Edit tour

Windows Analysis Report
oEQp0EklDb.exe

Overview

General Information

Sample name:	oEQp0EklDb.exe renamed because original name is a hash value
Original sample name:	e5e0af864a6139819638bb346cc44506b80cc68cb67b1d6b3ff9ecd23638c37d.exe
Analysis ID:	1588137
MD5:	44c8c2a9b68a69c6a1e4616f9595961c
SHA1:	8ab9910b1963f581f94733e4293a8e2ac14a4d77
SHA256:	e5e0af864a6139819638bb346cc44506b80cc68cb67b1d6b3ff9ecd23638c37d
Tags:	exeMassLoggeruser-adrian__luca
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

oEQp0EklDb.exe (PID: 768 cmdline: "C:\Users\user\Desktop\oEQp0EklDb.exe" MD5: 44C8C2A9B68A69C6A1E4616F9595961C)

RegSvcs.exe (PID: 2512 cmdline: "C:\Users\user\Desktop\oEQp0EklDb.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "xxxx1@surewaz.com", "Password": "3ENTf1r-?g81", "Server": "surewaz.com", "To": "xxxx@surewaz.com", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2738769258.0000000002DB6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2737632443.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.2737632443.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2737632443.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2737632443.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefa7:$a1: get_encryptedPassword 0xf2cf:$a2: get_encryptedUsername 0xed42:$a3: get_timePasswordChanged 0xee63:$a4: get_passwordField 0xefbd:$a5: set_encryptedPassword 0x10919:$a7: get_logins 0x105ca:$a8: GetOutlookPasswords 0x103bc:$a9: StartKeylogger 0x10869:$a10: KeyLoggerEventArgs 0x10419:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1532493906.0000000001270000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1532493906.0000000001270000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1532493906.0000000001270000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1532493906.0000000001270000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1532493906.0000000001270000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14131:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1362f:$a3: \Google\Chrome\User Data\Default\Login Data 0x1393d:$a4: \Orbitum\User Data\Default\Login Data 0x14735:$a5: \Kometa\User Data\Default\Login Data
Process Memory Space: oEQp0EklDb.exe PID: 768	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: oEQp0EklDb.exe PID: 768	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: oEQp0EklDb.exe PID: 768	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: oEQp0EklDb.exe PID: 768	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1189d97:$a1: get_encryptedPassword 0x118a0b0:$a2: get_encryptedUsername 0x1189b46:$a3: get_timePasswordChanged 0x1189c67:$a4: get_passwordField 0x1189dad:$a5: set_encryptedPassword 0x118b6b0:$a7: get_logins 0x118b361:$a8: GetOutlookPasswords 0x118b153:$a9: StartKeylogger 0x118b600:$a10: KeyLoggerEventArgs 0x118b1b0:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 2512	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 2512	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 2512	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 2512	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x11bbd:$a1: get_encryptedPassword 0x11ed6:$a2: get_encryptedUsername 0x1196c:$a3: get_timePasswordChanged 0x11a8d:$a4: get_passwordField 0x11bd3:$a5: set_encryptedPassword 0x134d6:$a7: get_logins 0x13187:$a8: GetOutlookPasswords 0x12f79:$a9: StartKeylogger 0x13426:$a10: KeyLoggerEventArgs 0x12fd6:$a11: KeyLoggerEventArgsEventHandler
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.oEQp0EklDb.exe.1270000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.oEQp0EklDb.exe.1270000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.oEQp0EklDb.exe.1270000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.oEQp0EklDb.exe.1270000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.oEQp0EklDb.exe.1270000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12331:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1182f:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b3d:$a4: \Orbitum\User Data\Default\Login Data 0x12935:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
2.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14131:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1362f:$a3: \Google\Chrome\User Data\Default\Login Data 0x1393d:$a4: \Orbitum\User Data\Default\Login Data 0x14735:$a5: \Kometa\User Data\Default\Login Data
0.2.oEQp0EklDb.exe.1270000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.oEQp0EklDb.exe.1270000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.oEQp0EklDb.exe.1270000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.oEQp0EklDb.exe.1270000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
0.2.oEQp0EklDb.exe.1270000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14131:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1362f:$a3: \Google\Chrome\User Data\Default\Login Data 0x1393d:$a4: \Orbitum\User Data\Default\Login Data 0x14735:$a5: \Kometa\User Data\Default\Login Data
Click to see the 10 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:48:27.459248+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49704	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.oEQp0EklDb.exe.1270000.1.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "xxxx1@surewaz.com", "Password": "3ENTf1r-?g81", "Server": "surewaz.com", "To": "xxxx@surewaz.com", "Port": 587}

Multi AV Scanner detection for submitted file

Source: oEQp0EklDb.exe	Virustotal: Detection: 63%			Perma Link
Source: oEQp0EklDb.exe	ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: oEQp0EklDb.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: oEQp0EklDb.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49705 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: oEQp0EklDb.exe, 00000000.00000003.1523604940.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, oEQp0EklDb.exe, 00000000.00000003.1522786188.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: oEQp0EklDb.exe, 00000000.00000003.1523604940.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, oEQp0EklDb.exe, 00000000.00000003.1522786188.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_0101445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0101445A
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_0101C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0101C75C
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_0101C6D1 FindFirstFileW,FindClose,	0_2_0101C6D1
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_0101EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0101EF95
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_0101F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0101F0F2
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_0101F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0101F3F3
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_010137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_010137EF
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_01013B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_01013B12
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_0101BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0101BCBC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 010E9731h	2_2_010E9480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 010E9E5Ah	2_2_010E9A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 010E9E5Ah	2_2_010E9D87

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49704 -> 132.226.247.73:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49705 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_010222EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_010222EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000002.00000002.2738769258.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.2738769258.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 00000002.00000002.2738769258.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2738769258.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.2738769258.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000002.00000002.2738769258.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: oEQp0EklDb.exe, 00000000.00000002.1532493906.0000000001270000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2737632443.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.2738769258.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: RegSvcs.exe, 00000002.00000002.2738769258.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.2738769258.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegSvcs.exe, 00000002.00000002.2738769258.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: oEQp0EklDb.exe, 00000000.00000002.1532493906.0000000001270000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2737632443.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000002.00000002.2738769258.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: oEQp0EklDb.exe, 00000000.00000002.1532493906.0000000001270000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2737632443.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2738769258.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.2738769258.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegSvcs.exe, 00000002.00000002.2738769258.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_01024164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_01024164

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_01024164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_01024164

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_01023F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_01023F66

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_0101001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0101001C

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_0103CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0103CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.oEQp0EklDb.exe.1270000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.oEQp0EklDb.exe.1270000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.oEQp0EklDb.exe.1270000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.oEQp0EklDb.exe.1270000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.2737632443.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1532493906.0000000001270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1532493906.0000000001270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: Process Memory Space: oEQp0EklDb.exe PID: 768, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 2512, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00FB3B3A
Source: oEQp0EklDb.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: oEQp0EklDb.exe, 00000000.00000000.1481776789.0000000001064000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_88f3a283-5
Source: oEQp0EklDb.exe, 00000000.00000000.1481776789.0000000001064000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_927c257e-0
Source: oEQp0EklDb.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_37310b82-a
Source: oEQp0EklDb.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_4ee087e0-4

