Instruction Fuzzy Hash: C1E1AD316042109FC716EF24D891B6ABBF5AF89354F14896EF8898B2A2CB31DC45CF52

Function 00314CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0031466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00313697,?), ref: 0031468B

Part of subcall function 0031466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00313697,?), ref: 003146A4

Part of subcall function 00314A31: GetFileAttributesW.KERNEL32(?,0031370B), ref: 00314A32

lstrcmpiW.KERNEL32(?,?), ref: 00314D40
_wcscmp.LIBCMT ref: 00314D5A
MoveFileW.KERNEL32(?,?), ref: 00314D75

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 037bd2d089ed31b33024337d2249223de8e71b00c9c438089df6e8a95ae7cec1
Instruction ID: a2a017a5d6315bd024f1ed8b7f62ab685685641d9ec62f4f8f5fb0b546c10708
Opcode Fuzzy Hash: 037bd2d089ed31b33024337d2249223de8e71b00c9c438089df6e8a95ae7cec1
Instruction Fuzzy Hash: E75142B24083459BC725EB60D8819DFB3ECAF88350F40092FF689D7152EF31A589CB66

Function 0030966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0030A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0030A84C
Part of subcall function 0030A82C: GetCurrentThreadId.KERNEL32 ref: 0030A853
Part of subcall function 0030A82C: AttachThreadInput.USER32(00000000,?,00309683,?,00000001), ref: 0030A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 0030968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003096AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 003096AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 003096B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 003096D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 003096D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 003096E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 003096F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 003096FB

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 4e662928d9eb598ad9781fc02470728ad0970564ad545fb4e83e47773d0de44f
Instruction ID: 13f83679a23450c73851c0ab00272a5f6144b2234812b1051944ab6ccf05edc6
Opcode Fuzzy Hash: 4e662928d9eb598ad9781fc02470728ad0970564ad545fb4e83e47773d0de44f
Instruction Fuzzy Hash: C811A1B1D50618BEF6126F60EC8AF6A7F2DEB4C761F510425F244AB0E1C9F35C50DAA4

Function 00308921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0030853C,00000B00,?,?), ref: 0030892A
HeapAlloc.KERNEL32(00000000,?,0030853C,00000B00,?,?), ref: 00308931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0030853C,00000B00,?,?), ref: 00308946
GetCurrentProcess.KERNEL32(?,00000000,?,0030853C,00000B00,?,?), ref: 0030894E
DuplicateHandle.KERNEL32(00000000,?,0030853C,00000B00,?,?), ref: 00308951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0030853C,00000B00,?,?), ref: 00308961
GetCurrentProcess.KERNEL32(0030853C,00000000,?,0030853C,00000B00,?,?), ref: 00308969
DuplicateHandle.KERNEL32(00000000,?,0030853C,00000B00,?,?), ref: 0030896C
CreateThread.KERNEL32(00000000,00000000,00308992,00000000,00000000,00000000), ref: 00308986

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 099176727405aa62c8dafa1c968f6083a83dd2e3d8d9df23aa967d29f33e4ca5
Instruction ID: 41572c6605aa62a907f9b012b79049ba6aee3b6f27d6844503c8daaf4f28c6a0
Opcode Fuzzy Hash: 099176727405aa62c8dafa1c968f6083a83dd2e3d8d9df23aa967d29f33e4ca5
Instruction Fuzzy Hash: 2501BF75A40304FFE711ABA5EC8DF673B6CEB89711F404421FA05DB1A1CA709804DB20

Function 0032975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 0030710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00307044,80070057,?,?,?,00307455), ref: 00307127
Part of subcall function 0030710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00307044,80070057,?,?), ref: 00307142
Part of subcall function 0030710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00307044,80070057,?,?), ref: 00307150
Part of subcall function 0030710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00307044,80070057,?), ref: 00307160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00329806
_memset.LIBCMT ref: 00329813
_memset.LIBCMT ref: 00329956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00329982
CoTaskMemFree.OLE32(?), ref: 0032998D

Strings

NULL Pointer assignment, xrefs: 003299DB

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: be6a25a72e4b6b59a2c73655b253ed31e1fd3c76c277789bfb3e4f661f492d01
Instruction ID: b1facc3cd3f6ec63f05f0aa0dd228311f63c6aafb8b4ca0c13d7827b9096fad7
Opcode Fuzzy Hash: be6a25a72e4b6b59a2c73655b253ed31e1fd3c76c277789bfb3e4f661f492d01
Instruction Fuzzy Hash: 11913871D00229EBDB11DFA5DC81FDEBBB9AF08350F10415AF419AB291DB719A44CFA0

Function 0032E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00313C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00313C7A
Part of subcall function 00313C55: Process32FirstW.KERNEL32(00000000,?), ref: 00313C88
Part of subcall function 00313C55: CloseHandle.KERNEL32(00000000), ref: 00313D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0032E9A4
GetLastError.KERNEL32 ref: 0032E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0032E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 0032EA63
GetLastError.KERNEL32(00000000), ref: 0032EA6E
CloseHandle.KERNEL32(00000000), ref: 0032EAA3

Strings

SeDebugPrivilege, xrefs: 0032E9C2

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 8e5e94fa3ff70d58bf203973c97935c66a187c6ebf7df2db68fdd2a6ad385579
Instruction ID: f3f05527eaccd343d1aca401351691c115173940d21925fdb0848110bb92c4b0
Opcode Fuzzy Hash: 8e5e94fa3ff70d58bf203973c97935c66a187c6ebf7df2db68fdd2a6ad385579
Instruction Fuzzy Hash: 5241A9316002119FDB16EF24DCA6FAEBBA9AF45314F188418F9469F2D2CB74AC54CF91

Function 0033B69E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(003757B0,00000000,01395840,?,?,003757B0,?,0033B5A8,?,?), ref: 0033B712
EnableWindow.USER32(00000000,00000000), ref: 0033B736
ShowWindow.USER32(003757B0,00000000,01395840,?,?,003757B0,?,0033B5A8,?,?), ref: 0033B796
ShowWindow.USER32(00000000,00000004,?,0033B5A8,?,?), ref: 0033B7A8
EnableWindow.USER32(00000000,00000001), ref: 0033B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0033B7EF

Strings

@U=u, xrefs: 0033B7EF

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: @U=u
API String ID: 642888154-2594219639
Opcode ID: a2dd8a72d8f8e8fa2551d90590f0e0204eeab4b6b6b6e5901ab8a9e1b5b82cc7
Instruction ID: 4c85ce32c290383d31908b5be77048c5d8e6b01ea9b0f37593b8f6026b40f1fc
Opcode Fuzzy Hash: a2dd8a72d8f8e8fa2551d90590f0e0204eeab4b6b6b6e5901ab8a9e1b5b82cc7
Instruction Fuzzy Hash: E6416234600244AFDB27CF24C4DAB94BBE1FF45350F1941B9FA488F6A2C731A856CBA1

Function 00312F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00313033

Strings

stop, xrefs: 00313004
blank, xrefs: 00312FB5
warning, xrefs: 0031301C
info, xrefs: 00312FD4
question, xrefs: 00312FEC

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 23feb4e292f65ec1716626b8f86b62ef3591a458829ee1595052a825ac7b7bbe
Instruction ID: 9c0ef227354540eca23732fd93f746181adcfbfa0b4b48f2814c67fdd8fd7bb2
Opcode Fuzzy Hash: 23feb4e292f65ec1716626b8f86b62ef3591a458829ee1595052a825ac7b7bbe
Instruction Fuzzy Hash: 51110831648346BED71B9B14DC42CEB6BDC9F2D360F10402AFA02662C1DB616F8456A1

Function 003142F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00314312
LoadStringW.USER32(00000000), ref: 00314319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0031432F
LoadStringW.USER32(00000000), ref: 00314336
_wprintf.LIBCMT ref: 0031435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0031437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00314357

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 55f55bf703fc7b18bf884cc7ec8cf5fcb760378d4886942a9ab552fa3237836e
Instruction ID: 4275ab0999c65395d94086ccd8711e79fabf67d0eac28a993045834df49803e8
Opcode Fuzzy Hash: 55f55bf703fc7b18bf884cc7ec8cf5fcb760378d4886942a9ab552fa3237836e
Instruction Fuzzy Hash: B10162F6D00208BFE752ABA0DDC9FE6776CDB08301F4005A2B749E2051EB745E954B71

Function 002B2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,002EC1C7,00000004,00000000,00000000,00000000), ref: 002B2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,002EC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 002B2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,002EC1C7,00000004,00000000,00000000,00000000), ref: 002EC21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,002EC1C7,00000004,00000000,00000000,00000000), ref: 002EC286

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 4dc2d91d29bb6e34f8bc6e2a633cf3ac9da66e4b016456d0b1fdb81cbb3daa14
Instruction ID: 48f12dc9bf8ff41472670413fd3e8a76f2887f16e115dcc5c9805f424059a564
Opcode Fuzzy Hash: 4dc2d91d29bb6e34f8bc6e2a633cf3ac9da66e4b016456d0b1fdb81cbb3daa14
Instruction Fuzzy Hash: 91417D316347C1DFC73AAF698CC8BEB7B95AB45380F74881DE18782560C6B0A86AC711

Function 003170C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 003170DD

Part of subcall function 002D0DB6: std::exception::exception.LIBCMT ref: 002D0DEC
Part of subcall function 002D0DB6: __CxxThrowException@8.LIBCMT ref: 002D0E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00317114
EnterCriticalSection.KERNEL32(?), ref: 00317130
_memmove.LIBCMT ref: 0031717E
_memmove.LIBCMT ref: 0031719B
LeaveCriticalSection.KERNEL32(?), ref: 003171AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 003171BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 003171DE

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: a29e4659aeda9320104d7f663ec62f80983210481d760bb8150f1dee1052a194
Instruction ID: 45861f401bf1623b70a5cddbe667d1d3030a5df28faeaf986b9cce6f5aea4edb
Opcode Fuzzy Hash: a29e4659aeda9320104d7f663ec62f80983210481d760bb8150f1dee1052a194
Instruction Fuzzy Hash: 93316C35900205EBCB01DFA5DC85AAFB778EF49710F5481B6E904AA256DB709E54CBA0

Function 0031EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 002B9837: __itow.LIBCMT ref: 002B9862
Part of subcall function 002B9837: __swprintf.LIBCMT ref: 002B98AC

Part of subcall function 002CFC86: _wcscpy.LIBCMT ref: 002CFCA9

_wcstok.LIBCMT ref: 0031EC94
_wcscpy.LIBCMT ref: 0031ED23
_memset.LIBCMT ref: 0031ED56

Strings

X, xrefs: 0031ED93

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: c6a61d36ba015abfe096f3f338e9ec5b83923cc81ca20a819c8778197a28e4ea
Instruction ID: 0c8a65f4f15716514693e8be1b7e4d09403358961e45aed643b96f1d8022e396
Opcode Fuzzy Hash: c6a61d36ba015abfe096f3f338e9ec5b83923cc81ca20a819c8778197a28e4ea
Instruction Fuzzy Hash: DEC181315187019FC719EF24C881A9AB7E4BF89354F00492DFD999B2A1DB31EC95CF92

Function 00326B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00326C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00326C21
WSAGetLastError.WSOCK32(00000000), ref: 00326C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00326CEA
inet_ntoa.WSOCK32(?), ref: 00326CA7

Part of subcall function 0030A7E9: _strlen.LIBCMT ref: 0030A7F3
Part of subcall function 0030A7E9: _memmove.LIBCMT ref: 0030A815

_strlen.LIBCMT ref: 00326D44
_memmove.LIBCMT ref: 00326DAD

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 8da843183d4a52b4205ec2eac4d08e123ae33a4b25ec5e0f77933f54f4894a65
Instruction ID: 03f00cfc5a7a02db6c17fc765899cda082520f926612c8d1f7ea7c8c1c47b1f3
Opcode Fuzzy Hash: 8da843183d4a52b4205ec2eac4d08e123ae33a4b25ec5e0f77933f54f4894a65
Instruction Fuzzy Hash: BE81F171608310AFC711EF24DC92FAAB7A8AF84714F54491DF9559B2E2DB70ED00CB91

Function 002B1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 529540e5cbd15c8f035e3d8e232de13e527ce09381651ed21dc51267fea97351
Instruction ID: 02d8aabc6e36eecb133cd6e539ebf0340dfb51764be42088ed947915072099eb
Opcode Fuzzy Hash: 529540e5cbd15c8f035e3d8e232de13e527ce09381651ed21dc51267fea97351
Instruction Fuzzy Hash: B4717C30920109EFCB159F99CC98AFFBB78FF85350F508149F915AA251C730AA61CFA0

Function 0032F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0032F448
_memset.LIBCMT ref: 0032F511
ShellExecuteExW.SHELL32(?), ref: 0032F556

Part of subcall function 002B9837: __itow.LIBCMT ref: 002B9862
Part of subcall function 002B9837: __swprintf.LIBCMT ref: 002B98AC

Part of subcall function 002CFC86: _wcscpy.LIBCMT ref: 002CFCA9

GetProcessId.KERNEL32(00000000), ref: 0032F5CD
CloseHandle.KERNEL32(00000000), ref: 0032F5FC

Strings

@, xrefs: 0032F525

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 089c6a9c4897670fd9774bc1982b4d8c68486a592edd64090e4e70736de64615
Instruction ID: b61da1947192c26e49a3ebc60b9170660db1a71011b9d22f0dcefa77020f69b2
Opcode Fuzzy Hash: 089c6a9c4897670fd9774bc1982b4d8c68486a592edd64090e4e70736de64615
Instruction Fuzzy Hash: 9961BF75A10629DFCB05EF64D8819AEBBF5FF49310F148069E85AAB361CB30AD51CF90

Function 00310F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00310F8C
GetKeyboardState.USER32(?), ref: 00310FA1
SetKeyboardState.USER32(?), ref: 00311002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00311030
PostMessageW.USER32(?,00000101,00000011,?), ref: 0031104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00311095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 003110B8

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f4fe0f76afef708ce98a9a23f3e43728c7236df020ebada733e89806c0eb1483
Instruction ID: ca8389a9383ae1e6369963f90454ec3d66fd39cc9e613b8074b4d1244e5d4bed
Opcode Fuzzy Hash: f4fe0f76afef708ce98a9a23f3e43728c7236df020ebada733e89806c0eb1483
Instruction Fuzzy Hash: 8651D3A09047D53DFB3B46348C46BF6BFA95B0E304F098589E2D4898D2C2E9ECD5D751

Function 00310D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00310DA5
GetKeyboardState.USER32(?), ref: 00310DBA
SetKeyboardState.USER32(?), ref: 00310E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00310E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00310E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00310EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00310EC9

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b54d71524c8d81dfe2b95a017ac91aa5720ebd1220d4ac76326e18c880cbd76c
Instruction ID: 82a375259dacf7f67305086faef9e2b7603ea3d3ab114fea3f9e34d669d9937d
Opcode Fuzzy Hash: b54d71524c8d81dfe2b95a017ac91aa5720ebd1220d4ac76326e18c880cbd76c
Instruction Fuzzy Hash: 6251E5A0504BD57DFB3F83758C55BFABEA96B0A300F098889E1D45A8C2C3D5ACD5D760

Function 003155FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0031560A
_wcsncpy.LIBCMT ref: 0031563F
_wcsncpy.LIBCMT ref: 00315671
_wcsncpy.LIBCMT ref: 003156A4
_wcsncpy.LIBCMT ref: 003156E6
_wcsncpy.LIBCMT ref: 00315720
_wcsncpy.LIBCMT ref: 0031574F

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 5f7568659f1b8a78acaf8dfbac3bf30cb9cb4fb1d771727ceb7f84df3dd9695a
Instruction ID: a609c587d6c9f2eec368955eb2aa50643c4c80d772bb1dad4acf7bba5483f0e7
Opcode Fuzzy Hash: 5f7568659f1b8a78acaf8dfbac3bf30cb9cb4fb1d771727ceb7f84df3dd9695a
Instruction Fuzzy Hash: 7B41C765C20214B6CB16EBB4CC46ACFB3B89F48310F504857E518E3361FB35A6A5CBE6

Function 0033A056 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

@U=u, xrefs: 0033A14F

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: eab766dfcf347441f3b8a14d2cd4e68b00d867cca44ba0a6be2484615082dc1f
Instruction ID: 99654222d14ec6436aea23eb57ce1dddef36ce80987a1e4dc578f5aee8e04991
Opcode Fuzzy Hash: eab766dfcf347441f3b8a14d2cd4e68b00d867cca44ba0a6be2484615082dc1f
Instruction Fuzzy Hash: E341F635D04904BFD726DF28CCC9FAABBACEB09310F160265F896A72E1C770AD41DA51

Function 0030D56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0030D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0030D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0030D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0030D69D

Strings

DllGetClassObject, xrefs: 0030D610
,,4, xrefs: 0030D578

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,4$DllGetClassObject
API String ID: 753597075-733645947
Opcode ID: dcfb0b717cb76c1651396713fb3a63ef104703a52b423166e184d7b35544fd96
Instruction ID: 6ca247009a2169180d769230b3c42d5667a5e2eeeb97d114485acad501d75611
Opcode Fuzzy Hash: dcfb0b717cb76c1651396713fb3a63ef104703a52b423166e184d7b35544fd96
Instruction Fuzzy Hash: B24182B1601208EFDF06CF94C894A9ABBF9EF44314F5581A9ED099F245D7B2DD44CBA0

Function 00313671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0031466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00313697,?), ref: 0031468B

Part of subcall function 0031466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00313697,?), ref: 003146A4

lstrcmpiW.KERNEL32(?,?), ref: 003136B7
_wcscmp.LIBCMT ref: 003136D3
MoveFileW.KERNEL32(?,?), ref: 003136EB
_wcscat.LIBCMT ref: 00313733
SHFileOperationW.SHELL32(?), ref: 0031379F

Strings

\*.*, xrefs: 0031372D

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 33620d850b70548cd95d7584352e886a0996be7f826ebe8efecbcc1f8420756c
Instruction ID: 86085490fc79e31082ff4681bb1cc924eadb334686c7746b8a83532b67c1d9f9
Opcode Fuzzy Hash: 33620d850b70548cd95d7584352e886a0996be7f826ebe8efecbcc1f8420756c
Instruction Fuzzy Hash: 5B41A271508344AEC756EF64D4919DFB7ECAF8C380F40092EF489C7291EA34D689CB52

Function 00337291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003372AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00337351
IsMenu.USER32(?), ref: 00337369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003373B1
DrawMenuBar.USER32 ref: 003373C4

Strings

0, xrefs: 0033729E

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: d41fa4f17f65ec9bf4c5a7ed4de2da25dae0bdb11fedd6c6121bfbc82403e185
Instruction ID: 6b07815904edb4062fcdbc3e34e6274192ec5c907c6786707224f2e4b3c7f579
Opcode Fuzzy Hash: d41fa4f17f65ec9bf4c5a7ed4de2da25dae0bdb11fedd6c6121bfbc82403e185
Instruction Fuzzy Hash: 4E4125B9A05209EFDB22DF50D884E9ABBB8FB09320F158429FD55A7260D730AD50DF90

Function 00330FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00330FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00330FFE
FreeLibrary.KERNEL32(00000000), ref: 003310B5

Part of subcall function 00330FA5: RegCloseKey.ADVAPI32(?), ref: 0033101B
Part of subcall function 00330FA5: FreeLibrary.KERNEL32(?), ref: 0033106D
Part of subcall function 00330FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00331090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00331058

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: aa1f117d08b28f651ec0b81e50e64b17cf6a3365d721f669136f0e41b1b897de
Instruction ID: f0ed8cf9f20623331db0ca18841ee6663049d5db9c760c997cb7e31c1c03ca11
Opcode Fuzzy Hash: aa1f117d08b28f651ec0b81e50e64b17cf6a3365d721f669136f0e41b1b897de
Instruction Fuzzy Hash: F7310D71D01109BFDB1A9F94DCC9EFFB7BCEF08300F40016AE501A2151EA749E899AA0

Function 00326173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00327D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00327DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 003261C6
WSAGetLastError.WSOCK32(00000000), ref: 003261D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0032620E
connect.WSOCK32(00000000,?,00000010), ref: 00326217
WSAGetLastError.WSOCK32 ref: 00326221
closesocket.WSOCK32(00000000), ref: 0032624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00326263

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 66b7239fe83357f312da6234760189e49074df297f2f83ddf03ec10ef7749ff4
Instruction ID: 953987f3ee2e8e3f1cb1fc9ab6192bd7f107a0dde1dc7dfe461e3ee094ad8105
Opcode Fuzzy Hash: 66b7239fe83357f312da6234760189e49074df297f2f83ddf03ec10ef7749ff4
Instruction Fuzzy Hash: BC319031600228AFDF11AF24DC86BBE77ACEF45750F054429F905AB291CB74AC54CBA1

Function 00308E90 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22

Part of subcall function 0030AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0030AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00308F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00308F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00308F57

Part of subcall function 002B7BCC: _memmove.LIBCMT ref: 002B7C06

Strings

@U=u, xrefs: 00308F14, 00308F27, 00308F57
ListBox, xrefs: 00308ED3
ComboBox, xrefs: 00308E9E

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: @U=u$ComboBox$ListBox
API String ID: 365058703-2258501812
Opcode ID: a5a8ae7ca61e7ffbf3fa017510c04295fc6622f37a8974cc0a5bc49301a61545
Instruction ID: 7ef4c9ef452cac87f20e01af0cd25c5e279b09fa0ae72e91d810c8130041c96e
Opcode Fuzzy Hash: a5a8ae7ca61e7ffbf3fa017510c04295fc6622f37a8974cc0a5bc49301a61545
Instruction Fuzzy Hash: 16212071A05105BFDB16ABB0DC96DFFB769DF453A0F048529F461972E0CB384C1A9A10

Function 0030F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0030F671
__wcsnicmp.LIBCMT ref: 0030F692
__wcsnicmp.LIBCMT ref: 0030F6AC

Strings

#notrayicon, xrefs: 0030F669
#requireadmin, xrefs: 0030F68C
#OnAutoItStartRegister, xrefs: 0030F6A6

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 9c3472170677d31b45f9b742d9a41425744da208b2491ad046cbc5232a7700bb
Instruction ID: 1af6642fd2acc2f5929afef6aa4830bb1e71309fa5ed7b87759b4e0d5fa178d7
Opcode Fuzzy Hash: 9c3472170677d31b45f9b742d9a41425744da208b2491ad046cbc5232a7700bb
Instruction Fuzzy Hash: D8219E722165116FD232E634EC22FB7B3DCDF55780F11403AF442869D1EB919D62C796

Function 0030B1EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0030B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0030B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0030B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0030B27F
_wcsstr.LIBCMT ref: 0030B289

Strings

@U=u, xrefs: 0030B221, 0030B259

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID: @U=u
API String ID: 3902887630-2594219639
Opcode ID: a7bb5d1c27ba26ba98a8d16db529c40820f63192ae5a0a82e63ad80efad655c9
Instruction ID: 8faa5625be83c1017df39059c4bbbc3f181ec166b41a14c9d26c5fb78e1ca7ed
Opcode Fuzzy Hash: a7bb5d1c27ba26ba98a8d16db529c40820f63192ae5a0a82e63ad80efad655c9
Instruction Fuzzy Hash: BE212931605200BBEB169B79DC59E7FBBACDF49710F01813AF804DA1E1EF61DC509660

Function 00309307 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00309320

Part of subcall function 002B7BCC: _memmove.LIBCMT ref: 002B7C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00309352
__itow.LIBCMT ref: 0030936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00309392
__itow.LIBCMT ref: 003093A3

Strings

@U=u, xrefs: 00309320, 00309352, 00309392

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID: @U=u
API String ID: 2983881199-2594219639
Opcode ID: 3054bda6750122cd8814df3a21bec56e39035004611d723fdc75d1f1f375a11c
Instruction ID: 81d582f3dd84934649199fb155db14eaec9460dbac2de913500746feade4971c
Opcode Fuzzy Hash: 3054bda6750122cd8814df3a21bec56e39035004611d723fdc75d1f1f375a11c
Instruction Fuzzy Hash: FB21DA35B02204ABDB129B649C96FEF7BADEB88710F044066F905DB1D2D670CD518F91

Function 003375CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002B1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002B1D73
Part of subcall function 002B1D35: GetStockObject.GDI32(00000011), ref: 002B1D87
Part of subcall function 002B1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 002B1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00337632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0033763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0033764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00337659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00337665

Strings

Msctls_Progress32, xrefs: 00337603

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: dc65a3d2bbb40e7e2de373d573dd7016b50cdc73b9ee8e9892ca5f848e6929f1
Instruction ID: bceeedbca84776145e5ea08d12269b2b526c5c4321e96e04ca8b2805699e4ace
Opcode Fuzzy Hash: dc65a3d2bbb40e7e2de373d573dd7016b50cdc73b9ee8e9892ca5f848e6929f1
Instruction Fuzzy Hash: AB11B6B1110119BFEF158F64CC86EE77F5DEF08798F014115F604A6050C6729C21DBA4

Function 0033B635 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0033B644
_memset.LIBCMT ref: 0033B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00376F20,00376F64), ref: 0033B682
CloseHandle.KERNEL32 ref: 0033B694

Strings

o7, xrefs: 0033B63E
do7, xrefs: 0033B64D

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: o7$do7
API String ID: 3277943733-2183443977
Opcode ID: 280c0ff112e93931a3df1478bea000a971d8b215022cc7de9334254071558e20
Instruction ID: 629ed43e86449a46429ba9d8ea6ccf80e829e3f3ea77c67715455a99180cc479
Opcode Fuzzy Hash: 280c0ff112e93931a3df1478bea000a971d8b215022cc7de9334254071558e20
Instruction Fuzzy Hash: C3F05EB6540700BFE2223B61BC57FBB7A9CEB08395F004021FA0DE6192D7754C148BA8

Function 002D406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,002D3F85), ref: 002D4085
GetProcAddress.KERNEL32(00000000), ref: 002D408C
EncodePointer.KERNEL32(00000000), ref: 002D4097
DecodePointer.KERNEL32(002D3F85), ref: 002D40B2

Strings

combase.dll, xrefs: 002D4080
RoUninitialize, xrefs: 002D4074

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 06f95632a42297f74dc345a78bd191c83987c73c3c3b00bfacc4d7738c79404a
Instruction ID: b8e751ad6a6f29f4756ea4009de3898bc3d1fad8c4acac5c1b0362915006b696
Opcode Fuzzy Hash: 06f95632a42297f74dc345a78bd191c83987c73c3c3b00bfacc4d7738c79404a
Instruction Fuzzy Hash: 4AE09274A96201EFEB22BF61EC49B463BACB704743F904426F115E61A0CBB65644AA15

Function 003164B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0031660B
_memmove.LIBCMT ref: 00316546

Part of subcall function 002B9837: __itow.LIBCMT ref: 002B9862
Part of subcall function 002B9837: __swprintf.LIBCMT ref: 002B98AC

_memmove.LIBCMT ref: 003165B9
_memmove.LIBCMT ref: 003166A0
_memmove.LIBCMT ref: 003166B9
_memmove.LIBCMT ref: 003166D5

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 3f03857a6e89d49d2b23adb80710b0c1c05ec5fd0e72f6afcc0fdb021d4ac1ae
Instruction ID: 42bf5323aabcbaf14dd3a42fd060b6ad0f9144fd20e0f75a2065286fafadc58b
Opcode Fuzzy Hash: 3f03857a6e89d49d2b23adb80710b0c1c05ec5fd0e72f6afcc0fdb021d4ac1ae
Instruction Fuzzy Hash: 0461AD3051425A9BCF06EFA0CC82EFE37A9AF49348F048519F9555B2A2DB34EDA5CF50

Function 003301E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22

Part of subcall function 00330E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0032FDAD,?,?), ref: 00330E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003302BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003302FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00330320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00330349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0033038C
RegCloseKey.ADVAPI32(00000000), ref: 00330399

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: f853d20cf53c2f5ce342e297a069013df82e9c5161bc01cc8c4f18bf90539081
Instruction ID: 2ef4be0ebf7db42fdba47af0efe322f87e01fdc314c2eeae102a756440e0b9b3
Opcode Fuzzy Hash: f853d20cf53c2f5ce342e297a069013df82e9c5161bc01cc8c4f18bf90539081
Instruction Fuzzy Hash: AD515C31218200AFC709EF64C895EAFBBE9FF89314F44491DF5958B2A2DB31E915CB52

Function 00335799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 003357FB
GetMenuItemCount.USER32(00000000), ref: 00335832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0033585A
GetMenuItemID.USER32(?,?), ref: 003358C9
GetSubMenu.USER32(?,?), ref: 003358D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00335928

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 82445d2710f268651cdcc3f7ab1df30f793431dfc844b70b44e921bcad3b6463
Instruction ID: e4f38b3d1ad419824cebb8534cf5916cea7a4ea32cce27a154d41f93747b5343
Opcode Fuzzy Hash: 82445d2710f268651cdcc3f7ab1df30f793431dfc844b70b44e921bcad3b6463
Instruction Fuzzy Hash: B7516D31E00615EFCF12DF64C885AAEB7B5EF48320F114069E841BB361CB70AE41CB90

Function 0030EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0030EF06
VariantClear.OLEAUT32(00000013), ref: 0030EF78
VariantClear.OLEAUT32(00000000), ref: 0030EFD3
_memmove.LIBCMT ref: 0030EFFD
VariantClear.OLEAUT32(?), ref: 0030F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0030F078

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 599075e71fbabc4bb062b3c8eba78646d8ea9e8182bf43f64803798d9966d9ab
Instruction ID: bf15a8c7717157c0781931cc50e65e0d72c064a8e2a46e5da2e81008c534615b
Opcode Fuzzy Hash: 599075e71fbabc4bb062b3c8eba78646d8ea9e8182bf43f64803798d9966d9ab
Instruction Fuzzy Hash: 16516AB5A00209EFCB25CF58C890AAAB7B8FF4C314F158569E959DB341E735E911CFA0

Function 0031220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00312258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003122A3
IsMenu.USER32(00000000), ref: 003122C3
CreatePopupMenu.USER32 ref: 003122F7
GetMenuItemCount.USER32(000000FF), ref: 00312355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00312386

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: c9c9b1e1c0b764c1fd6e0ee007fb0dbafacc1115e3912d614167ab6082301f6a
Instruction ID: ee4c86e533e2e8f865503c9158e533be5c73c1889b0d54463c8f865eb84a35c5
Opcode Fuzzy Hash: c9c9b1e1c0b764c1fd6e0ee007fb0dbafacc1115e3912d614167ab6082301f6a
Instruction Fuzzy Hash: 5351C434900209DFDF2ACF64C888BDFBBF5BF49314F154929E8619B290D37489A5CB51

Function 002B1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 002B2612: GetWindowLongW.USER32(?,000000EB), ref: 002B2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 002B179A
GetWindowRect.USER32(?,?), ref: 002B17FE
ScreenToClient.USER32(?,?), ref: 002B181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002B182C
EndPaint.USER32(?,?), ref: 002B1876

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: c0ceb75ca7bdf245ba268ef9c58a5d5745649695c5a7e27b7af780a0fe7925c1
Instruction ID: b16d4e5faa9074fd8d25adaaf5dc8893be0a3bfe8ec6a8b3006dabc9a8e4295c
Opcode Fuzzy Hash: c0ceb75ca7bdf245ba268ef9c58a5d5745649695c5a7e27b7af780a0fe7925c1
Instruction Fuzzy Hash: 2041BF30510701AFD722DF25CC94FA67BE8FB45360F544629FAA8872A1C7709865DB62

Function 0032709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00324E41,?,?,00000000,00000001), ref: 003270AC

Part of subcall function 003239A0: GetWindowRect.USER32(?,?), ref: 003239B3

GetDesktopWindow.USER32 ref: 003270D6
GetWindowRect.USER32(00000000), ref: 003270DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0032710F

Part of subcall function 00315244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003152BC

GetCursorPos.USER32(?), ref: 0032713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00327199

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 127afc86e9e6e2840184a080b9c6297e25512d98f5ac451d716a3b0296a249a5
Instruction ID: ef3e08d8ce44b6132ad5fb608e1b174fefa3a909f9cfc79e75e60f4db6f12920
Opcode Fuzzy Hash: 127afc86e9e6e2840184a080b9c6297e25512d98f5ac451d716a3b0296a249a5
Instruction Fuzzy Hash: 3331FE32509315AFD721DF14D849F9BBBAAFF88304F00092AF48897191CB30EA19CB92