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_0101A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0101A1EF

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_01008310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_01008310

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_010151BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_010151BD

Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FBE6A0	0_2_00FBE6A0
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FDD975	0_2_00FDD975
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FBFCE0	0_2_00FBFCE0
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FD21C5	0_2_00FD21C5
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FE62D2	0_2_00FE62D2
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_010303DA	0_2_010303DA
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FE242E	0_2_00FE242E
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FD25FA	0_2_00FD25FA
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FC66E1	0_2_00FC66E1
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_0100E616	0_2_0100E616
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FE878F	0_2_00FE878F
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FE6844	0_2_00FE6844
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FC8808	0_2_00FC8808
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_01030857	0_2_01030857
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_01018889	0_2_01018889
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FDCB21	0_2_00FDCB21
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FE6DB6	0_2_00FE6DB6
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FC6F9E	0_2_00FC6F9E
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FC3030	0_2_00FC3030
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FDF1D9	0_2_00FDF1D9
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FD3187	0_2_00FD3187
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FB1287	0_2_00FB1287
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FD1484	0_2_00FD1484
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FC5520	0_2_00FC5520
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FD7696	0_2_00FD7696
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FC5760	0_2_00FC5760
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FD1978	0_2_00FD1978
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FE9AB5	0_2_00FE9AB5
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_01037DDB	0_2_01037DDB
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FDBDA6	0_2_00FDBDA6
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FD1D90	0_2_00FD1D90
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FC3FE0	0_2_00FC3FE0
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FBDF00	0_2_00FBDF00
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_013021D8	0_2_013021D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010EC530	2_2_010EC530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010E2DD1	2_2_010E2DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010E9480	2_2_010E9480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010EC521	2_2_010EC521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010E946F	2_2_010E946F

Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: String function: 00FB7DE1 appears 35 times
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: String function: 00FD0AE3 appears 70 times
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: String function: 00FD8900 appears 42 times

Source: oEQp0EklDb.exe, 00000000.00000003.1525057833.0000000003B33000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs oEQp0EklDb.exe
Source: oEQp0EklDb.exe, 00000000.00000003.1524234646.0000000003CDD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs oEQp0EklDb.exe
Source: oEQp0EklDb.exe, 00000000.00000002.1532493906.0000000001270000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs oEQp0EklDb.exe

Source: oEQp0EklDb.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.oEQp0EklDb.exe.1270000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.oEQp0EklDb.exe.1270000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.oEQp0EklDb.exe.1270000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.oEQp0EklDb.exe.1270000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.2737632443.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1532493906.0000000001270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1532493906.0000000001270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: oEQp0EklDb.exe PID: 768, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 2512, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/2

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_0101A06A GetLastError,FormatMessageW,

0_2_0101A06A

Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_010081CB AdjustTokenPrivileges,CloseHandle,		0_2_010081CB
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_010087E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_010087E1

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_0101B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0101B333

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_0102EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0102EE0D

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_0101C397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0101C397

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_00FB4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00FB4E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

File created: C:\Users\user\AppData\Local\Temp\aut17A.tmp

Jump to behavior

Source: oEQp0EklDb.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.2738769258.0000000002D7F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2738769258.0000000002D73000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2738769258.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2739329383.0000000003C8D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2738769258.0000000002D50000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2738769258.0000000002D40000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: oEQp0EklDb.exe	Virustotal: Detection: 63%
Source: oEQp0EklDb.exe	ReversingLabs: Detection: 73%

Source: unknown	Process created: C:\Users\user\Desktop\oEQp0EklDb.exe "C:\Users\user\Desktop\oEQp0EklDb.exe"
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\oEQp0EklDb.exe"
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\oEQp0EklDb.exe"	Jump to behavior

Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: oEQp0EklDb.exe

Static file information: File size 1059840 > 1048576

Source: oEQp0EklDb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: oEQp0EklDb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: oEQp0EklDb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: oEQp0EklDb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: oEQp0EklDb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: oEQp0EklDb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: oEQp0EklDb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: oEQp0EklDb.exe, 00000000.00000003.1523604940.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, oEQp0EklDb.exe, 00000000.00000003.1522786188.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: oEQp0EklDb.exe, 00000000.00000003.1523604940.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, oEQp0EklDb.exe, 00000000.00000003.1522786188.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp

Source: oEQp0EklDb.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: oEQp0EklDb.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: oEQp0EklDb.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: oEQp0EklDb.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: oEQp0EklDb.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_00FB4B37 LoadLibraryA,GetProcAddress,

0_2_00FB4B37

Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FD8945 push ecx; ret	0_2_00FD8958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010EABCD pushfd ; iretd	2_2_010EABD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010EB3A8 push eax; iretd	2_2_010EB445

Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FB48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00FB48D7
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_01035376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_01035376

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_00FD3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00FD3187

Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

API/Special instruction interceptor: Address: 1301DFC

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-105772

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

API coverage: 4.7 %

Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_0101445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0101445A
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_0101C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0101C75C
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_0101C6D1 FindFirstFileW,FindClose,	0_2_0101C6D1
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_0101EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0101EF95
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_0101F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0101F0F2
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_0101F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0101F3F3
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_010137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_010137EF
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_01013B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_01013B12
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_0101BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0101BCBC

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_00FB49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FB49A0

Source: RegSvcs.exe, 00000002.00000002.2737754082.0000000000C77000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

API call chain: ExitProcess graph end node

graph_0-104399

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_01023F09 BlockInput,

0_2_01023F09

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_00FB3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00FB3B3A

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_00FE5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00FE5A7C

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_00FB4B37 LoadLibraryA,GetProcAddress,

0_2_00FB4B37

Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_01302068 mov eax, dword ptr fs:[00000030h]	0_2_01302068
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_013020C8 mov eax, dword ptr fs:[00000030h]	0_2_013020C8
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_01300A28 mov eax, dword ptr fs:[00000030h]	0_2_01300A28

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_0100810A GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_0100810A

Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FDA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00FDA155
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_00FDA124 SetUnhandledExceptionFilter,		0_2_00FDA124

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: ADF008

Jump to behavior

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_010087B1 LogonUserW,

0_2_010087B1

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_00FB3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00FB3B3A

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_00FB48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00FB48D7

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_01014C27 mouse_event,

0_2_01014C27

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\oEQp0EklDb.exe"

Jump to behavior

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_01007CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_01007CAF

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_0100874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0100874B

Source: oEQp0EklDb.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: oEQp0EklDb.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_00FD862B cpuid

0_2_00FD862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_00FE4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00FE4E87

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_00FF1E06 GetUserNameW,

0_2_00FF1E06

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_00FE3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00FE3F3A