Function 00308879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003080A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003080C0
Part of subcall function 003080A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003080CA
Part of subcall function 003080A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003080D9
Part of subcall function 003080A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003080E0
Part of subcall function 003080A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003080F6

GetLengthSid.ADVAPI32(?,00000000,0030842F), ref: 003088CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 003088D6
HeapAlloc.KERNEL32(00000000), ref: 003088DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 003088F6
GetProcessHeap.KERNEL32(00000000,00000000,0030842F), ref: 0030890A
HeapFree.KERNEL32(00000000), ref: 00308911

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 8a8219d5bf88a2b0bd0d51adf532c55a89e900df30689db30ddcf9ae90717ae0
Instruction ID: 03507fa1f2064fdc6e57f5adff74d034ec2a485f881a0d6e8065c3fc3adba049
Opcode Fuzzy Hash: 8a8219d5bf88a2b0bd0d51adf532c55a89e900df30689db30ddcf9ae90717ae0
Instruction Fuzzy Hash: 1811AC71A02209FFDB16AFA4DC5ABBE7BACEB44311F508028F885D7250CB329944DB60

Function 003085B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003085E2
OpenProcessToken.ADVAPI32(00000000), ref: 003085E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 003085F8
CloseHandle.KERNEL32(00000004), ref: 00308603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00308632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00308646

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: c76fd024ea6d3a436820d487b41d15b42b258a771981f5c46ba17bb8db54188d
Instruction ID: 8ac137e33515c601986b8ba85fcb26e8daf6b71eb62d6ab76cd87b537e018681
Opcode Fuzzy Hash: c76fd024ea6d3a436820d487b41d15b42b258a771981f5c46ba17bb8db54188d
Instruction Fuzzy Hash: D111597250120DAFDF128FA8DD89BEE7BADEF09344F054065FE44A21A0C7728D64EB60

Function 0030B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0030B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 0030B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0030B7CD
ReleaseDC.USER32(00000000,00000000), ref: 0030B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0030B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 0030B7FE

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 3f51456fc46096ec9bf733c6aa0f60a46f60dc3ddff0ba51031fc248c8c3454c
Instruction ID: ec3876e4b73005546366d63d597047593f19e4de47bbd477963212def86e14bf
Opcode Fuzzy Hash: 3f51456fc46096ec9bf733c6aa0f60a46f60dc3ddff0ba51031fc248c8c3454c
Instruction Fuzzy Hash: 9F018475E00209BFEB119BA69D85E5EBFBCEF48711F004075FA04A7291D6719C00CF90

Function 002D0162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 002D0193
MapVirtualKeyW.USER32(00000010,00000000), ref: 002D019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 002D01A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 002D01B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 002D01B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 002D01C1

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 71ede40d3df374af9632c971876e33cea99e41ef687498bcae6d8ec68f9f67b3
Instruction ID: a6315eb8864654b35de577ebfd4ce20ca1448c971b63b7f90a6177bc75d01760
Opcode Fuzzy Hash: 71ede40d3df374af9632c971876e33cea99e41ef687498bcae6d8ec68f9f67b3
Instruction Fuzzy Hash: 8A0148B09017597DE3008F5A8C85A52FEA8FF19354F00411BA15847941C7B5A864CBE5

Function 003153E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003153F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0031540F
GetWindowThreadProcessId.USER32(?,?), ref: 0031541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0031542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00315437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0031543E

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 2162838fd56d738ff6bc1fc89d2829a3ddc8993638a5e55c84c4919b2baebca9
Instruction ID: 8488dd4fd495fae070652d9df58ca1be8e0f37f3a7ebc04857335383a4898967
Opcode Fuzzy Hash: 2162838fd56d738ff6bc1fc89d2829a3ddc8993638a5e55c84c4919b2baebca9
Instruction Fuzzy Hash: 65F09631940558BFD3225B52DC4EEEF7B7CEFC6B11F400169F904D1060D7A01A0186B5

Function 00317230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00317243
EnterCriticalSection.KERNEL32(?,?,002C0EE4,?,?), ref: 00317254
TerminateThread.KERNEL32(00000000,000001F6,?,002C0EE4,?,?), ref: 00317261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,002C0EE4,?,?), ref: 0031726E

Part of subcall function 00316C35: CloseHandle.KERNEL32(00000000,?,0031727B,?,002C0EE4,?,?), ref: 00316C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00317281
LeaveCriticalSection.KERNEL32(?,?,002C0EE4,?,?), ref: 00317288

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 26c472608a67323ba9ee69e9f2c1a6e28428d08fa4b5c581e68aa438cf71009b
Instruction ID: 7f157b945470f04437542dfe659ebb47045fd9f8586ae9a5dc7a4f8d6c615270
Opcode Fuzzy Hash: 26c472608a67323ba9ee69e9f2c1a6e28428d08fa4b5c581e68aa438cf71009b
Instruction Fuzzy Hash: 13F09A3A840202EFD7131B64ED8CDDB373DEF48302F800931F602D00A1CBB61842CA50

Function 00308992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0030899D
UnloadUserProfile.USERENV(?,?), ref: 003089A9
CloseHandle.KERNEL32(?), ref: 003089B2
CloseHandle.KERNEL32(?), ref: 003089BA
GetProcessHeap.KERNEL32(00000000,?), ref: 003089C3
HeapFree.KERNEL32(00000000), ref: 003089CA

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 57ca2ac9fa2cf63637b8139592393aea698cc7e96c4e0038c3c4dcb05c82f609
Instruction ID: c881b7eed59e2d95f9cb6393191d559dd9550973c73a9a5c35fc527288f19e93
Opcode Fuzzy Hash: 57ca2ac9fa2cf63637b8139592393aea698cc7e96c4e0038c3c4dcb05c82f609
Instruction Fuzzy Hash: DCE0C236804001FFDA021FE2EC4CD1ABB6DFB89362F908230F21981070CB329424DB50

Function 00307530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00342C7C,?), ref: 003076EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00342C7C,?), ref: 00307702
CLSIDFromProgID.OLE32(?,?,00000000,0033FB80,000000FF,?,00000000,00000800,00000000,?,00342C7C,?), ref: 00307727
_memcmp.LIBCMT ref: 00307748

Strings

,,4, xrefs: 0030753D

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,4
API String ID: 314563124-3600021901
Opcode ID: e64c7c74fa7a92f149eaf9e2ffb180d047be191a8952bfd8f2e60bb3d737469d
Instruction ID: 7b79845c9d4860f6258e2ad25e7eebdc3fa2aced6ab32a7e83bbd73dbb2d5b0b
Opcode Fuzzy Hash: e64c7c74fa7a92f149eaf9e2ffb180d047be191a8952bfd8f2e60bb3d737469d
Instruction Fuzzy Hash: 53813B75E00109EFCB05DFA4C994EEEB7B9FF89315F204158E506AB290DB71AE06CB60

Function 003285ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00328613
CharUpperBuffW.USER32(?,?), ref: 00328722
VariantClear.OLEAUT32(?), ref: 0032889A

Part of subcall function 00317562: VariantInit.OLEAUT32(00000000), ref: 003175A2
Part of subcall function 00317562: VariantCopy.OLEAUT32(00000000,?), ref: 003175AB
Part of subcall function 00317562: VariantClear.OLEAUT32(00000000), ref: 003175B7

Strings

Incorrect Parameter format, xrefs: 0032864B, 0032880D
AUTOIT.ERROR, xrefs: 00328728

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 7ec42aff93d96b8ae6782a3e4fca24c57ac3d54662246bb15e3c975a3406d0c0
Instruction ID: bab0288926e59581151c83acf6e5e4bd63477a85b72e2047a5d432d8d828ddd3
Opcode Fuzzy Hash: 7ec42aff93d96b8ae6782a3e4fca24c57ac3d54662246bb15e3c975a3406d0c0
Instruction Fuzzy Hash: 54919B706083019FC711DF24D48499ABBF8EF89754F14892EF99A8B362DB31ED45CB92

Function 00312A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002CFC86: _wcscpy.LIBCMT ref: 002CFCA9

_memset.LIBCMT ref: 00312B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00312BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00312C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00312C97

Strings

0, xrefs: 00312B73

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 0da9db4f9777189b8363760fc73b85df917df74b731f254faf7b2a776efeba9e
Instruction ID: 8c538cba2058f96ac648979b9c380e64d8b72ac41dbcec5f3c7bdab5321443de
Opcode Fuzzy Hash: 0da9db4f9777189b8363760fc73b85df917df74b731f254faf7b2a776efeba9e
Instruction Fuzzy Hash: 4951D1716083009FD72E9F28D845AAF77E8EF9D350F054A2DF995D6290DB70CCA48B92

Function 002C3137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002C3277
_memmove.LIBCMT ref: 002C3310
_free.LIBCMT ref: 002C3336
_memmove.LIBCMT ref: 002C33E9

Strings

3c,, xrefs: 002C3225
_,, xrefs: 002C3322

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: _memmove$_free
String ID: 3c,$_,
API String ID: 2620147621-370742736
Opcode ID: c547d049cdf9ff844e0f88f710db80c521c5618619beb993041cab74c3187204
Instruction ID: e23bf2b0b44317ec8017dcdbea61b9e462a82093ce5c140ca885e19f97638b40
Opcode Fuzzy Hash: c547d049cdf9ff844e0f88f710db80c521c5618619beb993041cab74c3187204
Instruction Fuzzy Hash: 79514B716247428FDB29CF28C490B6ABBE5FF85314F04892DE98987361D731E911CB82

Function 002C6192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002C6248
_memmove.LIBCMT ref: 002C62E4
_memset.LIBCMT ref: 002C6308

Strings

ERCP, xrefs: 002C61B3
3c,, xrefs: 002C62AF

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3c,$ERCP
API String ID: 2532777613-3822882533
Opcode ID: 307609f4eeb8e04359158fff407d1de0839ca0598e1d8489083c096ec0b52fb5
Instruction ID: 5ff8e1245f0cefaeddd84829c7de30249a4a3d02253705643149da7ee7d522b2
Opcode Fuzzy Hash: 307609f4eeb8e04359158fff407d1de0839ca0598e1d8489083c096ec0b52fb5
Instruction Fuzzy Hash: 0851B170910306DFDB25CF55C985BAAB7F8EF04304F20866EE84AC7291E771EA54CB51

Function 003397F4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0139E6A0,?), ref: 00339863
ScreenToClient.USER32(00000002,00000002), ref: 00339896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00339903

Strings

@U=u, xrefs: 0033995E

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: @U=u
API String ID: 3880355969-2594219639
Opcode ID: 5cf82ff4376a80e64ffb9629c407534a151d33a639f156e4c45a3564c5ae8c89
Instruction ID: b956fe3d02d9c29b1ca1ffe15a26f3da66a07969ac4258ee44d00ff97efe0822
Opcode Fuzzy Hash: 5cf82ff4376a80e64ffb9629c407534a151d33a639f156e4c45a3564c5ae8c89
Instruction Fuzzy Hash: 03514E34A00209EFDB26CF14C8C0BAE7BB5FF85360F15825AF8559B2A0D770AD81CB90

Function 003097F5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003114BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00309296,?,?,00000034,00000800,?,00000034), ref: 003114E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0030983F

Part of subcall function 00311487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003092C5,?,?,00000800,?,00001073,00000000,?,?), ref: 003114B1

Part of subcall function 003113DE: GetWindowThreadProcessId.USER32(?,?), ref: 00311409
Part of subcall function 003113DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0030925A,00000034,?,?,00001004,00000000,00000000), ref: 00311419
Part of subcall function 003113DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0030925A,00000034,?,?,00001004,00000000,00000000), ref: 0031142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003098AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003098F9

Strings

@U=u, xrefs: 0030983F, 003098AC, 003098F9
@, xrefs: 00309911

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @$@U=u
API String ID: 4150878124-826235744
Opcode ID: e8c112b1433acaf60052f7d53360c7b89f88f1d2251ad983c025af11eccfa9e7
Instruction ID: 5457c15195991ff3c2a548f8c406ac75f8025b5bad77c5078c847d2c7ba0df77
Opcode Fuzzy Hash: e8c112b1433acaf60052f7d53360c7b89f88f1d2251ad983c025af11eccfa9e7
Instruction Fuzzy Hash: A4415C76901218BFCB15DFA4CD96BDEBBB8EB09700F004199FA55B7181DA706E85CBA0

Function 00312753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003127C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 003127DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00312822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00375890,00000000), ref: 0031286B

Strings

0, xrefs: 003127B5

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 09edbecdcb66626b6f318400882d0d693d30cf2f516a2b089c08bb23b54960b3
Instruction ID: 7b07f347dcd903dd0fe481981feef16e31c627938006a7501398832571f12c7c
Opcode Fuzzy Hash: 09edbecdcb66626b6f318400882d0d693d30cf2f516a2b089c08bb23b54960b3
Instruction Fuzzy Hash: 1441CF702043019FDB2ADF25C884B9BBBE8EF89310F05492DF8A59B2D1D730E865CB52

Function 00338851 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003388DE

Strings

@U=u, xrefs: 0033892D

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: db5be1553c5c5e4169eaaa2129fec200e365b9bfe146846af667c89ea74a329c
Instruction ID: bc2d6e6d1e1a6e9da74be89f95888392a642dd42e9a1a16b506b2d82caff37d3
Opcode Fuzzy Hash: db5be1553c5c5e4169eaaa2129fec200e365b9bfe146846af667c89ea74a329c
Instruction Fuzzy Hash: 7531F234600308BFEB279F28CCC5FB877A8EB09310FA54512FA15EA1A1CF71E9409B52

Function 0032D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0032D7C5

Part of subcall function 002B784B: _memmove.LIBCMT ref: 002B7899

Strings

none, xrefs: 0032D8A0
cdecl, xrefs: 0032D81C
winapi, xrefs: 0032D836
stdcall, xrefs: 0032D847

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 1cee99ced3403d62053faebe6179757e03606c3b339664b759c67cdf4cfa1839
Instruction ID: ad06b2575e9822e003161075b745b44fae75c5aacc96a17ed1da72f711ab365e
Opcode Fuzzy Hash: 1cee99ced3403d62053faebe6179757e03606c3b339664b759c67cdf4cfa1839
Instruction Fuzzy Hash: 24318371914629ABCF01EF54C8919EEB3B5FF04320F10862AE865977D5DB71AD15CF80

Function 0032182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0032184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00321872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003218A2
InternetCloseHandle.WININET(00000000), ref: 003218E9

Part of subcall function 00322483: GetLastError.KERNEL32(?,?,00321817,00000000,00000000,00000001), ref: 00322498
Part of subcall function 00322483: SetEvent.KERNEL32(?,?,00321817,00000000,00000000,00000001), ref: 003224AD

Strings

, xrefs: 00321893

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: a1ece0e7036597b50f414a254a8e55dd5bb47d5624d5e2166d07cbd1e721bebc
Instruction ID: 4f7b7b25573dcfa581f456c0d4a48499028b4d238e70ffbbfd5545e933c14b6e
Opcode Fuzzy Hash: a1ece0e7036597b50f414a254a8e55dd5bb47d5624d5e2166d07cbd1e721bebc
Instruction Fuzzy Hash: 0021CFB2500318BFEB129F61EDC5EBF77EDEB59744F10412AF805A6240EB219D0497A1

Function 003363E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 002B1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002B1D73
Part of subcall function 002B1D35: GetStockObject.GDI32(00000011), ref: 002B1D87
Part of subcall function 002B1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 002B1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00336461
LoadLibraryW.KERNEL32(?), ref: 00336468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0033647D
DestroyWindow.USER32(?), ref: 00336485

Strings

SysAnimate32, xrefs: 0033643C

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 7be61184d919b6304ca3c9a9ff449be91a8bcfac543afae735aa4802547e5aff
Instruction ID: 586eb90cf7a121803d7519019cdec3b61efa410eb2e09beb2477a38caaf363f9
Opcode Fuzzy Hash: 7be61184d919b6304ca3c9a9ff449be91a8bcfac543afae735aa4802547e5aff
Instruction Fuzzy Hash: 5221BB71A00205BFEF124F65ECC2EBA37ACEB48324F118629FA10960A0C731DC519720

Function 00316D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00316DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00316DEF
GetStdHandle.KERNEL32(0000000C), ref: 00316E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00316E3B