Source: C:\Users\user\Desktop\oEQp0EklDb.exe

Code function: 0_2_00FB49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FB49A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.oEQp0EklDb.exe.1270000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oEQp0EklDb.exe.1270000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2737632443.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1532493906.0000000001270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: oEQp0EklDb.exe PID: 768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2512, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.oEQp0EklDb.exe.1270000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oEQp0EklDb.exe.1270000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2737632443.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1532493906.0000000001270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: oEQp0EklDb.exe PID: 768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2512, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: oEQp0EklDb.exe	Binary or memory string: WIN_81
Source: oEQp0EklDb.exe	Binary or memory string: WIN_XP
Source: oEQp0EklDb.exe	Binary or memory string: WIN_XPe
Source: oEQp0EklDb.exe	Binary or memory string: WIN_VISTA
Source: oEQp0EklDb.exe	Binary or memory string: WIN_7
Source: oEQp0EklDb.exe	Binary or memory string: WIN_8
Source: oEQp0EklDb.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.oEQp0EklDb.exe.1270000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oEQp0EklDb.exe.1270000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2738769258.0000000002DB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2737632443.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1532493906.0000000001270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: oEQp0EklDb.exe PID: 768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2512, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.oEQp0EklDb.exe.1270000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oEQp0EklDb.exe.1270000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2737632443.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1532493906.0000000001270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: oEQp0EklDb.exe PID: 768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2512, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.oEQp0EklDb.exe.1270000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oEQp0EklDb.exe.1270000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2737632443.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1532493906.0000000001270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: oEQp0EklDb.exe PID: 768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2512, type: MEMORYSTR

Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_01026283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_01026283
Source: C:\Users\user\Desktop\oEQp0EklDb.exe	Code function: 0_2_01026747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_01026747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	131 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Access Token Manipulation	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	212 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
oEQp0EklDb.exe	63%	Virustotal		Browse
oEQp0EklDb.exe	74%	ReversingLabs	Win32.Trojan.AutoitInject
oEQp0EklDb.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.48.1	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l	RegSvcs.exe, 00000002.00000002.2738769258.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	RegSvcs.exe, 00000002.00000002.2738769258.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	oEQp0EklDb.exe, 00000000.00000002.1532493906.0000000001270000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2737632443.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	RegSvcs.exe, 00000002.00000002.2738769258.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	RegSvcs.exe, 00000002.00000002.2738769258.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.2738769258.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	RegSvcs.exe, 00000002.00000002.2738769258.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.2738769258.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000002.00000002.2738769258.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2738769258.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000002.00000002.2738769258.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	RegSvcs.exe, 00000002.00000002.2738769258.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.2738769258.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	oEQp0EklDb.exe, 00000000.00000002.1532493906.0000000001270000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2737632443.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	oEQp0EklDb.exe, 00000000.00000002.1532493906.0000000001270000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2737632443.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2738769258.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.48.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588137
Start date and time:	2025-01-10 21:47:18 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	oEQp0EklDb.exe renamed because original name is a hash value
Original Sample Name:	e5e0af864a6139819638bb346cc44506b80cc68cb67b1d6b3ff9ecd23638c37d.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 52 Number of non-executed functions: 273
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 2512 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	www.axis138ae.shop/j2vs/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	twirpx.org/administrator/index.php
	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	www.antipromil.site/7ykh/
132.226.247.73	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	#U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	hZbkP3TJBJ.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	y1jQC8Y6bP.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	FILHKLtCw0.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
reallyfreegeoip.org	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	hZbkP3TJBJ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	y1jQC8Y6bP.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	FILHKLtCw0.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	HGhGAjCVw5.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://cocteldedeas.mx/rx567#cmVjaWJhc2VAc2VhbWFyaXRpbWEuY29t	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	104.21.80.1
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
	http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
UTMEMUS	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	ppISxhDcpF.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	CvzLvta2bG.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	xom6WSISuh.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	3WgNXsWvMO.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	hZbkP3TJBJ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	y1jQC8Y6bP.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	FILHKLtCw0.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1

Process:	C:\Users\user\Desktop\oEQp0EklDb.exe
File Type:	data
Category:	dropped
Size (bytes):	73316
Entropy (8bit):	7.926198920713145
Encrypted:	false
SSDEEP:	1536:DDbp0RUImk7wZmzunc8S3uxnLlQQD40l7RVqFsoKoJ41vVG6ee:D/p0RUnk7wZmzunZ5xnLlQQD4kLXuqd1
MD5:	94DDB17E9DC981F3A29CB04774262C49
SHA1:	4CB3264DD7BD7749BD024FE6F2B2D54EDF335078
SHA-256:	999F747A86188A65EF6DF1E1861AEC097DBFBDEC4DC69235FF1C675EA83CDC62
SHA-512:	B9F3CEB4891976FC8F5DD333B6705870C71FA116AE7B525BB6E58F7D2D0947152ACD0402E52F934FBDB593EF844ECA3B02E797208D88EB30FE03DDB5EFD4CB53
Malicious:	false
Reputation:	low
Preview:	EA06..n....Sy.^.W..k.....2...JT.H...j}.B....J...H..fS0.....q...+..}^....-...{.u.Ve....k9.N&...Nm<.......;..nRi......r....\..b....D)3+.N.T.~{.P.\|....N.T..&..&e;.t.[.7.....^b.tEk5....0..`.9..WkeV..k@..S.....S.U..Z..aG.t.`./.......:r.j.F....c.u.p./..E........h.ZL...u...i:....9.b.0....z.>.H.W.nUz...B...@..&..tzSj=@.t.M..>..>........O...9z.^.[..'4....J...+.ND..v..+.......k=..".J..".JT.....A_...9r...{...g9....)u:..m_...j..tD...@..a.:,..D..t....p.rb..H......0.W"......:...B_F.S&.z..Q.G..z.v.s.P.5ZL.f.~S.VjENy.S.UY.RaW.u....wq..= "rk7......Q.GmUz..._.Ls...gX....J.".-..)...o0...:.o.]..fR...H..i.9...<..hS..V.W..j3.E_.8.~/.I....._-.J..o4.T..y=2aH..Q...J..,u8.QY.t#....SB..,u[..30....$.Y.U......E....o..'.}B.^..e....y.M......Y.M.....a..#.9..mG.Y+....aS.Te.......]..p.B...")....?i..5[.RaH..cW.>.J...9.....Th.x.>.W..n.EV.2....J......-..}.B...W..V.Z.Mo.......R)V..R.2...I.c>..VnR.U...~YoS.%..U.]...u.97.jh.P82eK.B.S:.6.7.Q).x.6.M.Q.y.V.T.Ck..e^oa......L..'

C:\Users\user\AppData\Local\Temp\totten

Download File

Process:	C:\Users\user\Desktop\oEQp0EklDb.exe
File Type:	data
Category:	dropped
Size (bytes):	93696
Entropy (8bit):	6.914403878045233
Encrypted:	false
SSDEEP:	1536:vxfsIBfbD1XWJj7oI68eFISUZjur8VhesSJ1NSVQsJFmQL1Zbt7WzzFJU4+k6LUh:vHBn1c7JVjSURBhehJfSPJ1K1laVcRpB
MD5:	C7C741EBE20A03A87BCDB3CF4C76EEB5
SHA1:	8820523EDDEB0AE6144ACF4B00214981717822D8
SHA-256:	A83E16198952B972C6390046F473C4ED5DCFF3932F8052955F3F301CD870D2E2
SHA-512:	6B24BEBF84EF12F77FA55858C9BEFCA94D5149299F52A72A1394B0E9B45F472BF24C392CF1DB547419EBC068C930BAA69FFAD4F044C3E9D0DC19B4526E8A9D49
Malicious:	false
Reputation:	low
Preview:	...73WRWQYX0..I2.ROTJ1DH.6GVOJQB70WRWUYX0HUI23ROTJ1DHS6GVOJQ.70W\H.WX.A.h.2..u.Y-;sF59(80/.S6<9:-xR-u;G]r&:ju..s[(2d\O=.WRWUYX0..I2.SLT...S6GVOJQB.0US\T.X0,TI2;ROTJ1DV.7GVoJQB.1WRW.YX.HUI03RKTJ1DHS6AVOJQB70W.VUYZ0HUI23PO4.1DXS6WVOJQR70GRWUYX0XUI23ROTJ1DH..FV.JQB7.VR.PYX0HUI23ROTJ1DHS6GV.KQN70WRWUYX0HUI23ROTJ1DHS6GVOJQB70WRWUYX0HUI23ROTJ1DHS6gVOBQB70WRWUYX0@uI2{ROTJ1DHS6GVa>4:C0WRs7XX0hUI2WSOTH1DHS6GVOJQB70WrWU9vB;'23R.QJ1D.R6GPOJQ$60WRWUYX0HUI23.OT..6-?Y$VOFQB70.SWU[X0H9H23ROTJ1DHS6GV.JQ.70WRWUYX0HUI23ROT.0DHS6G.OJQ@75W..UY.HUJ23R.TJ7.S6.VOJQB70WRWUYX0HUI23ROTJ1DHS6GVOJQB70WRWUYX0.(.=..=9..HS6GVOKSA36_ZWUYX0HUIL3RO.J1D.S6GaOJQg70W?WUY\|0HU723R1TJ1 HS65VOJ0B70.RWU6X0H;I23,OTJ/F`L6G\elQ@..WR]Us.CiUI8.SOTNBfHS<.TOJU1.0WX.VYX4;qI29.KTJ57mS6M.JJQF.jWQ.C_X0S:q23XOW.$BHS-mpOHy{70]R}sY[.]SI2(xmTH.MHS2m.<WQB1..RW_-Q0HW.83RK~T3l.S6M\|m4BB74\|R}w'L0HQb2.p1AJ1@cS.e(YJQF.0}p)BYX4cUc4.0O&.=D8PY&VOLy.70]z.UY^0boIL=ROPH^.HS<a\|uJy.70QR..YX6H..2MaOTN.C6`6GRd\/s70S.Q-YX6;.I29w.gJ1@`.6G\O`.B.iWRQUq.0HS

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.913083554655307
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	oEQp0EklDb.exe
File size:	1'059'840 bytes
MD5:	44c8c2a9b68a69c6a1e4616f9595961c
SHA1:	8ab9910b1963f581f94733e4293a8e2ac14a4d77
SHA256:	e5e0af864a6139819638bb346cc44506b80cc68cb67b1d6b3ff9ecd23638c37d
SHA512:	02db0630d3b03a92d2c97143924169056b2523f2c81150dd7affa541cdbb994d23af7fde1826dd89ff1ad244fa1c48286042b3a775c89c5701c95d4ccd00f94f
SSDEEP:	24576:hu6J33O0c+JY5UZ+XC0kGso6FaSw4ymtZVSaLA/QgWY:zu0c++OCvkGs9FaSwMtTSac+Y
TLSH:	EA35AE22B3DD8360CB669133BF6A77016E7B7C250630F85B1F883D79AA72161162D763
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	0c0c220a1b435127