Strings

nul, xrefs: 00316E36

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 21e1d9bb7102b8233da4a580fc0d6810cece7a7ffa5a8d3784041450488e8aad
Instruction ID: 4c8a4f901afea761423ff20f59425e3300caeabbd9982e12066e1a49f57fe115
Opcode Fuzzy Hash: 21e1d9bb7102b8233da4a580fc0d6810cece7a7ffa5a8d3784041450488e8aad
Instruction Fuzzy Hash: F821A774600209EFDB259FA9EC46ADA77F8EF48720F204A19FCA1D72D0D7709990CB50

Function 00316E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00316E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00316EBB
GetStdHandle.KERNEL32(000000F6), ref: 00316ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00316F06

Strings

nul, xrefs: 00316F01

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: ce66107647ccf9bab99eccfbf4ec9d9f4010f988da1769a687c3b948395942f9
Instruction ID: 848546b9c406dc5e8e6ad53333aad8f0fa29217d7d9bca1ffca2187d1e2237c1
Opcode Fuzzy Hash: ce66107647ccf9bab99eccfbf4ec9d9f4010f988da1769a687c3b948395942f9
Instruction Fuzzy Hash: E421A1795003059FDB269FA9DD46AEA77A8EF49720F200B19FCE0D72D0D770A891CB60

Function 0031AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0031AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0031ACA8
__swprintf.LIBCMT ref: 0031ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,0033F910), ref: 0031ACFF

Strings

%lu, xrefs: 0031ACBB

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 9348d8e22d5f35d7aab096865bfe7589de8cb8f8ca24eed291231c0b4725a7a4
Instruction ID: c42587a67d9f884c7c71594f9186aee2018b741a735bef86c70846057e9b0d53
Opcode Fuzzy Hash: 9348d8e22d5f35d7aab096865bfe7589de8cb8f8ca24eed291231c0b4725a7a4
Instruction Fuzzy Hash: 44216D30A00109AFCB11EF65C985EEEBBB8EF49314F004069F909EB252DA31EA51CB61

Function 00311142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0030FCED,?,00310D40,?,00008000), ref: 0031115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,0030FCED,?,00310D40,?,00008000), ref: 00311184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0030FCED,?,00310D40,?,00008000), ref: 0031118E
Sleep.KERNEL32(?,?,?,?,?,?,?,0030FCED,?,00310D40,?,00008000), ref: 003111C1

Strings

@1, xrefs: 0031119D

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @1
API String ID: 2875609808-1806379685
Opcode ID: 74b16dc2aa9f6791c4e439f992785ff6aa6938c40cb1215f68d64792810efd20
Instruction ID: c597d0948eaaef4ed2c7e762146a454555b5e4746ecc7891d168329a287f0da0
Opcode Fuzzy Hash: 74b16dc2aa9f6791c4e439f992785ff6aa6938c40cb1215f68d64792810efd20
Instruction Fuzzy Hash: E2111831D00519EBCF069FA5E889BEEFB78FB09711F414066EB41B2240CB7095A08BA5

Function 0032EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0032EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0032EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0032ED6A
CloseHandle.KERNEL32(?), ref: 0032EDEB

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 986d7fbace717d0a05bbd8b73ab0b95ff0b7031892430b8b55cf8eae46a6db5b
Instruction ID: 18a7bd0e5dcbf1f404579c1f740916aa660782048dc20927f70f3bddab3d4f4e
Opcode Fuzzy Hash: 986d7fbace717d0a05bbd8b73ab0b95ff0b7031892430b8b55cf8eae46a6db5b
Instruction Fuzzy Hash: 2E819E716043119FD721EF28D886F6AB7E9AF48750F04881DFA999B292DB70AC50CF81

Function 002D541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 002D547B
_memcpy_s.LIBCMT ref: 002D54ED
__read_nolock.LIBCMT ref: 002D554B
__filbuf.LIBCMT ref: 002D556E
_memset.LIBCMT ref: 002D55B2

Part of subcall function 002D8B28: __getptd_noexit.LIBCMT ref: 002D8B28

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction ID: ef7e4292e3abb9495ec898da5de770ff41e44235f8b649e3b8cc37bf28da6de5
Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction Fuzzy Hash: AF51D830A20B16DBDB258F69D88066E77A6AF40320F64872BF825963D0D7F1DDB08F41

Function 00330037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22

Part of subcall function 00330E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0032FDAD,?,?), ref: 00330E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003300FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0033013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00330183
RegCloseKey.ADVAPI32(?,?), ref: 003301AF
RegCloseKey.ADVAPI32(00000000), ref: 003301BC

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: dce4316dfafa6a37634004f86ca8c084dd6b2f11473ced5464fca4606e366ada
Instruction ID: aec43a1cc65d35a7a4c00074340a26bccf075bca658063e299e509d6106b8a98
Opcode Fuzzy Hash: dce4316dfafa6a37634004f86ca8c084dd6b2f11473ced5464fca4606e366ada
Instruction Fuzzy Hash: 74516D31618204AFC719EF58CC91FAAB7E9FF84314F44492DF5968B2A2DB31E914CB52

Function 0032D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 002B9837: __itow.LIBCMT ref: 002B9862
Part of subcall function 002B9837: __swprintf.LIBCMT ref: 002B98AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0032D927
GetProcAddress.KERNEL32(00000000,?), ref: 0032D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0032D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 0032DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0032DA21

Part of subcall function 002B5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00317896,?,?,00000000), ref: 002B5A2C
Part of subcall function 002B5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00317896,?,?,00000000,?,?), ref: 002B5A50

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 86b8e107355296e4d6dd7a1b81df42f6af5bddd76a988e7668f1c99fa1ad5de5
Instruction ID: 3edb3d5299cdfb1625738ff3122f545b8719379e57fd3ec1a20fda9674c626b5
Opcode Fuzzy Hash: 86b8e107355296e4d6dd7a1b81df42f6af5bddd76a988e7668f1c99fa1ad5de5
Instruction Fuzzy Hash: CE512635A04619DFCB01EFA8D4849ADB7B8FF09324B05C065E955AB322D730ED95CF90

Function 0031E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0031E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0031E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0031E687

Part of subcall function 002B9837: __itow.LIBCMT ref: 002B9862
Part of subcall function 002B9837: __swprintf.LIBCMT ref: 002B98AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0031E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0031E6B4

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 1106ef4d2f40e40ca6089e9f1fd2ae2a85ee6fd8482daa37dfbe98ccc8e5291a
Instruction ID: f653d88d8cf88de61cef11702cc9a2d52528f6cfb8884dbe3a911fde99a9f045
Opcode Fuzzy Hash: 1106ef4d2f40e40ca6089e9f1fd2ae2a85ee6fd8482daa37dfbe98ccc8e5291a
Instruction Fuzzy Hash: 6E511835A10205DFCB05EF64C981AAEBBF5EF09354F1480A9E909AB362CB31ED61DF50

Function 002B2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002B2357
ScreenToClient.USER32(003757B0,?), ref: 002B2374
GetAsyncKeyState.USER32(00000001), ref: 002B2399
GetAsyncKeyState.USER32(00000002), ref: 002B23A7

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 3c2d0bfd65795f2f7fd6699d06d7b4dfd7babbff9ae1db7f671668f320069ff3
Instruction ID: da1627336276c3330cbfe6e5587987c3a413ad1adbaf1ec756d74faca3763bb8
Opcode Fuzzy Hash: 3c2d0bfd65795f2f7fd6699d06d7b4dfd7babbff9ae1db7f671668f320069ff3
Instruction Fuzzy Hash: 9E41A335914206FFCF169F69CC85AE9BBB4FB05360F604355F829962A0C7349DA4DF90

Function 003063AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003063E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00306433
TranslateMessage.USER32(?), ref: 0030645C
DispatchMessageW.USER32(?), ref: 00306466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00306475

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: a4c967bc7504407236bd022b08a9956bcfcc83915accf77fbcaea4c30ec487bc
Instruction ID: 7f0e754de742553ecda3e8cb8a41599efacc7e5d028aee03b6cc23d7c1104e10
Opcode Fuzzy Hash: a4c967bc7504407236bd022b08a9956bcfcc83915accf77fbcaea4c30ec487bc
Instruction Fuzzy Hash: 64310A31A01642AFDB3BCF71CC96BB67BACAB01310F550169E425C30F5E77594A9D7A0

Function 00308A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00308A30
PostMessageW.USER32(?,00000201,00000001), ref: 00308ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00308AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00308AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00308AF8

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: a53c5673f4d1bd9c40210ecd85f287efd384c25d1a68cdab791a07ddd89a3f8a
Instruction ID: 9ff2100552f734656a58ffcd97da8af01c3a95be75d6b21fd14b8b2b50d4bbae
Opcode Fuzzy Hash: a53c5673f4d1bd9c40210ecd85f287efd384c25d1a68cdab791a07ddd89a3f8a
Instruction Fuzzy Hash: EA310071A00219EFCF00CFA8D98DA9E7BB9EB04315F10822AF865EA1D0C7B09914CB90

Function 0033B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 002B2612: GetWindowLongW.USER32(?,000000EB), ref: 002B2623

GetWindowLongW.USER32(?,000000F0), ref: 0033B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0033B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0033B1CF
GetSystemMetrics.USER32(00000004), ref: 0033B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00320E90,00000000), ref: 0033B216

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: fde1915d927970345e349df94a38371140fe153b872df766c3dcf18c489d69df
Instruction ID: e301e6de250ac920d5bb80360f7163b30aaefe1a89e8dd2031f42a90e3d679df
Opcode Fuzzy Hash: fde1915d927970345e349df94a38371140fe153b872df766c3dcf18c489d69df
Instruction Fuzzy Hash: 5F219171E10655EFCB269F389C84A6AB7A8FB05361F124B28FA36D71E0D73098508B90

Function 002B12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002B134D
SelectObject.GDI32(?,00000000), ref: 002B135C
BeginPath.GDI32(?), ref: 002B1373
SelectObject.GDI32(?,00000000), ref: 002B139C

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 0dc3598a3b94bc5110342bc01b45d8f7a0d1f18fa4fc5d8ca67e31ef5468e473
Instruction ID: a244b01edc1dc6d5af31e8905cb866aafd3954d6cec5391e6bd1e52d225010a7
Opcode Fuzzy Hash: 0dc3598a3b94bc5110342bc01b45d8f7a0d1f18fa4fc5d8ca67e31ef5468e473
Instruction Fuzzy Hash: 14217F30D20609EFDB268F65DD447A93BECEB00351F98426AE814961B1E3B098F1CF51

Function 00314A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00314ABA
__beginthreadex.LIBCMT ref: 00314AD8
MessageBoxW.USER32(?,?,?,?), ref: 00314AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00314B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00314B0A

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 3c9c13580fda1005ad2b2ae4e6716d4d9e4e57fb8296fcf9ba0b3c52d7e1f558
Instruction ID: 0a604ecbc05941d590150c55b4542fe5e60ef3e142d17992e4ab097eb414595d
Opcode Fuzzy Hash: 3c9c13580fda1005ad2b2ae4e6716d4d9e4e57fb8296fcf9ba0b3c52d7e1f558
Instruction Fuzzy Hash: 01110C76D08204BFD7179FA8EC44ADB7FACEB49321F144269F814D3251D671CD448BA0

Function 00308202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0030821E
GetLastError.KERNEL32(?,00307CE2,?,?,?), ref: 00308228
GetProcessHeap.KERNEL32(00000008,?,?,00307CE2,?,?,?), ref: 00308237
HeapAlloc.KERNEL32(00000000,?,00307CE2,?,?,?), ref: 0030823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00308255

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: be3cfab37465a7e0ce67edc5fb9351828df6da76b0655804afaacb18b0cb1bee
Instruction ID: 41c03e19624115d6c881422b0fb3a6c855f56c07ba10d29a4c65564ed452356d
Opcode Fuzzy Hash: be3cfab37465a7e0ce67edc5fb9351828df6da76b0655804afaacb18b0cb1bee
Instruction Fuzzy Hash: 7E016271A01604FFDB124FA6DC88D677B6CEF85754F500829F849C2160DA318C10DA60

Function 0030710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00307044,80070057,?,?,?,00307455), ref: 00307127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00307044,80070057,?,?), ref: 00307142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00307044,80070057,?,?), ref: 00307150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00307044,80070057,?), ref: 00307160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00307044,80070057,?,?), ref: 0030716C

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 8576d1cd46d56cda0abc2ca59efeb622d0bbfb0fea03a59fedfc4a38c6c6b6f8
Instruction ID: 836b5bfeaf57489a4f7976d5654e484c2ce412257b827ec6eaf4b693cccb8269
Opcode Fuzzy Hash: 8576d1cd46d56cda0abc2ca59efeb622d0bbfb0fea03a59fedfc4a38c6c6b6f8
Instruction Fuzzy Hash: 0A017C76A02204BFDB1A4F64DC84AAA7BBDEB447A1F150065FD08D62A0D731ED41DBA0

Function 00315244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00315260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0031526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00315276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00315280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003152BC

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: a7f0f0d90f2bdf0e2686b3102411b7545abff3647ebebccb1f883c0d1d69929a
Instruction ID: 6aade422e5b86be4b9796ee3e5fb8f281e1dcb062133a41433b2f8a0dbf65a93
Opcode Fuzzy Hash: a7f0f0d90f2bdf0e2686b3102411b7545abff3647ebebccb1f883c0d1d69929a
Instruction Fuzzy Hash: E1015732D01A19DBCF06EFE4E8899EEBB7CBB4D311F810856E945F2140CB3059958BA1

Function 0030810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00308121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0030812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0030813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00308141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00308157

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0964672e0798e417d6289bc31048dc8a6dff8d295cb5091daff51f1256726705
Instruction ID: 1f2294bd776ac2e18d926a5bba0081cd2f4c403ed50387a89e733d264a08eb82
Opcode Fuzzy Hash: 0964672e0798e417d6289bc31048dc8a6dff8d295cb5091daff51f1256726705
Instruction Fuzzy Hash: 1EF06275601304BFEB160FA5ECD8E673BACFF49754F400025F985C61A0CB61DD55DA60

Function 0030C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0030C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 0030C20E
MessageBeep.USER32(00000000), ref: 0030C226
KillTimer.USER32(?,0000040A), ref: 0030C242
EndDialog.USER32(?,00000001), ref: 0030C25C

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: ae1acaf8224d646c454f640a336360cf77e34eec5818e280ab09390a3e3bac52
Instruction ID: 43e43065a64e69c435378ec191ae648acc219cd04bef4687102b1c393b2ccbac
Opcode Fuzzy Hash: ae1acaf8224d646c454f640a336360cf77e34eec5818e280ab09390a3e3bac52
Instruction Fuzzy Hash: E501A730814704ABEB225B60DD9EB96777CBB00705F400669A582918E0D7E469548B50

Function 002B13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 002B13BF
StrokeAndFillPath.GDI32(?,?,002EB888,00000000,?), ref: 002B13DB
SelectObject.GDI32(?,00000000), ref: 002B13EE
DeleteObject.GDI32 ref: 002B1401
StrokePath.GDI32(?), ref: 002B141C

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 4dcad25771a95bd6e94ba09e87eaf3806e7d8cee838206b4ffa17628fa7151ff
Instruction ID: c2418fffedb65881f006ff8f2acb436ba53c5a017d195a3270e06b96d42d8d54
Opcode Fuzzy Hash: 4dcad25771a95bd6e94ba09e87eaf3806e7d8cee838206b4ffa17628fa7151ff
Instruction Fuzzy Hash: 51F0FB30511A09EFDB2B5F1AED887983FA8E701366F488224E429480B2C77045F5DF11

Function 0031C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0031C432
CoCreateInstance.OLE32(00342D6C,00000000,00000001,00342BDC,?), ref: 0031C44A

Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22

CoUninitialize.OLE32 ref: 0031C6B7

Strings

.lnk, xrefs: 0031C3C6, 0031C3EE, 0031C3F8

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 8eeacf9d7798fcfb95ef91e779258f66e615e918555b4bdceec2ed2e6c121e38
Instruction ID: 078884ebd72948fc9cec780134e6a9a9b646419d1ddfc2384a0c2a570850db05
Opcode Fuzzy Hash: 8eeacf9d7798fcfb95ef91e779258f66e615e918555b4bdceec2ed2e6c121e38
Instruction Fuzzy Hash: 39A14A71214205AFD700EF54C881EABB7ECFF89394F00491CF5559B1A2EB71EA59CB92