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6758D7A0 [Wed Dec 11 00:06:56 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F4990B1A9BAh
jmp 00007F4990B0D784h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F4990B0D90Ah
cmp edi, eax
jc 00007F4990B0DC6Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F4990B0D909h
rep movsb
jmp 00007F4990B0DC1Ch
cmp ecx, 00000080h
jc 00007F4990B0DAD4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F4990B0D910h
bt dword ptr [004BE324h], 01h
jc 00007F4990B0DDE0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F4990B0DAADh
test edi, 00000003h
jne 00007F4990B0DABEh
test esi, 00000003h
jne 00007F4990B0DA9Dh
bt edi, 02h
jnc 00007F4990B0D90Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F4990B0D913h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F4990B0D965h
bt esi, 03h
jnc 00007F4990B0D9B8h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x3a338	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x102000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x3a338	0x3a400	3e0e840279f24e3df729232acc877092	False	0.8042180793991416	data	7.294163837237389	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x102000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc7458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc7580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc76a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc77d0	0x11260	Device independent bitmap graphic, 113 x 300 x 32, image size 67800	English	Great Britain	0.4470102505694761
RT_MENU	0xd8a30	0x50	data	English	Great Britain	0.9
RT_STRING	0xd8a80	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xd9014	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xd96a0	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xd9b30	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xda12c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xda788	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdabf0	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdad48	0x260d1	data			1.0003593037207184
RT_GROUP_ICON	0x100e1c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x100e30	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x100e44	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x100e58	0x14	data	English	Great Britain	1.25
RT_VERSION	0x100e6c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x100f48	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T21:48:27.459248+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49704	132.226.247.73	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 21:48:26.503221989 CET	49704	80	192.168.2.8	132.226.247.73
Jan 10, 2025 21:48:26.508131981 CET	80	49704	132.226.247.73	192.168.2.8
Jan 10, 2025 21:48:26.508193016 CET	49704	80	192.168.2.8	132.226.247.73
Jan 10, 2025 21:48:26.508526087 CET	49704	80	192.168.2.8	132.226.247.73
Jan 10, 2025 21:48:26.513267994 CET	80	49704	132.226.247.73	192.168.2.8
Jan 10, 2025 21:48:27.188359022 CET	80	49704	132.226.247.73	192.168.2.8
Jan 10, 2025 21:48:27.192843914 CET	49704	80	192.168.2.8	132.226.247.73
Jan 10, 2025 21:48:27.197741985 CET	80	49704	132.226.247.73	192.168.2.8
Jan 10, 2025 21:48:27.403930902 CET	80	49704	132.226.247.73	192.168.2.8
Jan 10, 2025 21:48:27.413713932 CET	49705	443	192.168.2.8	104.21.48.1
Jan 10, 2025 21:48:27.413772106 CET	443	49705	104.21.48.1	192.168.2.8
Jan 10, 2025 21:48:27.413873911 CET	49705	443	192.168.2.8	104.21.48.1
Jan 10, 2025 21:48:27.423460960 CET	49705	443	192.168.2.8	104.21.48.1
Jan 10, 2025 21:48:27.423486948 CET	443	49705	104.21.48.1	192.168.2.8
Jan 10, 2025 21:48:27.459248066 CET	49704	80	192.168.2.8	132.226.247.73
Jan 10, 2025 21:48:27.915971994 CET	443	49705	104.21.48.1	192.168.2.8
Jan 10, 2025 21:48:27.916057110 CET	49705	443	192.168.2.8	104.21.48.1
Jan 10, 2025 21:48:27.922620058 CET	49705	443	192.168.2.8	104.21.48.1
Jan 10, 2025 21:48:27.922641993 CET	443	49705	104.21.48.1	192.168.2.8
Jan 10, 2025 21:48:27.923232079 CET	443	49705	104.21.48.1	192.168.2.8
Jan 10, 2025 21:48:27.974862099 CET	49705	443	192.168.2.8	104.21.48.1
Jan 10, 2025 21:48:28.002681971 CET	49705	443	192.168.2.8	104.21.48.1
Jan 10, 2025 21:48:28.043330908 CET	443	49705	104.21.48.1	192.168.2.8
Jan 10, 2025 21:48:28.117357016 CET	443	49705	104.21.48.1	192.168.2.8
Jan 10, 2025 21:48:28.117443085 CET	443	49705	104.21.48.1	192.168.2.8
Jan 10, 2025 21:48:28.117495060 CET	49705	443	192.168.2.8	104.21.48.1
Jan 10, 2025 21:48:28.150389910 CET	49705	443	192.168.2.8	104.21.48.1
Jan 10, 2025 21:49:32.403780937 CET	80	49704	132.226.247.73	192.168.2.8
Jan 10, 2025 21:49:32.403842926 CET	49704	80	192.168.2.8	132.226.247.73
Jan 10, 2025 21:50:07.412950039 CET	49704	80	192.168.2.8	132.226.247.73
Jan 10, 2025 21:50:07.418689966 CET	80	49704	132.226.247.73	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 21:48:26.344194889 CET	51228	53	192.168.2.8	1.1.1.1
Jan 10, 2025 21:48:26.350807905 CET	53	51228	1.1.1.1	192.168.2.8
Jan 10, 2025 21:48:27.405802965 CET	49290	53	192.168.2.8	1.1.1.1
Jan 10, 2025 21:48:27.412939072 CET	53	49290	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 21:48:26.344194889 CET	192.168.2.8	1.1.1.1	0xbd96	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:48:27.405802965 CET	192.168.2.8	1.1.1.1	0xfde5	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 21:48:26.350807905 CET	1.1.1.1	192.168.2.8	0xbd96	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 21:48:26.350807905 CET	1.1.1.1	192.168.2.8	0xbd96	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:48:26.350807905 CET	1.1.1.1	192.168.2.8	0xbd96	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:48:26.350807905 CET	1.1.1.1	192.168.2.8	0xbd96	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:48:26.350807905 CET	1.1.1.1	192.168.2.8	0xbd96	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:48:26.350807905 CET	1.1.1.1	192.168.2.8	0xbd96	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:48:27.412939072 CET	1.1.1.1	192.168.2.8	0xfde5	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:48:27.412939072 CET	1.1.1.1	192.168.2.8	0xfde5	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:48:27.412939072 CET	1.1.1.1	192.168.2.8	0xfde5	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:48:27.412939072 CET	1.1.1.1	192.168.2.8	0xfde5	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:48:27.412939072 CET	1.1.1.1	192.168.2.8	0xfde5	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:48:27.412939072 CET	1.1.1.1	192.168.2.8	0xfde5	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:48:27.412939072 CET	1.1.1.1	192.168.2.8	0xfde5	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49704	132.226.247.73	80	2512	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:48:26.508526087 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:48:27.188359022 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:48:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 21:48:27.192843914 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 21:48:27.403930902 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:48:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49705	104.21.48.1	443	2512	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:48:27 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 20:48:28 UTC	863	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:48:28 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1856897 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1rQIS1Ge7WO37wBWLJRJxSqlFIdKuR%2FI4%2FulT5ra67fW7jlzcVaul%2Fa0Lv7vP%2BFXDNc6Ul3TrB8%2BFNyMf%2BSsFC3z%2BMMMlmrAFii6YH0WdPPY2v6ntbsSWbsGStqkM5Y3qXscUJTG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff872f5984c323-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1460&min_rtt=1435&rtt_var=590&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1778319&cwnd=214&unsent_bytes=0&cid=18569d33f818f717&ts=218&x=0"
2025-01-10 20:48:28 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	15:48:20
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\oEQp0EklDb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\oEQp0EklDb.exe"
Imagebase:	0xfb0000
File size:	1'059'840 bytes
MD5 hash:	44C8C2A9B68A69C6A1E4616F9595961C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1532493906.0000000001270000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1532493906.0000000001270000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1532493906.0000000001270000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1532493906.0000000001270000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.1532493906.0000000001270000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:48:24
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\oEQp0EklDb.exe"
Imagebase:	0x810000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2738769258.0000000002DB6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2737632443.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2737632443.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2737632443.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2737632443.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	6.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	61

Executed Functions

Function 00FB3B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FB3B68
IsDebuggerPresent.KERNEL32 ref: 00FB3B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,010752F8,010752E0,?,?), ref: 00FB3BEB

Part of subcall function 00FB7BCC: _memmove.LIBCMT ref: 00FB7C06

Part of subcall function 00FC092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00FB3C14,010752F8,?,?,?), ref: 00FC096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00FB3C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,01067770,00000010), ref: 00FED281
SetCurrentDirectoryW.KERNEL32(?,010752F8,?,?,?), ref: 00FED2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,01064260,010752F8,?,?,?), ref: 00FED33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 00FED346

Part of subcall function 00FB3A46: GetSysColorBrush.USER32(0000000F), ref: 00FB3A50
Part of subcall function 00FB3A46: LoadCursorW.USER32(00000000,00007F00), ref: 00FB3A5F
Part of subcall function 00FB3A46: LoadIconW.USER32(00000063), ref: 00FB3A76
Part of subcall function 00FB3A46: LoadIconW.USER32(000000A4), ref: 00FB3A88
Part of subcall function 00FB3A46: LoadIconW.USER32(000000A2), ref: 00FB3A9A
Part of subcall function 00FB3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FB3AC0
Part of subcall function 00FB3A46: RegisterClassExW.USER32(?), ref: 00FB3B16

Part of subcall function 00FB39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FB3A03
Part of subcall function 00FB39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FB3A24
Part of subcall function 00FB39D5: ShowWindow.USER32(00000000,?,?), ref: 00FB3A38
Part of subcall function 00FB39D5: ShowWindow.USER32(00000000,?,?), ref: 00FB3A41

Part of subcall function 00FB434A: _memset.LIBCMT ref: 00FB4370
Part of subcall function 00FB434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FB4415

Strings

This is a third-party compiled AutoIt script., xrefs: 00FED279
runas, xrefs: 00FED33A

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: c9f183f044a453fe84d2ffd15b40bc6242d48e0c89d82454f8950bc6b3311e29
Instruction ID: d90a4000c76ba75fcb129810559f8d930ce64dea09d53cecdc14143c76b50c39
Opcode Fuzzy Hash: c9f183f044a453fe84d2ffd15b40bc6242d48e0c89d82454f8950bc6b3311e29
Instruction Fuzzy Hash: 8E514571D08249AEDF21EBF6DC06EFD7BB8AF46710F004059F491B6152CA7A5A06EF21

Function 00FB49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00FB49CD

Part of subcall function 00FB7BCC: _memmove.LIBCMT ref: 00FB7C06

GetCurrentProcess.KERNEL32(?,0103FAEC,00000000,00000000,?), ref: 00FB4A9A
IsWow64Process.KERNEL32(00000000), ref: 00FB4AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00FB4AE7
FreeLibrary.KERNEL32(00000000), ref: 00FB4AF2
GetSystemInfo.KERNEL32(00000000), ref: 00FB4B23
GetSystemInfo.KERNEL32(00000000), ref: 00FB4B2F

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: cb4c1bea61aaa5c87f46d10f0ed51da2a71164abbd69ade7c998125e2984c5f0
Instruction ID: 94f00a9d107eacec3d9555ae92ba11ee3b1309a49dd3cf4ecafc599bd60c91b3
Opcode Fuzzy Hash: cb4c1bea61aaa5c87f46d10f0ed51da2a71164abbd69ade7c998125e2984c5f0
Instruction Fuzzy Hash: 39910631D897C1DEC731DB7A85502EAFFF9AF6A310B44495DD0C783A42D224B508EB5A

Function 00FB4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00FB4D8E,?,?,00000000,00000000), ref: 00FB4E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00FB4D8E,?,?,00000000,00000000), ref: 00FB4EB0
LoadResource.KERNEL32(?,00000000,?,?,00FB4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00FB4E2F), ref: 00FED937
SizeofResource.KERNEL32(?,00000000,?,?,00FB4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00FB4E2F), ref: 00FED94C
LockResource.KERNEL32(00FB4D8E,?,?,00FB4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00FB4E2F,00000000), ref: 00FED95F

Strings

SCRIPT, xrefs: 00FB4EA6

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 5b13fe8fd5da58b2cf853b3576f2325e2929f768be1710085ee5b4f2e42560a2
Instruction ID: 0d756cb4eff1486fb0d24dd03ade267b855adbca094200daa240fff34eb7a7cd
Opcode Fuzzy Hash: 5b13fe8fd5da58b2cf853b3576f2325e2929f768be1710085ee5b4f2e42560a2
Instruction Fuzzy Hash: 4B119A75A00701BFD7208B66EC48F677BBEFBC5B11F20426CF44686651DB62E8009A61

Function 00FBFCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 96eb0f046697df0f0da427ec9ee74137a3eb1e6f03390aaf6adf18dc6a71de8a
Instruction ID: 0a3828410ac3dbdb571f456683fb61d4ec6b14c0fcdf2f8e29a955d937bddc6c
Opcode Fuzzy Hash: 96eb0f046697df0f0da427ec9ee74137a3eb1e6f03390aaf6adf18dc6a71de8a
Instruction Fuzzy Hash: 6A926A71A08342CFD720DF14C581B6AB7E1BF85314F14892DE98A8B361DB75EC46EB92

Function 0101445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00FEE398), ref: 0101446A
FindFirstFileW.KERNELBASE(?,?), ref: 0101447B
FindClose.KERNEL32(00000000), ref: 0101448B

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 82f96fb834647089dba9b0ff6cb64e8ac3be2d4ef74fcabd52b641cc8328118d
Instruction ID: 6dab0c91fc10702342e63b6ef4212deff52a55a33db2480e6ad790bece204aa4
Opcode Fuzzy Hash: 82f96fb834647089dba9b0ff6cb64e8ac3be2d4ef74fcabd52b641cc8328118d
Instruction Fuzzy Hash: 90E0D833810502A742206A38EC0D8EA779C9F05335F104745F8B5C20E4EF7C590087D6

Function 00FBE6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00FF3E62

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 6e3540bb3d607db29ec90678d4c85abe2c988e787fc80814060343e3c55c09dd
Instruction ID: dd115c187b40330382f54abb8e6c12388a2269450a73133cf6be3160a7c43f51
Opcode Fuzzy Hash: 6e3540bb3d607db29ec90678d4c85abe2c988e787fc80814060343e3c55c09dd
Instruction Fuzzy Hash: E8A26975E00209CFCB24CF5AC880AEAB7B6BF58314F248069D946AB351D775ED46EF90

Function 00FC09D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FC0A5B
timeGetTime.WINMM ref: 00FC0D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FC0E53
Sleep.KERNEL32(0000000A), ref: 00FC0E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00FC0EFA
DestroyWindow.USER32 ref: 00FC0F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FC0F20
Sleep.KERNEL32(0000000A,?,?), ref: 00FF4E83
TranslateMessage.USER32(?), ref: 00FF5C60
DispatchMessageW.USER32(?), ref: 00FF5C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FF5C82

Strings

@GUI_WINHANDLE, xrefs: 00FF4F8F
@COM_EVENTOBJ, xrefs: 00FF54F0
@TRAY_ID, xrefs: 00FF578F
@GUI_CTRLHANDLE, xrefs: 00FF4FE4
@GUI_CTRLID, xrefs: 00FF4F3A

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: dbe56dc15e419569ca236d4a6cf1e628c75294d6453a9864c5fce6f8e030823c
Instruction ID: bed82af621c043e7499f0bb6858239b96b789cdbd7c12e8d581f51e08a4ae06b
Opcode Fuzzy Hash: dbe56dc15e419569ca236d4a6cf1e628c75294d6453a9864c5fce6f8e030823c
Instruction Fuzzy Hash: 50B24570A08706DFD724DF24C885FBAB7E4BF80714F14491DE68A972A1CB79E845EB42

Function 01019155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01018F5F: __time64.LIBCMT ref: 01018F69

Part of subcall function 00FB4EE5: _fseek.LIBCMT ref: 00FB4EFD

__wsplitpath.LIBCMT ref: 01019234

Part of subcall function 00FD40FB: __wsplitpath_helper.LIBCMT ref: 00FD413B

_wcscpy.LIBCMT ref: 01019247
_wcscat.LIBCMT ref: 0101925A
__wsplitpath.LIBCMT ref: 0101927F
_wcscat.LIBCMT ref: 01019295
_wcscat.LIBCMT ref: 010192A8

Part of subcall function 01018FA5: _memmove.LIBCMT ref: 01018FDE
Part of subcall function 01018FA5: _memmove.LIBCMT ref: 01018FED

_wcscmp.LIBCMT ref: 010191EF

Part of subcall function 01019734: _wcscmp.LIBCMT ref: 01019824
Part of subcall function 01019734: _wcscmp.LIBCMT ref: 01019837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 01019452
_wcsncpy.LIBCMT ref: 010194C5
DeleteFileW.KERNEL32(?,?), ref: 010194FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 01019511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01019522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01019534

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 95cf4d680c1a87dfc6038593e6072484469ad8cdac716650feaec86af80d9607
Instruction ID: b0a58b8ee312486f457f6c00d4ab8791eca55124c0c7c2f64ccbfa4caf9b91ba
Opcode Fuzzy Hash: 95cf4d680c1a87dfc6038593e6072484469ad8cdac716650feaec86af80d9607
Instruction Fuzzy Hash: C9C15BB1D00219ABDF21DF95CC95EDEBBBDEF44304F0040AAE609E7245EB389A449F61