Function 002C2CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 002D0DB6: std::exception::exception.LIBCMT ref: 002D0DEC
Part of subcall function 002D0DB6: __CxxThrowException@8.LIBCMT ref: 002D0E01

Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22

Part of subcall function 002B7A51: _memmove.LIBCMT ref: 002B7AAB

__swprintf.LIBCMT ref: 002C2ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 002C2D66

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 621a41d3f9ad2c84f2806031d6152cba34955eaa2e0e1940fd34cb78c7506a4f
Instruction ID: 4a09bb1d18b8a059f9dd797e917d00558d87ecae32a60a67b001ec66ec8589d3
Opcode Fuzzy Hash: 621a41d3f9ad2c84f2806031d6152cba34955eaa2e0e1940fd34cb78c7506a4f
Instruction Fuzzy Hash: 8F917D31128616DFC714EF24C889DBEB7B4EF85754F00492DF585AB2A1DA30ED68CB52

Function 0031B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 002B4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002B4743,?,?,002B37AE,?), ref: 002B4770

CoInitialize.OLE32(00000000), ref: 0031B9BB
CoCreateInstance.OLE32(00342D6C,00000000,00000001,00342BDC,?), ref: 0031B9D4
CoUninitialize.OLE32 ref: 0031B9F1

Part of subcall function 002B9837: __itow.LIBCMT ref: 002B9862
Part of subcall function 002B9837: __swprintf.LIBCMT ref: 002B98AC

Strings

.lnk, xrefs: 0031B99D, 0031B9AB

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 316d19eb3937571115a9d7fdccdcf6b85265db09d20b941c91064cab9450d8d9
Instruction ID: efdfd10414ec9693cc7e323deb5f655859b2235a882d4ac223415389a450a54f
Opcode Fuzzy Hash: 316d19eb3937571115a9d7fdccdcf6b85265db09d20b941c91064cab9450d8d9
Instruction Fuzzy Hash: AAA145756043019FCB05EF14C484D9ABBE5FF89314F058998F9999B3A1CB31EC85CB91

Function 0030B2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0030B4BE

Strings

AutoIt3GUI, xrefs: 0030B436
%4, xrefs: 0030B561
Container, xrefs: 0030B43B

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%4
API String ID: 3565006973-3553967331
Opcode ID: 2b6e487e39793a246c40f087228edd15b024664d31721b3a2860fa30d303f57e
Instruction ID: 82f98ce5ec2de323cabebb513e11f4661501bdd314065cac0741eef1fbf373e2
Opcode Fuzzy Hash: 2b6e487e39793a246c40f087228edd15b024664d31721b3a2860fa30d303f57e
Instruction Fuzzy Hash: EE916974601601AFDB15CF24C894B6ABBF9FF49700F2084AEF94ACB6A1DB70E841CB50

Function 002D501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 002D50AD

Part of subcall function 002E00F0: __87except.LIBCMT ref: 002E012B

Strings

pow, xrefs: 002D5085, 002D50A2

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: d1a3ec5979b7b739ef2b9f269375b41b95fc7088c8af3c0814bac842a6cd7f33
Instruction ID: 41eca4ee0224463967b61fa1a364e1538355d4cf96f90cc9d110163675a5795d
Opcode Fuzzy Hash: d1a3ec5979b7b739ef2b9f269375b41b95fc7088c8af3c0814bac842a6cd7f33
Instruction Fuzzy Hash: 2551BC2097C54382DB117F25C88137E2BD49B01301F648D5AE4C98E3A9DFF48DFA9E82

Function 002F8584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002F862B
_memmove.LIBCMT ref: 002F8685

Strings

3c,, xrefs: 002F860C
_,, xrefs: 002F86FF, 002FDFDC, 002FDFF8

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: _memmove
String ID: 3c,$_,
API String ID: 4104443479-370742736
Opcode ID: 8ade6735bbe1b4d26e392e43cf7dadab36c1bacd4e8153530a0e4b310b27765b
Instruction ID: 8042310df4950048cd5ece1fd3f25787fb661522756d0a7e484f9d690e1ef74e
Opcode Fuzzy Hash: 8ade6735bbe1b4d26e392e43cf7dadab36c1bacd4e8153530a0e4b310b27765b
Instruction Fuzzy Hash: FF518DB091061A9FCF20CF68C890ABEFBB1FF44344F148529E95AD7250EB30E965CB51

Function 00337946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0033F910,00000000,?,?,?,?), ref: 003379DF
GetWindowLongW.USER32 ref: 003379FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00337A0C

Strings

SysTreeView32, xrefs: 003379B1

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: b0fe67f96e9220c9054a7842d850357a9d1692974e88490a80383013b94e3ad9
Instruction ID: 6f859daf09b34ef47c9864e74e98c72dfb780745be0bacf17e418f17c15f9bd0
Opcode Fuzzy Hash: b0fe67f96e9220c9054a7842d850357a9d1692974e88490a80383013b94e3ad9
Instruction Fuzzy Hash: FF31CF71604206AFDB268E38DC81BEA77A9EF05324F218725F875A32E0D731ED618B50

Function 003373D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00337461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00337475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00337499

Strings

SysMonthCal32, xrefs: 0033742C

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 862623aad15f077f0c191525ebbf58cc81db12e059b5ed875c1a30e62603af1d
Instruction ID: 4401d3b4b4bc91dd2d5500ca284164aa87e260b64c5d8cf4ca75c5aa7f86e873
Opcode Fuzzy Hash: 862623aad15f077f0c191525ebbf58cc81db12e059b5ed875c1a30e62603af1d
Instruction Fuzzy Hash: E621D372500218AFDF268F55CC86FEA3B69EF48724F120214FE556B1D0DA75BC90CBA0

Function 00336CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00336D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00336D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00336D70

Strings

Listbox, xrefs: 00336D08

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: ddfa07ff37c70b5c9e7a768f1d456b71f333be3c2e7c60780c5fa23d571d8562
Instruction ID: 541d7e8ec1441916d1cd97c265395be2acf3dd44d6c9dde571638af1755dc120
Opcode Fuzzy Hash: ddfa07ff37c70b5c9e7a768f1d456b71f333be3c2e7c60780c5fa23d571d8562
Instruction Fuzzy Hash: 95215032610118BFEF168F54DC86EAB3BAEEB89750F51C128FA459B1A0C6719C519BA0

Function 003239E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00323A66

Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 00323A58
%4, xrefs: 003239F4
, $, xrefs: 00323AA6

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%4
API String ID: 3506404897-4045604893
Opcode ID: c0c574cae269a6a2d97a76235a1fdad52760cbd60b8b3245ee91d9f6f58cd915
Instruction ID: 5fa922a508349572e8c3c4c809f820e0f22fa40adc4ea168a66f759ed2dd060e
Opcode Fuzzy Hash: c0c574cae269a6a2d97a76235a1fdad52760cbd60b8b3245ee91d9f6f58cd915
Instruction Fuzzy Hash: 19219330A10119AFCF12EF64DC82EEE77B9AF48340F404469F555AB185DB34EA55CF61

Function 00308C4B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00308C6D
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00308C84
SendMessageW.USER32(?,0000000D,?,00000000), ref: 00308CBC

Strings

@U=u, xrefs: 00308CBC

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: c59a84178f5d6f09810780de6299e58ec5cebdc321860580b528a13066e57930
Instruction ID: 78fc94f35d2d3e013446047697fc3f9fe35798559deae6b1bcb421ed52d4b99a
Opcode Fuzzy Hash: c59a84178f5d6f09810780de6299e58ec5cebdc321860580b528a13066e57930
Instruction Fuzzy Hash: 5A21A172A02118BFEB11DBA8C882DAFF7BDEF44350F11045AE545E32A4DA71AD409BA4

Function 0033770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00337772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00337787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00337794

Strings

msctls_trackbar32, xrefs: 00337749

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 30efdd242f70211bd5f68a362f2ad1bf3f2dc8bd0882863b919b8545791292ac
Instruction ID: 655edf281cfa9eb8806618a8d71d7f206b31f449c1bd1a73f6986e6505221a7c
Opcode Fuzzy Hash: 30efdd242f70211bd5f68a362f2ad1bf3f2dc8bd0882863b919b8545791292ac
Instruction Fuzzy Hash: 20113A72200208BFEF355F60CC41FE7776CEF89B54F024118F64196090C272E811CB10

Function 00336920 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 003369A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003369B1

Strings

@U=u, xrefs: 003369B1
edit, xrefs: 00336986

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: @U=u$edit
API String ID: 2978978980-590756393
Opcode ID: f9450eb33af22b0b2e9dab4b6fc6e1c659709b1fc34f383df6643e799559cfa3
Instruction ID: 1c69237e56a22d30a166180cc9e380d19c902cb5dd3bf139aa22a754762d9f34
Opcode Fuzzy Hash: f9450eb33af22b0b2e9dab4b6fc6e1c659709b1fc34f383df6643e799559cfa3
Instruction Fuzzy Hash: 31118F71500108BFEB128E64DC86BEB376DEB06374F618724F9A5971E0C771DC909B60

Function 00308E05 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22

Part of subcall function 0030AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0030AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00308E73

Strings

@U=u, xrefs: 00308E73
ListBox, xrefs: 00308E3D
ComboBox, xrefs: 00308E12

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: 117f774ebe20be276f7aba3b5fffe7e9d6408c7011ad184604153cf2b37f11ea
Instruction ID: f57bc1dcc13d73d5d93bc2d85deb687e1eb743c6192a934aeb6c5e96965591a2
Opcode Fuzzy Hash: 117f774ebe20be276f7aba3b5fffe7e9d6408c7011ad184604153cf2b37f11ea
Instruction Fuzzy Hash: B8012871716229ABCF16FBA0CC669FE7368EF413A0F440A19F8755B2D1DF315818C690

Function 00308CFD Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22

Part of subcall function 0030AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0030AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00308D6B

Strings

@U=u, xrefs: 00308D6B
ListBox, xrefs: 00308D35
ComboBox, xrefs: 00308D0A

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: 5828a27b7eac2455cf5e7796ab9a1de7956efef11572c49609ecbe3e9c082572
Instruction ID: 140b8928471a515d2e289a7997f537db076f416d9e7e500afd779b49ec32f69f
Opcode Fuzzy Hash: 5828a27b7eac2455cf5e7796ab9a1de7956efef11572c49609ecbe3e9c082572
Instruction Fuzzy Hash: 4701F771B42509ABCF16EBA0C966EFF73ACDF15380F540119B841672D1DE105E18D6B1

Function 00308D82 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002B7DE1: _memmove.LIBCMT ref: 002B7E22

Part of subcall function 0030AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0030AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00308DEE

Strings

@U=u, xrefs: 00308DEE
ListBox, xrefs: 00308DBA
ComboBox, xrefs: 00308D8F

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: 33efa4628bcc809c28a3124502a4a0274d44a931332029c5f19e424bb4ec48ed
Instruction ID: d735947e6e1fdb61630f7ac2562c02b13d9bed4c5d15b9b9880825384d2d6e14
Opcode Fuzzy Hash: 33efa4628bcc809c28a3124502a4a0274d44a931332029c5f19e424bb4ec48ed
Instruction Fuzzy Hash: 0F01F271B46109ABCF12EBA4C962AFF73AC8F11380F144119B841672D2DE218E18D6B1

Function 002D6B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 002D6B93
__calloc_crt.LIBCMT ref: 002D6BAC

Strings

6, xrefs: 002D6BD1
@B7, xrefs: 002D6BC3

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: __calloc_crt
String ID: 6$@B7
API String ID: 3494438863-1161358885
Opcode ID: 0f1858a5d69d5155ba0b0d624fbb9fb422f45fa8686f1262fa371a4ae77c6e8a
Instruction ID: 6009eabde4a23363e85c6ea13d0cc4b2ec9f9ce61d050199e2df95a09db85571
Opcode Fuzzy Hash: 0f1858a5d69d5155ba0b0d624fbb9fb422f45fa8686f1262fa371a4ae77c6e8a
Instruction Fuzzy Hash: 56F06879628A128BF7798F69BC55B566799E700734F500817E104EE391FBF08CD5CAC4

Function 0033ACCF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,003757B0,0033D809,000000FC,?,00000000,00000000,?,?,?,002EB969,?,?,?,?,?), ref: 0033ACD1
GetFocus.USER32 ref: 0033ACD9

Part of subcall function 002B2612: GetWindowLongW.USER32(?,000000EB), ref: 002B2623

Part of subcall function 002B25DB: GetWindowLongW.USER32(?,000000EB), ref: 002B25EC

SendMessageW.USER32(0139E6A0,000000B0,000001BC,000001C0), ref: 0033AD4B

Strings

@U=u, xrefs: 0033AD4B

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: @U=u
API String ID: 3601265619-2594219639
Opcode ID: b4cdbd5874f5af8575aee41089503e6a55e9703889f3c56da9ebf550ca880e2b
Instruction ID: 9c2ebf2d999f030dfe387465d9a21bab4b29ea24992c7c94a24fb5b4b4066a1b
Opcode Fuzzy Hash: b4cdbd5874f5af8575aee41089503e6a55e9703889f3c56da9ebf550ca880e2b
Instruction Fuzzy Hash: 72019631600A009FC72A9B28D8D8AA537E9EB89321F59027DF415872B1CB31AC46CF51

Function 002C6063 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002C603A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 002C6051

SendMessageW.USER32(?,0000000C,00000000,?), ref: 002C607F
GetParent.USER32(?), ref: 00300D46
InvalidateRect.USER32(00000000,?,002C3A4F,?,00000000,00000001), ref: 00300D4D

Strings

@U=u, xrefs: 002C607F

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend$InvalidateParentRectTimeout
String ID: @U=u
API String ID: 3648793173-2594219639
Opcode ID: 49e61cd8c32663a89bc26ce8dcc806e3944a523f6183accf6722933990f28d71
Instruction ID: 0d5d37a8eea7c206077ce833540493baa3f82d0b988f4d08794ae7b6df278846
Opcode Fuzzy Hash: 49e61cd8c32663a89bc26ce8dcc806e3944a523f6183accf6722933990f28d71
Instruction Fuzzy Hash: 23F0A030520204FFEF222F60DC4EFA57B59BB21341F24552CF644AA0B0C6B26860EB50

Function 002B4C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,002B4B83,?), ref: 002B4C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 002B4C56

Strings

kernel32.dll, xrefs: 002B4C3F
Wow64RevertWow64FsRedirection, xrefs: 002B4C50

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: ecfc182f9d98e7f330dc83b0c2229404b5103647bc74269682186d93d6bea496
Instruction ID: 046534c31e76e34d12f1d47f4c4034aff53d93eaafa2ddcd17ed8b7c48074357
Opcode Fuzzy Hash: ecfc182f9d98e7f330dc83b0c2229404b5103647bc74269682186d93d6bea496
Instruction Fuzzy Hash: FED01270D10713CFD7216F31D98968677D8AF05791F51C83AD997D6165E670D480C650

Function 002B4C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,002B4BD0,?,002B4DEF,?,003752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 002B4C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002B4C23

Strings

kernel32.dll, xrefs: 002B4C0C
Wow64DisableWow64FsRedirection, xrefs: 002B4C1D

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 621c09ba51c47320361eb6ff01510f92fd0cf456c0532c882a1b45b2df2902e2
Instruction ID: fedd4e178527a12498ac32fccdde5c77b6f30eb8dc4a5319df9ae6e217f7149f
Opcode Fuzzy Hash: 621c09ba51c47320361eb6ff01510f92fd0cf456c0532c882a1b45b2df2902e2
Instruction Fuzzy Hash: 40D0EC70911713CFD7216F71D988686BAD9AF09B91F51883AD886D6161E6B0D4808650

Function 00330DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00331039), ref: 00330DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00330E07

Strings

RegDeleteKeyExW, xrefs: 00330E01
advapi32.dll, xrefs: 00330DF0

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 183f2a249ed6797f230d5acec495e625139697d5b3fb8926e2ab6d0c1cef9924
Instruction ID: b89276d6d17be6b68794ca36ec9e2c479d95dfe85090dc41182b2e87be9b7051
Opcode Fuzzy Hash: 183f2a249ed6797f230d5acec495e625139697d5b3fb8926e2ab6d0c1cef9924
Instruction Fuzzy Hash: 38D0C730A00B23CFC7268F72D888383B2E8AF02342F02CC3ED582C2160E6B0D890CA40