Function 00FB301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FB3074
RegisterClassExW.USER32(00000030), ref: 00FB309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FB30AF
InitCommonControlsEx.COMCTL32(?), ref: 00FB30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FB30DC
LoadIconW.USER32(000000A9), ref: 00FB30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FB3101

Strings

AutoIt v3 GUI, xrefs: 00FB3090
TaskbarCreated, xrefs: 00FB30A4
+, xrefs: 00FB305D
0, xrefs: 00FB3056

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 2c565a724b1a4db405fc624bffd9bceb94166401f83a34c1311d9b0ba16262fe
Instruction ID: 3b5f3829ab80e3786ff76dec1cc54f429646cfd28aae507ea765c9457e831838
Opcode Fuzzy Hash: 2c565a724b1a4db405fc624bffd9bceb94166401f83a34c1311d9b0ba16262fe
Instruction Fuzzy Hash: EB3116B1D4130AEFDB618FA4D889AD9BBF4FB09310F14451AE580E6294E7BA0585CF91

Function 00FB3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FB3074
RegisterClassExW.USER32(00000030), ref: 00FB309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FB30AF
InitCommonControlsEx.COMCTL32(?), ref: 00FB30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FB30DC
LoadIconW.USER32(000000A9), ref: 00FB30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FB3101

Strings

AutoIt v3 GUI, xrefs: 00FB3090
TaskbarCreated, xrefs: 00FB30A4
+, xrefs: 00FB305D
0, xrefs: 00FB3056

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 196278ab226bc486c8a15a299155ea8c07ca1cf0a11797f064073e260520dd21
Instruction ID: 418c326c484d702b5bf2ae80f392dab8766d7833aa3927b55f994eafbcf21e49
Opcode Fuzzy Hash: 196278ab226bc486c8a15a299155ea8c07ca1cf0a11797f064073e260520dd21
Instruction Fuzzy Hash: BA21C5B1D01219AFDB60DFA4E989ADDBBF8FB08700F00411AF591F6294D7BA45448F92

Function 00FB708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FB4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010752F8,?,00FB37AE,?), ref: 00FB4724

Part of subcall function 00FD050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00FB7165), ref: 00FD052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00FB71A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00FEE8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00FEE909
RegCloseKey.ADVAPI32(?), ref: 00FEE947
_wcscat.LIBCMT ref: 00FEE9A0

Strings

Include, xrefs: 00FEE8BF, 00FEE900
\, xrefs: 00FEE9C3
Software\AutoIt v3\AutoIt, xrefs: 00FB719E
\Include\, xrefs: 00FB7165

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: b51fdb439c72af79d85cdd8a919053f7bfab95c27ed7416f18d29e3c7fade886
Instruction ID: 2d4db5d83e1a9714ae235da7cd62a52c461897289015d11cdebf6e54fb55e8e3
Opcode Fuzzy Hash: b51fdb439c72af79d85cdd8a919053f7bfab95c27ed7416f18d29e3c7fade886
Instruction Fuzzy Hash: 8E71A171908B019ED354EF26E8819AFB7E8FF84310F40052EF486972A0DB3A9949DF52

Function 00FB3A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FB3A50
LoadCursorW.USER32(00000000,00007F00), ref: 00FB3A5F
LoadIconW.USER32(00000063), ref: 00FB3A76
LoadIconW.USER32(000000A4), ref: 00FB3A88
LoadIconW.USER32(000000A2), ref: 00FB3A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FB3AC0
RegisterClassExW.USER32(?), ref: 00FB3B16

Part of subcall function 00FB3041: GetSysColorBrush.USER32(0000000F), ref: 00FB3074
Part of subcall function 00FB3041: RegisterClassExW.USER32(00000030), ref: 00FB309E
Part of subcall function 00FB3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FB30AF
Part of subcall function 00FB3041: InitCommonControlsEx.COMCTL32(?), ref: 00FB30CC
Part of subcall function 00FB3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FB30DC
Part of subcall function 00FB3041: LoadIconW.USER32(000000A9), ref: 00FB30F2
Part of subcall function 00FB3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FB3101

Strings

AutoIt v3, xrefs: 00FB3B05
#, xrefs: 00FB3AFB
0, xrefs: 00FB3AF4

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 702a00346ac2e6db12a8164eba96fa9bebe9deedf4c8f6ab56ad9f164be52fa8
Instruction ID: 537908fb27262abc8772a4b096ab9cdad14f8a6b7ea634692aa2de95e319d236
Opcode Fuzzy Hash: 702a00346ac2e6db12a8164eba96fa9bebe9deedf4c8f6ab56ad9f164be52fa8
Instruction Fuzzy Hash: 01216470D00308AFEB21DFA5EC09BDD7BB5FB09711F10051AF680BA295C7BA5A419FA0

Function 00FB3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00FB36D2
KillTimer.USER32(?,00000001), ref: 00FB36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FB371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FB372A
CreatePopupMenu.USER32 ref: 00FB373E
PostQuitMessage.USER32(00000000), ref: 00FB374D

Strings

TaskbarCreated, xrefs: 00FB3725

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 5cd2d30ef119e4fcec7f51244b52700a5cfdadee77423723cc05c25e88f7a20b
Instruction ID: ce155f52ccc84178d54d8efe1914c4d7e3707c3880430f2bd8e0c20643146727
Opcode Fuzzy Hash: 5cd2d30ef119e4fcec7f51244b52700a5cfdadee77423723cc05c25e88f7a20b
Instruction Fuzzy Hash: 804157B2E84506BBDB245F26DC09FF93759FB01310F640119F582E6295CF6AAE01BB62

Function 00FB3766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINE, xrefs: 00FB3822
/AutoIt3OutputDebug, xrefs: 00FB3892
CMDLINERAW, xrefs: 00FB37FB
/AutoIt3ExecuteLine, xrefs: 00FB38A7
/ErrorStdOut, xrefs: 00FB387D
/AutoIt3ExecuteScript, xrefs: 00FB38BC
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00FB37AE

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 04d301720388c1c560ba1dccde2a35a9374470c8c2f4bcce5eab093930b3619a
Instruction ID: f05277f75edd615c72354ed248b701f8c71ca91408678a6b98cc21e7b0eb3949
Opcode Fuzzy Hash: 04d301720388c1c560ba1dccde2a35a9374470c8c2f4bcce5eab093930b3619a
Instruction Fuzzy Hash: B5A18C72D0021D9ADF04EBA2CC91AEEB779BF55310F44001AF411B7191EF78AA09EFA0

Function 013011B8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01301289
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 013014AF

Memory Dump Source

Source File: 00000000.00000002.1532892118.00000000012FE000.00000040.00000020.00020000.00000000.sdmp, Offset: 012FE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fe000_oEQp0EklDb.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction ID: 02617b398fc38ee33c5256b7bb1399dfe6583de981814359f9a0863fd47a2511
Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction Fuzzy Hash: A0A10A74E00209EBDB15CFA8C894BEEBBB5FF48309F208199E611BB2D0D7759A41CB54