Function 003290E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00328CF4,?,0033F910), ref: 003290EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00329100

Strings

kernel32.dll, xrefs: 003290E9
GetModuleHandleExW, xrefs: 003290FA

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 6dca49fbb01d9e1f973e87e1f522635ba781e58d19bf320911b0883f95941ec4
Instruction ID: 7ab9fa631fadc12498da9d2c4ffa4acb2dbfd548c08eb5baba511b6a3cc984be
Opcode Fuzzy Hash: 6dca49fbb01d9e1f973e87e1f522635ba781e58d19bf320911b0883f95941ec4
Instruction Fuzzy Hash: E6D01774D50723CFDB229F32E898646B6E8AF15351F53C83AD886D65A4EA70D880CA90

Function 002F1714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 002F1718
__swprintf.LIBCMT ref: 002F1749

Strings

WIN_XPe, xrefs: 002F1788
%.3d, xrefs: 002F1723

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: c8a3c51dd080324c037f5c44e54ebbef2d668e2684bac7f260c6bea1750e08c6
Instruction ID: 0e81d9964d42ce5093635c289a8df4aea5dd8ddabf86a6e3783abd5557055e14
Opcode Fuzzy Hash: c8a3c51dd080324c037f5c44e54ebbef2d668e2684bac7f260c6bea1750e08c6
Instruction Fuzzy Hash: B1D01271C3410CEAC705A7919989CF9F37CAB19391FA00472F60AD2040E3B29B74DA21

Function 0030717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a761b91e7726c5a93b929b05180a17ff3bc0ffa7182655dfe7f3883b7dcbf8c
Instruction ID: 56142b598f2fb5a1ff28e77a0ef87b56fab18c51c50d683807f938cf2b36bffd
Opcode Fuzzy Hash: 2a761b91e7726c5a93b929b05180a17ff3bc0ffa7182655dfe7f3883b7dcbf8c
Instruction Fuzzy Hash: 1DC19F74E05216EFDB15CFA5C894EAEBBB9FF48300B158598E805EB291D730ED81DB90

Function 0032E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0032E0BE
CharLowerBuffW.USER32(?,?), ref: 0032E101

Part of subcall function 0032D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0032D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0032E301
_memmove.LIBCMT ref: 0032E314

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 9edbd320d54b767900e42b574edd65d3039c09d75292a819f072d4767fdd1eca
Instruction ID: 085f78a09dd75fe3cc5247ee3cd13424988296796d9f12428d55d92d80b5e7c4
Opcode Fuzzy Hash: 9edbd320d54b767900e42b574edd65d3039c09d75292a819f072d4767fdd1eca
Instruction Fuzzy Hash: 5FC156716083119FC705DF28C481A6ABBE4FF89354F14896EF89A9B351D730E946CF82

Function 00328093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 003280C3
CoUninitialize.OLE32 ref: 003280CE

Part of subcall function 0030D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0030D5D4

VariantInit.OLEAUT32(?), ref: 003280D9
VariantClear.OLEAUT32(?), ref: 003283AA

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 0c072b1f3017e2578889c7b9fc8169afb55c202fab3c4337f1a159c0c24e06fd
Instruction ID: f483bc2cb85b2f4a60001c871e9ce1e4aa4cef1fcc6865f78493a2d970e5dec5
Opcode Fuzzy Hash: 0c072b1f3017e2578889c7b9fc8169afb55c202fab3c4337f1a159c0c24e06fd
Instruction Fuzzy Hash: 2DA168396147119FCB01DF24D881B6AB7E4BF89354F048808FA9A9B3A1CB30EC54CF82

Function 0030687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0030688E
SysAllocString.OLEAUT32(00000000), ref: 00306937
VariantCopy.OLEAUT32 ref: 00306966
VariantClear.OLEAUT32(?), ref: 0030698D

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 1c8f65101b82cfea729704e7ad786dc845e9acf8a70db6dbb3fe6aee6ce07eb9
Instruction ID: 4dba1b980f1c2ac3e26294f2057879da8bdf34b02c205af198393fe424fd5d0a
Opcode Fuzzy Hash: 1c8f65101b82cfea729704e7ad786dc845e9acf8a70db6dbb3fe6aee6ce07eb9
Instruction Fuzzy Hash: 9651C2B47113019EDB25AF65D8B2B6AB3E9AF45310F20D81FE596DB6D5DB30D8A08B00

Function 003269AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 003269D1
WSAGetLastError.WSOCK32(00000000), ref: 003269E1

Part of subcall function 002B9837: __itow.LIBCMT ref: 002B9862
Part of subcall function 002B9837: __swprintf.LIBCMT ref: 002B98AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00326A45
WSAGetLastError.WSOCK32(00000000), ref: 00326A51

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: b5be7d98d1f612ed5c0271f7e6173c642b926483065d0e6b3c7a879390748493
Instruction ID: e1fd78c9f14fce020713eda3110e0fa329094593ad3b4d4ccabf84b7297b2cb3
Opcode Fuzzy Hash: b5be7d98d1f612ed5c0271f7e6173c642b926483065d0e6b3c7a879390748493
Instruction Fuzzy Hash: BD41C174700200AFEB25AF24DC87F7A77A8AF05B54F44C418FA19AF2D2DA709D50CB91

Function 0032641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0033F910), ref: 003264A7
_strlen.LIBCMT ref: 003264D9

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 5db58faf88c72fe51be93fab1aa9fc763e73b76e68c04226ab237ccb3c972f83
Instruction ID: dc6b3938dc1be3ec6179b3d51f0cef34cf927df6fa4efc7da963f81c57d19ce9
Opcode Fuzzy Hash: 5db58faf88c72fe51be93fab1aa9fc763e73b76e68c04226ab237ccb3c972f83
Instruction Fuzzy Hash: CE41A431A04114AFCB15FBA8ECD6FEEB7B9AF05310F148155F91A9B292DB30AD50CB50

Function 0031B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0031B89E
GetLastError.KERNEL32(?,00000000), ref: 0031B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0031B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0031B915

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 27e425ffae12ba6003dceb149a8aaf35b7155fe15ec37b7a2a2e06df045b4d76
Instruction ID: a6ee2a7d814a0478b02469ab1ca3c3ab30874f5dfee1a656307224ef59152030
Opcode Fuzzy Hash: 27e425ffae12ba6003dceb149a8aaf35b7155fe15ec37b7a2a2e06df045b4d76
Instruction Fuzzy Hash: FE410639A00650DFCB15EF15C484A99BBF5AF4A750F09C098ED4A9B362CB30FD91CB91

Function 0033AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0033AB60
GetWindowRect.USER32(?,?), ref: 0033ABD6
PtInRect.USER32(?,?,0033C014), ref: 0033ABE6
MessageBeep.USER32(00000000), ref: 0033AC57

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 980b07ea29153262290195a49a836e015ea2d5f124eb6b0e7a066a68aa7a95a0
Instruction ID: db27d1b3cb34172f5020e03980a9c201f147ed7e094c60c93606c15c44dd1067
Opcode Fuzzy Hash: 980b07ea29153262290195a49a836e015ea2d5f124eb6b0e7a066a68aa7a95a0
Instruction Fuzzy Hash: EA416F30A00919EFCF27DF58D8C4A59BBF9FB49310F1991A9E499DB261D730A841CB92

Function 00310AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00310B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00310B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00310BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00310BFB

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1aba60d6bdb5285eacce567192cd598dfb2378cdc81c1184ff5b1ae0ad603ec9
Instruction ID: 7796fa4ebee8d6f322f851b8bb94b172bb74735c2217c94af7f3bf20cbb62e05
Opcode Fuzzy Hash: 1aba60d6bdb5285eacce567192cd598dfb2378cdc81c1184ff5b1ae0ad603ec9
Instruction Fuzzy Hash: 4A313770D48208AEFB3F8A258C05BFABBA9AB4D318F44825AE491561D1C3F5C9C09751

Function 00310C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 00310C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00310C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00310CE1
SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 00310D33

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ac7600424243fd4e185b2dd70c3166b79a27a14f64d3fd545147aa938df48fa4
Instruction ID: 6186329c21bbd67577b03693839feb46e9f1b828e8925a3b16c2c0595a07c24a
Opcode Fuzzy Hash: ac7600424243fd4e185b2dd70c3166b79a27a14f64d3fd545147aa938df48fa4
Instruction Fuzzy Hash: AB315830940308AEFF3F8B689C15BFEBB6AAB4D310F04432AE4905A5D1C3B599D58BD1

Function 002E61C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 002E61FB
__isleadbyte_l.LIBCMT ref: 002E6229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 002E6257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 002E628D

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 445c540a1247101fa43a1002e5c059249e325ec5903dec2c5f9153f53b78895b
Instruction ID: 45bba755c19babc3da5a5d900731ece9aefbff95799e0cac0a440ce5ee362de0
Opcode Fuzzy Hash: 445c540a1247101fa43a1002e5c059249e325ec5903dec2c5f9153f53b78895b
Instruction Fuzzy Hash: 6131F230A50286AFDF228F76CC48BAA7FA9FF51390F554029E9248B191D771EC60DB90

Function 00334EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00334F02

Part of subcall function 00313641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0031365B
Part of subcall function 00313641: GetCurrentThreadId.KERNEL32 ref: 00313662
Part of subcall function 00313641: AttachThreadInput.USER32(00000000,?,00315005), ref: 00313669

GetCaretPos.USER32(?), ref: 00334F13
ClientToScreen.USER32(00000000,?), ref: 00334F4E
GetForegroundWindow.USER32 ref: 00334F54

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 0861418563609ada1d1d6727b8eea4ac762015a7d105c6abc9cd16329f111fe8
Instruction ID: a6dc79fc382eb5e4fb24a382c9999a474a15eeb6245c5b0c3246e38f7671bae7
Opcode Fuzzy Hash: 0861418563609ada1d1d6727b8eea4ac762015a7d105c6abc9cd16329f111fe8
Instruction Fuzzy Hash: 6F311872E00108AFDB01EFA5C8859EEB7FDEF99300F10406AE515E7251DA75AE55CBA0

Function 0033C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002B2612: GetWindowLongW.USER32(?,000000EB), ref: 002B2623

GetCursorPos.USER32(?), ref: 0033C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,002EB9AB,?,?,?,?,?), ref: 0033C4E7
GetCursorPos.USER32(?), ref: 0033C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,002EB9AB,?,?,?), ref: 0033C56E

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 7460a1ee99bbe71c7553264c2c60d430709fb1594c00c694852d20469d63e964
Instruction ID: 8ec8112014e3bbe0bd2014f85773061e82a27f69f04dba8dc9e02c93d8b62f70
Opcode Fuzzy Hash: 7460a1ee99bbe71c7553264c2c60d430709fb1594c00c694852d20469d63e964
Instruction Fuzzy Hash: BC31D235610018FFDB27CF59C898EEA7BB9EB0A310F444069F9099B262C731AD50DFA4

Function 00308656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0030810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00308121
Part of subcall function 0030810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0030812B
Part of subcall function 0030810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0030813A
Part of subcall function 0030810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00308141
Part of subcall function 0030810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00308157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003086A3
_memcmp.LIBCMT ref: 003086C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003086FC
HeapFree.KERNEL32(00000000), ref: 00308703

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 7198e9b93c4fd1fa25005e7b1533269e6e8bec2e8dc17c5f4e81bb6e792f9e2b
Instruction ID: 1fc14a23aa3318502a1c8e4cc9458bdba6ce5bd61ea8ee81b1e4de9e25bf2106
Opcode Fuzzy Hash: 7198e9b93c4fd1fa25005e7b1533269e6e8bec2e8dc17c5f4e81bb6e792f9e2b
Instruction Fuzzy Hash: 1E219D71E02208EFDB11DFA8C959BEEB7B8EF44304F164059E585AB281DB31AE05CB90

Function 002D098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 002D09AE

Part of subcall function 002B5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00317896,?,?,00000000), ref: 002B5A2C
Part of subcall function 002B5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00317896,?,?,00000000,?,?), ref: 002B5A50

_fprintf.LIBCMT ref: 002D09E5
OutputDebugStringW.KERNEL32(?), ref: 00305DBB

Part of subcall function 002D4AAA: _flsall.LIBCMT ref: 002D4AC3

__setmode.LIBCMT ref: 002D0A1A

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 51549757d7147b0cffe79732e9076aaa9d3a4dda307e4d722713122c80f9aff1
Instruction ID: f898b27b674dac773b47e38779b6cac74792cec7efefb8f8b06f8b18b0629041
Opcode Fuzzy Hash: 51549757d7147b0cffe79732e9076aaa9d3a4dda307e4d722713122c80f9aff1
Instruction Fuzzy Hash: 601157319286046FC705B3B49C86AFE77AC9F45360F244027F205A72D2EE705CA25BE0

Function 00321767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003217A3

Part of subcall function 0032182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0032184C
Part of subcall function 0032182D: InternetCloseHandle.WININET(00000000), ref: 003218E9

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 7d4077951efac8ae35954e05f10f9d04c2f7a26f641243a8aa48b2ab03023c7f
Instruction ID: af1184c2b4deab23e8186793f4e44b2cb1e9c06281d3d674fbd168fa7669e9f3
Opcode Fuzzy Hash: 7d4077951efac8ae35954e05f10f9d04c2f7a26f641243a8aa48b2ab03023c7f
Instruction Fuzzy Hash: BB21C331600615BFEB139F64ED81FBBBBADFF98710F10412AFA119A650DB71D811A7A0

Function 00313A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0033FAC0), ref: 00313A64
GetLastError.KERNEL32 ref: 00313A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00313A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0033FAC0), ref: 00313ADF

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: efded9bf31b390171a83bc9d82adb89e2fb6b468a6023c16a282aaf82e263f5e
Instruction ID: adc99b46c7b4524642bf538b7001f2ef38a14718eb2e6269d56c8e94fef92af0
Opcode Fuzzy Hash: efded9bf31b390171a83bc9d82adb89e2fb6b468a6023c16a282aaf82e263f5e
Instruction Fuzzy Hash: B52186745082059F8715EF28C8818EB77E8EE59364F144A2DF4D9C72A1D731DE95CF82

Function 002E50E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002E5101

Part of subcall function 002D571C: __FF_MSGBANNER.LIBCMT ref: 002D5733
Part of subcall function 002D571C: __NMSG_WRITE.LIBCMT ref: 002D573A
Part of subcall function 002D571C: RtlAllocateHeap.NTDLL(01380000,00000000,00000001,00000000,?,?,?,002D0DD3,?), ref: 002D575F

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: d73436aa332b1c58599b58dfa65a2ceb68ed951f913da12208f4c22d46248d30
Instruction ID: 221d7203f30be872d065646e8e944e8139d0ee7e72d0db7dc5c06da1db8926c7
Opcode Fuzzy Hash: d73436aa332b1c58599b58dfa65a2ceb68ed951f913da12208f4c22d46248d30
Instruction Fuzzy Hash: 9911E372974A62AECB322F72EC45B5D37989F04369F50452BF94C9E250DE70CC609A90

Function 00326369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 002B5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00317896,?,?,00000000), ref: 002B5A2C
Part of subcall function 002B5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00317896,?,?,00000000,?,?), ref: 002B5A50

gethostbyname.WSOCK32(?,?,?), ref: 00326399
WSAGetLastError.WSOCK32(00000000), ref: 003263A4
_memmove.LIBCMT ref: 003263D1
inet_ntoa.WSOCK32(?), ref: 003263DC

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: e11fcfc821ab034fff4a0fbbfcfddaf7d4b041d1e746500b5a65ba98c82744c0
Instruction ID: fae325297be1a983f0d8779c0f41897664807bacc26a7cdb358f843fa0217fe9
Opcode Fuzzy Hash: e11fcfc821ab034fff4a0fbbfcfddaf7d4b041d1e746500b5a65ba98c82744c0
Instruction Fuzzy Hash: 15116031910119AFCB05FBA4DD86DEEB7B8AF09310F544065F506AB261DB30AE24CFA1

Function 00308B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00308B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00308B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00308B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00308BA4