Function 00FB39D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FB3A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FB3A24
ShowWindow.USER32(00000000,?,?), ref: 00FB3A38
ShowWindow.USER32(00000000,?,?), ref: 00FB3A41

Strings

AutoIt v3, xrefs: 00FB39FB, 00FB3A00, 00FB3A01
edit, xrefs: 00FB3A1E

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: a5beb00f45c4db97450c62aa013832628785c1aee9e6806d756aac7bf88f59eb
Instruction ID: b58751b0c18deeb8ad41724545838f3cd96d02bb2a48583abe3fdb81c0b80fb6
Opcode Fuzzy Hash: a5beb00f45c4db97450c62aa013832628785c1aee9e6806d756aac7bf88f59eb
Instruction Fuzzy Hash: 9DF0DA71D412907EEA315627AC49EAB2E7DE7CBF50B00411EBA40F6264C66A1852DBB1

Function 01300F68 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01300E58: Sleep.KERNELBASE(000001F4), ref: 01300E69

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 013010A2

Strings

JQB70WRWUYX0HUI23ROTJ1DHS6GVO, xrefs: 01301105, 01301108

Memory Dump Source

Source File: 00000000.00000002.1532892118.00000000012FE000.00000040.00000020.00020000.00000000.sdmp, Offset: 012FE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fe000_oEQp0EklDb.jbxd

Similarity

API ID: CreateFileSleep
String ID: JQB70WRWUYX0HUI23ROTJ1DHS6GVO
API String ID: 2694422964-1355107099
Opcode ID: 7364605319ebc43f357a6721363dfef25494aa1df2be7528be122a25dcbfba7a
Instruction ID: ba7c342a15e50e0c90fc21707a5d021e86a33c8908a560a937fdbb1f8a132aba
Opcode Fuzzy Hash: 7364605319ebc43f357a6721363dfef25494aa1df2be7528be122a25dcbfba7a
Instruction Fuzzy Hash: 91618270D14288DAEF16D7B8C858BEFBBB8AF15304F044199E6587B2C1C7B94B48CB65

Function 00FB407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00FED3D7

Part of subcall function 00FB7BCC: _memmove.LIBCMT ref: 00FB7C06

_memset.LIBCMT ref: 00FB40FC
_wcscpy.LIBCMT ref: 00FB4150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FB4160

Strings

Line: , xrefs: 00FED400

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: aebfd9b076cb8556239f8cffa3b75a3c545b0d7fb7ff6b28765c799e4d1a2db1
Instruction ID: dc698752fc67798c022b86c77eb34e55d7a0708b7c97fc4cf86de7e10c2d862f
Opcode Fuzzy Hash: aebfd9b076cb8556239f8cffa3b75a3c545b0d7fb7ff6b28765c799e4d1a2db1
Instruction Fuzzy Hash: 5831AD71808305AED331FB62DC46BDA77E8AB84310F10451EF5C992092EB78A649EF96

Function 00FD541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00FD547B
_memcpy_s.LIBCMT ref: 00FD54ED
__read_nolock.LIBCMT ref: 00FD554B
__filbuf.LIBCMT ref: 00FD556E
_memset.LIBCMT ref: 00FD55B2

Part of subcall function 00FD8B28: __getptd_noexit.LIBCMT ref: 00FD8B28

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: cbbfdc4962629dabdce46921351869752bb11a0675dc50afd71e73d267384062
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: CB51C371A00A059BCB25CEA9E85076E77A3AF41B34B2C862BE825963D0D7719D90AB41

Function 00FB686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00FB4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,010752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FB4E0F

_free.LIBCMT ref: 00FEE263
_free.LIBCMT ref: 00FEE2AA

Part of subcall function 00FB6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00FB6BAD

Strings

Bad directive syntax error, xrefs: 00FEE292
>>>AUTOIT SCRIPT<<<, xrefs: 00FEE039

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: b6cacc202d88116d2d3aa2d348f7d30d6af287ab5ab79172a6b7b95c59189dd7
Instruction ID: 586798342d3c252da6c85d595420c0141f04240fd3c8b339bb1b76626c728cb8
Opcode Fuzzy Hash: b6cacc202d88116d2d3aa2d348f7d30d6af287ab5ab79172a6b7b95c59189dd7
Instruction Fuzzy Hash: 9A918E71D0025A9FCF04EFA6DC819EDB7B8FF18310F14442AE915AB2A1DB78A945EF50

Function 00FB35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00FB35A1,SwapMouseButtons,00000004,?), ref: 00FB35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00FB35A1,SwapMouseButtons,00000004,?,?,?,?,00FB2754), ref: 00FB35F5
RegCloseKey.KERNELBASE(00000000,?,?,00FB35A1,SwapMouseButtons,00000004,?,?,?,?,00FB2754), ref: 00FB3617

Strings

Control Panel\Mouse, xrefs: 00FB35D2

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 9a835222e6241222ad2a4eed7f0b69426e8b7342db70bd3b4c9de509b7aa3867
Instruction ID: b42b82d67974d81e152ac2626bc02fbad9c921aed13ac28652f8df1853747a7c
Opcode Fuzzy Hash: 9a835222e6241222ad2a4eed7f0b69426e8b7342db70bd3b4c9de509b7aa3867
Instruction Fuzzy Hash: EA115AB5950208BFDB209F69DC84EEEB7BDEF04750F005459F805D7210D2719F40AB60

Function 012FFE58 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01300685
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 013006A9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 013006CB

Memory Dump Source

Source File: 00000000.00000002.1532892118.00000000012FE000.00000040.00000020.00020000.00000000.sdmp, Offset: 012FE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fe000_oEQp0EklDb.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction ID: 4f97013445e99db926f189dca3efd2336246ff9536666094f4a0c68c34261b46
Opcode Fuzzy Hash: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction Fuzzy Hash: 24620D30A14258DBEB24CFA4C850BDEB776EF58304F1091A9E10DEB2D0E7799E81CB59

Function 0101955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00FB4EE5: _fseek.LIBCMT ref: 00FB4EFD

Part of subcall function 01019734: _wcscmp.LIBCMT ref: 01019824
Part of subcall function 01019734: _wcscmp.LIBCMT ref: 01019837

_free.LIBCMT ref: 010196A2
_free.LIBCMT ref: 010196A9
_free.LIBCMT ref: 01019714

Part of subcall function 00FD2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00FD9A24), ref: 00FD2D69
Part of subcall function 00FD2D55: GetLastError.KERNEL32(00000000,?,00FD9A24), ref: 00FD2D7B

_free.LIBCMT ref: 0101971C

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 7dd68a50df805913eb00c34a27d6ded36937f3f948ec9ed53f85418c27706a1d
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: 0D514CB1904218ABDF259F65CC81AAEBBBAFF48304F14449EB649A3341DB755A80CF58

Function 00FD470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FD47A0
__flush.LIBCMT ref: 00FD47C0