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 512fd97af26cd64dc2359f210e33c8184127ffedc99b3c81cf0f0b7e3c0821a5
Instruction ID: 8e8a767d83856798657dad1c2498d7eff441d46aca43743e9a8718d1f3e5a34b
Opcode Fuzzy Hash: 512fd97af26cd64dc2359f210e33c8184127ffedc99b3c81cf0f0b7e3c0821a5
Instruction Fuzzy Hash: 1F112A79901218FFEB11DFA5CD85FADBBB8FB48710F2040A5EA40B7290DA716E11DB94

Function 002B1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 002B2612: GetWindowLongW.USER32(?,000000EB), ref: 002B2623

DefDlgProcW.USER32(?,00000020,?), ref: 002B12D8
GetClientRect.USER32(?,?), ref: 002EB5FB
GetCursorPos.USER32(?), ref: 002EB605
ScreenToClient.USER32(?,?), ref: 002EB610

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: e6613e580b45560cffa1eb3ca37d722ae0de4cfc4b23564d5fb00aa4595b51d6
Instruction ID: f867da672d5cbeddf91c291459405f150e501d5992a3c9d759f02c4531c4801c
Opcode Fuzzy Hash: e6613e580b45560cffa1eb3ca37d722ae0de4cfc4b23564d5fb00aa4595b51d6
Instruction Fuzzy Hash: 39116A35A20029EFCB15DF98C899DEE77B8EB05341F800456F901E7150C730BA618BA5

Function 0030D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0030D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0030D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0030D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0030D897

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: c9335401b1d5a9b8ddcda065098fd44756b4bd520afcc003b5f11b21282a2cf5
Instruction ID: 3068293eded064baca4a728742f1e7808d1f29053d1c585e8bd28711da10de75
Opcode Fuzzy Hash: c9335401b1d5a9b8ddcda065098fd44756b4bd520afcc003b5f11b21282a2cf5
Instruction Fuzzy Hash: 4D11A171A02304DFE3218F91ED48F93BBFCEB00B00F50C569A516C6480D7B0E508DBA1

Function 002E6FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 002E6FDB

Part of subcall function 002E76C2: __fltout2.LIBCMT ref: 002E76EB

__cftog_l.LIBCMT ref: 002E7001
__cftoe_l.LIBCMT ref: 002E7033

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 37a55529ed351dbcb7bdba684db331082670829f6af3815022254d9d53c40712
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 88014C724A818ABBCF165F85CC05CEE3F66BB28395F988415FE1858031D236C9B1AF81

Function 0033B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0033B2E4
ScreenToClient.USER32(?,?), ref: 0033B2FC
ScreenToClient.USER32(?,?), ref: 0033B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0033B33B

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 46caf079084bb1b90a9254bf24cc1b27d13f939db43747f7437fca2ab71580eb
Instruction ID: b3a00bd11965d9a244281978a8a86b09e789b9385ae32c211eb8b464233f6e59
Opcode Fuzzy Hash: 46caf079084bb1b90a9254bf24cc1b27d13f939db43747f7437fca2ab71580eb
Instruction Fuzzy Hash: 951143B9D00609EFDB41CFA9C8859EEFBB9FB08310F508166E914E3220D735AA558F50

Function 00316BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00316BE6

Part of subcall function 003176C4: _memset.LIBCMT ref: 003176F9

_memmove.LIBCMT ref: 00316C09
_memset.LIBCMT ref: 00316C16
LeaveCriticalSection.KERNEL32(?), ref: 00316C26

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 68d9d046eaace5241d4219e4ddec734d313abdbe7da63d9bab43a297efa3694b
Instruction ID: 3fe709e5dd9d585e54c0821f5484d89fc21ee1b1dce03ea4e55748104e2a9eb8
Opcode Fuzzy Hash: 68d9d046eaace5241d4219e4ddec734d313abdbe7da63d9bab43a297efa3694b
Instruction Fuzzy Hash: C1F0543A100100ABCF066F55DCC5E8ABB29EF49320F088061FE089E267C771E851CBB4

Function 002B2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 002B2231
SetTextColor.GDI32(?,000000FF), ref: 002B223B
SetBkMode.GDI32(?,00000001), ref: 002B2250
GetStockObject.GDI32(00000005), ref: 002B2258
GetWindowDC.USER32(?,00000000), ref: 002EBE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 002EBE90
GetPixel.GDI32(00000000,?,00000000), ref: 002EBEA9
GetPixel.GDI32(00000000,00000000,?), ref: 002EBEC2
GetPixel.GDI32(00000000,?,?), ref: 002EBEE2
ReleaseDC.USER32(?,00000000), ref: 002EBEED

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: c844055125d1402d838961265bc3cbd241e63b138d2b0df60e2af51bc17699d7
Instruction ID: efd9cb06918fdac9bf9ce41756e5c508b3a2197f5079bbba1cb1eed03a75cfcf
Opcode Fuzzy Hash: c844055125d1402d838961265bc3cbd241e63b138d2b0df60e2af51bc17699d7
Instruction Fuzzy Hash: 88E03031954245EEDF225F64FC4D7D83B14EB15332F448366FA69480E187714590DB11

Function 00308712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0030871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,003082E6), ref: 00308722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003082E6), ref: 0030872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,003082E6), ref: 00308736

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 27ffca1d965619e1a568e2b30ae27b0fa6c0f97e07b115baaba9d52f26aa1624
Instruction ID: f5e4a1e367ae0d3a27a79276afebf36d0270fc40249ae21402b418213f7c3ff3
Opcode Fuzzy Hash: 27ffca1d965619e1a568e2b30ae27b0fa6c0f97e07b115baaba9d52f26aa1624
Instruction Fuzzy Hash: F1E08636A122119FD7215FB49D4CB573BACEF50B91F554828B2C5C9091DB348441C750

Function 002B6240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%4, xrefs: 002B624E

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID:
String ID: %4
API String ID: 0-762753230
Opcode ID: 0fb3c1658dfd41f9dd5a36fe943eae579c08682aedcc39e1c6b30a06da1ef6c2
Instruction ID: 3d02f00984564045611ebd9b6d01381caeb44dced5fde81cd9756c9b76ffb174
Opcode Fuzzy Hash: 0fb3c1658dfd41f9dd5a36fe943eae579c08682aedcc39e1c6b30a06da1ef6c2
Instruction Fuzzy Hash: 88B12B71C2010ADBCF24EF94C489AFDB7B8FF44390F544166E905A7191DB789EA1CB51

Function 0032AEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0032AFAE

Strings

xb7, xrefs: 0032B010
xb7, xrefs: 0032AFE4

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: __itow_s
String ID: xb7$xb7
API String ID: 3653519197-2383554142
Opcode ID: c15cf06b45bee8e28d83594c1f726054db681ee9194abf8f5265653dbe846437
Instruction ID: a6cbfc13b05add55d6296cf631575bad6894dc1a09883a3c62e09165fb7762a5
Opcode Fuzzy Hash: c15cf06b45bee8e28d83594c1f726054db681ee9194abf8f5265653dbe846437
Instruction Fuzzy Hash: 6FB17F70A00219EFCB25DF54D891EFABBB9FF58340F14845AF9459B252EB30E991CB60

Function 0031AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 002CFC86: _wcscpy.LIBCMT ref: 002CFCA9

Part of subcall function 002B9837: __itow.LIBCMT ref: 002B9862
Part of subcall function 002B9837: __swprintf.LIBCMT ref: 002B98AC

__wcsnicmp.LIBCMT ref: 0031B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0031B0F6

Strings

LPT, xrefs: 0031B027

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: f9f65fcc3db86934feea12cb5aa155a61b56e1ac9bae3d9177da95a52cc584d1
Instruction ID: 10ef548da22d7f0332e416178a79a1609403cde75d35f8d3c69eeb4070b0a996
Opcode Fuzzy Hash: f9f65fcc3db86934feea12cb5aa155a61b56e1ac9bae3d9177da95a52cc584d1
Instruction Fuzzy Hash: A5617175A10215AFCB19DF94C891EEEF7B9EF0C310F118169F916AB2A1D770AE80CB50

Function 002C2957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 002C2968
GlobalMemoryStatusEx.KERNEL32(?), ref: 002C2981

Strings

@, xrefs: 002C2975

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 7b554210f9803daa2cd3afbf75bb85f879f4897b5b5f2393c94f8e51b6e9739f
Instruction ID: 55abe9ee8977310c2bd1f68ea015d6864306ed48c0aaf0be61af8ed83d0103ae
Opcode Fuzzy Hash: 7b554210f9803daa2cd3afbf75bb85f879f4897b5b5f2393c94f8e51b6e9739f
Instruction Fuzzy Hash: DA5134724287449BD320EF10D886BEBBBECFB85385F81885DF2D8410A1DB319579CB66

Function 00319734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 002B4F0B: __fread_nolock.LIBCMT ref: 002B4F29

_wcscmp.LIBCMT ref: 00319824
_wcscmp.LIBCMT ref: 00319837

Strings

FILE, xrefs: 00319770

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 6a4edb2c2243d89e8d8ea38b3e15a108ddb302b8fd5ebb790160d2855bb0574c
Instruction ID: 650c519a8f812517a6a7fc66caf9c644a83c41d8506bd9a12c5a56a3532882c3
Opcode Fuzzy Hash: 6a4edb2c2243d89e8d8ea38b3e15a108ddb302b8fd5ebb790160d2855bb0574c
Instruction Fuzzy Hash: C741D871A00209BADF25AFA0CC85FEFB7BDDF89750F01047AF904B7281DA71A9548B61

Function 002F0574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 002F057F

Strings

Dd7, xrefs: 002BA151
Dd7, xrefs: 002BA317

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ClearVariant
String ID: Dd7$Dd7
API String ID: 1473721057-1285796119
Opcode ID: 2d5515199060b79896e45efb07429c091b7ed25f1b53f6a3577422397052c5c6
Instruction ID: c6da1e9b1a6fe84f952e850753e3c589df07fad111cd0c983b5e509d6648d01a
Opcode Fuzzy Hash: 2d5515199060b79896e45efb07429c091b7ed25f1b53f6a3577422397052c5c6
Instruction Fuzzy Hash: 075105786283429FD764CF19C490A6ABBF1FB99394F54885DE9898B321D331EC91CF42

Function 0032258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0032259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 003225D4

Strings

|, xrefs: 003225A5

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 4d983a563f2dcf962c6bf59ab88e8eb9d2491e9c2931a74f880b5d154f7952e5
Instruction ID: 3d44386bae5ed88cc75c4fa9239a1f186cd123c23d1996a38b473b4befb34f58
Opcode Fuzzy Hash: 4d983a563f2dcf962c6bf59ab88e8eb9d2491e9c2931a74f880b5d154f7952e5
Instruction Fuzzy Hash: 0A31F671C10119EBDF01EFA1DC85EEEBFB9FF08350F140069E915A6162EA315966EFA0

Function 00337A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00337B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00337B76

Strings

', xrefs: 00337ACA

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 4d1e2316733407a9a0140f27846724a066e86b0c9b8467fcc807688d433efe09
Instruction ID: 6bddcbeeaa8f40c895dfcc01af6d16f1020e7bc6f9b14a198954727ab42e6ce9
Opcode Fuzzy Hash: 4d1e2316733407a9a0140f27846724a066e86b0c9b8467fcc807688d433efe09
Instruction Fuzzy Hash: 8941F8B4A0520AAFDB25CF64C9C1BDABBB9FB09300F15016AE909EB351D770A951CF90

Function 00336A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00336B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00336B53

Strings

static, xrefs: 00336AB3

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: ee61f047edf4a5497382601937950be73312aacfaa754578b8aac7337a85ca86
Instruction ID: 7e1a5625b4a146e3dde4f74a0e17076d3b8f2ca5af851899af075aa9383428da
Opcode Fuzzy Hash: ee61f047edf4a5497382601937950be73312aacfaa754578b8aac7337a85ca86
Instruction Fuzzy Hash: 74319E71210604AEEB129F65CC81BFBB3ADFF48760F11C619F9A9D7190DA30AC91CB60

Function 0030994C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00309965
SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0030999F

Strings

@U=u, xrefs: 00309965, 0030999F

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 3a62c59e5a572f1331b163bec113b3db650ec70198e61a07cff47118c95eaf81
Instruction ID: 4d594af4e7d0d67caa47025c3d43de58e78632dec03af05d4fa1cdb5e43a55ab
Opcode Fuzzy Hash: 3a62c59e5a572f1331b163bec113b3db650ec70198e61a07cff47118c95eaf81
Instruction Fuzzy Hash: 7021D731E11215ABCB12EBA8C891EEEB779EFC8750F01406AF915A72D1EB709C418B50

Function 003128A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00312911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0031294C

Strings

0, xrefs: 0031290A

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 64970ec027095d6869e1b77fe352f1fec00e19228a4aac448d63b46ac41c7cd4
Instruction ID: 88cf994c4b17221eedc7ac216d3d8be20b8a06678827577ec29ec15c3d04c766
Opcode Fuzzy Hash: 64970ec027095d6869e1b77fe352f1fec00e19228a4aac448d63b46ac41c7cd4
Instruction Fuzzy Hash: D531C331A003059FEB2ECF5CC885BEFBBB9EF49350F151029E985A61A0D77099B4CB51

Function 0030A9B1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002C603A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 002C6051

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0030AA10
_strlen.LIBCMT ref: 0030AA1B

Strings

@U=u, xrefs: 0030AA10

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID: @U=u
API String ID: 2777139624-2594219639
Opcode ID: 51bf85bf474b659c2c67851aff18acc51e5000d73d3be17434df5c36d6ffd3e0
Instruction ID: 0061971650625beaedcbf1c845d5e5c2e891359d9529911fc99a2c6885733376
Opcode Fuzzy Hash: 51bf85bf474b659c2c67851aff18acc51e5000d73d3be17434df5c36d6ffd3e0
Instruction Fuzzy Hash: DC1105323057056ACB15AE78EDE2AFE7B699F49750F00002EF9068A1D3DE249855DA51

Function 00336865 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003155FD: GetLocalTime.KERNEL32 ref: 0031560A
Part of subcall function 003155FD: _wcsncpy.LIBCMT ref: 0031563F
Part of subcall function 003155FD: _wcsncpy.LIBCMT ref: 00315671
Part of subcall function 003155FD: _wcsncpy.LIBCMT ref: 003156A4
Part of subcall function 003155FD: _wcsncpy.LIBCMT ref: 003156E6

SendMessageW.USER32(?,00001002,00000000,?), ref: 003368FF

Strings

@U=u, xrefs: 003368FF
SysDateTimePick32, xrefs: 003368BD

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: _wcsncpy$LocalMessageSendTime
String ID: @U=u$SysDateTimePick32
API String ID: 2466184910-2530228043
Opcode ID: 32042c70a820e03b8d9b675ffa3392f0a7d9123be7c7dcf3f93686be02f12b3e
Instruction ID: 1ddf6046c2c5b89849737c012832d3bbf813b811c11836e914a881398d2bb1a8
Opcode Fuzzy Hash: 32042c70a820e03b8d9b675ffa3392f0a7d9123be7c7dcf3f93686be02f12b3e
Instruction Fuzzy Hash: 3D210671740219BFEF229E54DCC3FEA73AAEB48750F218519F950AB1D0D6B1AC908B60

Function 00309225 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0030923E

Part of subcall function 003113DE: GetWindowThreadProcessId.USER32(?,?), ref: 00311409
Part of subcall function 003113DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0030925A,00000034,?,?,00001004,00000000,00000000), ref: 00311419
Part of subcall function 003113DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0030925A,00000034,?,?,00001004,00000000,00000000), ref: 0031142F

Part of subcall function 003114BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00309296,?,?,00000034,00000800,?,00000034), ref: 003114E6

SendMessageW.USER32(?,00001073,00000000,?), ref: 003092A5

Part of subcall function 00311487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003092C5,?,?,00000800,?,00001073,00000000,?,?), ref: 003114B1

Strings

@U=u, xrefs: 0030923E, 003092A5

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
String ID: @U=u
API String ID: 1045663743-2594219639
Opcode ID: e91d8b07a9f275be0f8d7f87faac0a594ba3e1ae94a259987851b2d8ed62e986
Instruction ID: 61fb7480e92635e59f241dac042c59e18d9aa2d5ced18434f657096f798cfe6a
Opcode Fuzzy Hash: e91d8b07a9f275be0f8d7f87faac0a594ba3e1ae94a259987851b2d8ed62e986
Instruction Fuzzy Hash: 5C215E31902128AFDF16DBA4CC81FDDBBB8FF09710F1001A6F658AB191DA705A94CFA0

Function 003366D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00336761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0033676C

Strings

Combobox, xrefs: 0033672E

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 968eb734cacb65802b7c54b6b91c0e793a4c6399a91a42dca09554608133b9df
Instruction ID: a91e5cf3855e5d3881c5d4f58545375a82d88da44cd8645be5bd8b8746c9768c
Opcode Fuzzy Hash: 968eb734cacb65802b7c54b6b91c0e793a4c6399a91a42dca09554608133b9df
Instruction Fuzzy Hash: C011B271210208BFEF268F54CCC2EEB376EEB493A8F518129F91897290D671DC5187A0

Function 003396F3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

@U=u, xrefs: 00339778, 003397A1

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: 7efd85023ab45f15158138d68632657dd88aa177180283eb56739ff7f9b3ba16
Instruction ID: 88ef68158caa1e52bc368ec908fe572d5add1301fc8f8f948f2694c205bb2947
Opcode Fuzzy Hash: 7efd85023ab45f15158138d68632657dd88aa177180283eb56739ff7f9b3ba16
Instruction Fuzzy Hash: 7021A235124108FFEB168F58CCC5FFA37A8EB05310F414156FA16DA2E0C6B2E950DB60

Function 00336C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 002B1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002B1D73
Part of subcall function 002B1D35: GetStockObject.GDI32(00000011), ref: 002B1D87
Part of subcall function 002B1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 002B1D91

GetWindowRect.USER32(00000000,?), ref: 00336C71
GetSysColor.USER32(00000012), ref: 00336C8B

Strings

static, xrefs: 00336C4E

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: ecea4dc390c441b89b03c3facc7f048f3408199e5dcda03dd31f99b1afaf8953
Instruction ID: 8ffce847a74aadcbf27ae5b27269da9301a91c39acccd977262e5e2c5534bc5a
Opcode Fuzzy Hash: ecea4dc390c441b89b03c3facc7f048f3408199e5dcda03dd31f99b1afaf8953
Instruction Fuzzy Hash: 28212C72910209AFDF05DFA8CC86EEA7BA8FB08314F015629F955D2250D735E850DB60

Function 003129AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00312A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00312A41

Strings

0, xrefs: 00312A18

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 5c36348a12e476d2d283e72d165075482bf8de96c813568faf7c55303ee4c590
Instruction ID: f407ce0dbebf4e25f2c4cbe078ff83238b789d8a100743dc9555695e387b748c
Opcode Fuzzy Hash: 5c36348a12e476d2d283e72d165075482bf8de96c813568faf7c55303ee4c590
Instruction Fuzzy Hash: 00118E32901114AFDB3BDB98D844BEB77BCAF49310F164021E859E7290DB70ADAAC791

Function 003221D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0032222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00322255

Strings

<local>, xrefs: 0032221D

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 78318e4db39e852682fa8e9c7d8992b574de97a627c047ad3ac1daa9f205067c
Instruction ID: 5aeb8970a1b669e98be8ec08784f16682579e68e0d4e9becd940fa17fd0065b3
Opcode Fuzzy Hash: 78318e4db39e852682fa8e9c7d8992b574de97a627c047ad3ac1daa9f205067c
Instruction Fuzzy Hash: 2711A070541335FEDB2A8F51AC85EBBFBACFF16751F10862AF91546400D2716990D6F0

Function 003384E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 00338530

Strings

@U=u, xrefs: 00338530, 0033856C

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 9c54bc92aaf6809b3846fa8c8b0d2257be71f7b0bd3855b4f80398bf23545d36
Instruction ID: cd1d0852227638dbb00320ed4f7882a1fbad486a11ca541e27343891461d2275
Opcode Fuzzy Hash: 9c54bc92aaf6809b3846fa8c8b0d2257be71f7b0bd3855b4f80398bf23545d36
Instruction Fuzzy Hash: 7E21E775A00209EFCB16CF94D880CEA7BB9FB4D350F014154FD06A7360DA31AD61DB90

Function 003365B6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 0033662C

Strings

@U=u, xrefs: 0033662C
button, xrefs: 00336603

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$button
API String ID: 3850602802-1762282863
Opcode ID: 960409ff3940e4b58e125632d6bc2fa4e9a0b7a84d496b252695481226f7f0b8
Instruction ID: e14bfd0d9cd999785b07b582ad768ad68144bd6ee721ebfa06e5560e0289cbf9
Opcode Fuzzy Hash: 960409ff3940e4b58e125632d6bc2fa4e9a0b7a84d496b252695481226f7f0b8
Instruction Fuzzy Hash: 9711E132150205BFEF128F60CC92FEA376AEF09354F118218FA51A71A0C776ECA19B10

Function 0033788C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133E,00000000,?), ref: 003378D8

Strings

@U=u, xrefs: 003378D8

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: f6089c9469c4ddeb3bf47472eb82c2ebf0beb968491c7d4f7fee5bb0ed7df8c8
Instruction ID: 3a378ec01514028f0ae623eaec69c7c9c34db39a2740b894665795c971984aa8
Opcode Fuzzy Hash: f6089c9469c4ddeb3bf47472eb82c2ebf0beb968491c7d4f7fee5bb0ed7df8c8
Instruction Fuzzy Hash: D011BE70504744AFD732CF34C8D2AE7BBE9BF05310F50861DE9AA87291DB7169419BA0

Function 003094A7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003114BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00309296,?,?,00000034,00000800,?,00000034), ref: 003114E6

SendMessageW.USER32(?,0000102B,?,00000000), ref: 00309509
SendMessageW.USER32(?,0000102B,?,00000000), ref: 0030952E

Strings

@U=u, xrefs: 00309509, 0030952E

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend$MemoryProcessWrite
String ID: @U=u
API String ID: 1195347164-2594219639
Opcode ID: 05eaa9947121425f4d30634719a2162e8924b6cf8bb603fbed42287580b66083
Instruction ID: 76f097450d2c7670ddaafcfcb0b6ee2ca50a4580a3ed9568ef62b9d8a12726fd
Opcode Fuzzy Hash: 05eaa9947121425f4d30634719a2162e8924b6cf8bb603fbed42287580b66083
Instruction Fuzzy Hash: DA012B32901118ABDB22AF25DC86FEABB7CDB08310F00416AF915A71D1DB706D94CB60

Function 002C092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,002B3C14,003752F8,?,?,?), ref: 002C096E

Part of subcall function 002B7BCC: _memmove.LIBCMT ref: 002B7C06

_wcscat.LIBCMT ref: 002F4CB7

Strings

S7, xrefs: 002C09AE

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: S7
API String ID: 257928180-3441049348
Opcode ID: 2764b1578a8cf786d1d1e51546cdeedf8798bd6dc8e707eb6355bea5c7553c51
Instruction ID: 684deff57e325bc6b79a7eb47f3464fd813364731ea3406db5e32155128bb176
Opcode Fuzzy Hash: 2764b1578a8cf786d1d1e51546cdeedf8798bd6dc8e707eb6355bea5c7553c51
Instruction Fuzzy Hash: 9011A934A25609DA9B51FB64C846FDD73E8AF08790F0045A6B549D3191DAB096A44F10

Function 00318D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00318DAC
__fread_nolock.LIBCMT ref: 00318DC1

Strings

EA06, xrefs: 00318DF3

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 7b6b15edbb6984a79708c7202ca6eedbc955a8e4f1ef1f8dcc3ab7ac02545f1a
Instruction ID: 53b28e365d5af8f2702eb89f2fb8efaef4a0394ae3564ea80d2fd6e9425431dc
Opcode Fuzzy Hash: 7b6b15edbb6984a79708c7202ca6eedbc955a8e4f1ef1f8dcc3ab7ac02545f1a
Instruction Fuzzy Hash: C301F9718042187EDB19CBA8D856EEE7BFCDB15301F00419FF552D2281E9B4EA148BA0

Function 003095D5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 003095FB
SendMessageW.USER32(?,0000040D,?,00000000), ref: 0030962E

Part of subcall function 00311487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003092C5,?,?,00000800,?,00001073,00000000,?,?), ref: 003114B1

Part of subcall function 002B7BCC: _memmove.LIBCMT ref: 002B7C06

Strings

@U=u, xrefs: 003095FB, 0030962E

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend$MemoryProcessRead_memmove
String ID: @U=u
API String ID: 339422723-2594219639
Opcode ID: 25e0f57db4e6da063a2b34820520a29ce6cf2ad40f143e9725743b1829b91df5
Instruction ID: 2d40b5d5daa5b01eb54cfb765006180f3aa60d6eeaffcff4ec18dbb660862461
Opcode Fuzzy Hash: 25e0f57db4e6da063a2b34820520a29ce6cf2ad40f143e9725743b1829b91df5
Instruction Fuzzy Hash: 82015771801118AFDB65AEA0CC91EDA77BCEB18341F8080AAF649A6151DE714E99CF90

Function 0030C4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0030C534

Part of subcall function 0030C816: _memmove.LIBCMT ref: 0030C860
Part of subcall function 0030C816: VariantInit.OLEAUT32(00000000), ref: 0030C882
Part of subcall function 0030C816: VariantCopy.OLEAUT32(00000000,?), ref: 0030C88C

VariantClear.OLEAUT32(?), ref: 0030C556

Strings

d}6, xrefs: 0030C517

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}6
API String ID: 2932060187-3853789388
Opcode ID: d31a5a7c9ca550e28d2f2534872f3e865428aeb1a2818a0016fa70725dab9161
Instruction ID: 4e1e86ab57e67da097bfc992838d9179a5cdcc24ed7830176f9aa40daec52d7d
Opcode Fuzzy Hash: d31a5a7c9ca550e28d2f2534872f3e865428aeb1a2818a0016fa70725dab9161
Instruction Fuzzy Hash: A8110C719007089FC721DFAAD8C489AF7F8FF08354B50862EE58AD7651E771AA48CF90

Function 0033C57D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002B2612: GetWindowLongW.USER32(?,000000EB), ref: 002B2623

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,002EB93A,?,?,?), ref: 0033C5F1

Part of subcall function 002B25DB: GetWindowLongW.USER32(?,000000EB), ref: 002B25EC

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0033C5D7

Strings

@U=u, xrefs: 0033C5D7

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: @U=u
API String ID: 982171247-2594219639
Opcode ID: 9296097d38acae788c1f783f27b4bd0db175ae2fe80e17a19f511d074fe7abcf
Instruction ID: f21754b14c66b0acfbcae1d7b27086e36b14ca3629a18d562a307257df5fdfab
Opcode Fuzzy Hash: 9296097d38acae788c1f783f27b4bd0db175ae2fe80e17a19f511d074fe7abcf
Instruction Fuzzy Hash: ED01D431200214EFEB275F19CCD8F6A3BAAFF86361F140128F9552B2E0CB71A851DB91

Function 0030953C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0030954C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00309564

Strings

@U=u, xrefs: 0030954C, 00309564

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: f76d57cb471e8b97c3f6c5b678334cd8b06bc1c3f19c91df3ae19852d190587e
Instruction ID: ab1f2c8185fd6b2a44d18b770f970f9dad9d65e2785350220abce88bb95102c0
Opcode Fuzzy Hash: f76d57cb471e8b97c3f6c5b678334cd8b06bc1c3f19c91df3ae19852d190587e
Instruction Fuzzy Hash: 49E0653574321176F23315679D9BFD75E09DB8AB61F150026F705A91D2C9D24D4182A0

Function 00314F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00314F46
_wcscmp.LIBCMT ref: 00314F58

Strings

#32770, xrefs: 00314F52

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 5a9a7916789ce0425b6d7c53db1e05ea5f104ee9c9b64c699eabd2d8c55db938
Instruction ID: ee07fdea90e6c6acfeb1c470b66e6ae3835e888da6b1adf580a22ed3ee3ce307
Opcode Fuzzy Hash: 5a9a7916789ce0425b6d7c53db1e05ea5f104ee9c9b64c699eabd2d8c55db938
Instruction Fuzzy Hash: 08E0D832A0062C2BD721DB99EC4AFE7F7ACEB49B70F010167FD04D3151E9609A958BE1

Function 002EB2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 002EB314: _memset.LIBCMT ref: 002EB321

Part of subcall function 002D0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,002EB2F0,?,?,?,002B100A), ref: 002D0945

IsDebuggerPresent.KERNEL32(?,?,?,002B100A), ref: 002EB2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,002B100A), ref: 002EB303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 002EB2FE

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 9648a81065d9f7f5b926b21b382e2e7106d57c8f8b046cf6c7c126c159104f30
Instruction ID: 5cb05fb0736a4fd0f513d8b8a1078c3e66df5852470fa5f573c42437b19b322c
Opcode Fuzzy Hash: 9648a81065d9f7f5b926b21b382e2e7106d57c8f8b046cf6c7c126c159104f30
Instruction Fuzzy Hash: 35E06D746107418FD7229F29D5457877BE8AF00714F408D6DE886C7661E7B4D458CBA1

Function 002F1935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 002F1775

Part of subcall function 0032BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,002F195E,?), ref: 0032BFFE
Part of subcall function 0032BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0032C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 002F196D

Strings

WIN_XPe, xrefs: 002F1788

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 9ca46a1132c15bd584500cd3768c526e48c5d76daba3440488bae2f94987c546
Instruction ID: a5fd8be207b7fbd91cb2f29793898244512ed08212f85a08633764bbdb90e247
Opcode Fuzzy Hash: 9ca46a1132c15bd584500cd3768c526e48c5d76daba3440488bae2f94987c546
Instruction Fuzzy Hash: FEF0AC7082010DDFDB16EB55D994AFCF7B8AB58341FA400A5E106A6090D7754EA4DF60

Function 00335964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0033596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00335981

Part of subcall function 00315244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003152BC

Strings

Shell_TrayWnd, xrefs: 00335967

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 78c3b6e5ab7d116a177753396dd4c597ce1b69491cd7b47f45fd0b8be3c6b899
Instruction ID: 9290eb26b6721521f79b580a02d9f042cee6bb5ae4b05cd7cc97deb1884bd060
Opcode Fuzzy Hash: 78c3b6e5ab7d116a177753396dd4c597ce1b69491cd7b47f45fd0b8be3c6b899
Instruction Fuzzy Hash: 29D0C932784711BAE669AB709C4BFD76A18AB55B55F000825B34AAA1E0C9E09800C654

Function 00335998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003359AE
PostMessageW.USER32(00000000), ref: 003359B5

Part of subcall function 00315244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003152BC

Strings

Shell_TrayWnd, xrefs: 003359A7

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: f8d7bbae9b9d85b2e328e6e2bb92bda3b1e3cf34b3b7ba19e27ea1c8c2de267a
Instruction ID: 93a48ae3f5d9184222b82ad32bd78015eb72ad2f7ba19d597d11a19d8b8a5b6a
Opcode Fuzzy Hash: f8d7bbae9b9d85b2e328e6e2bb92bda3b1e3cf34b3b7ba19e27ea1c8c2de267a
Instruction Fuzzy Hash: 7BD0C932780711BAE66AAB709C4BFD76A18AB59B55F400825B346EA1E0C9E0A800C658

Function 003093DD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 003093E9
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 003093F7

Strings

@U=u, xrefs: 003093E9, 003093F7

Memory Dump Source

Source File: 00000000.00000002.1399688052.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.1399666491.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.000000000033F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399770983.0000000000364000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399818897.000000000036E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1399841555.0000000000377000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_qI6cHJbHJg.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: d30e34150361674783a9342601a7e03b99817a8ae56a292af5d0ee2602fdc32f
Instruction ID: 07e91db493816426fc1ca4c30f0ca6f866ad6ee2d4e37203dfef4e85bd7b8d98
Opcode Fuzzy Hash: d30e34150361674783a9342601a7e03b99817a8ae56a292af5d0ee2602fdc32f
Instruction Fuzzy Hash: 3AC00231541180BAEA221B77AD4ED873E3DE7CAF52B51116CB211950B5C6650095D624

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report qI6cHJbHJg.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut2354.tmp

C:\Users\user\AppData\Local\Temp\piceworth

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
qI6cHJbHJg.exe

Function 002B3B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 002B49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 002B4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00319155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 002B3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Function 002B3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 002B708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 002B3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 002B3A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 002B3766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 002BF76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 0140F328 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 002B39D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 0140F108 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 139
fileCOMMON

Function 002B407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre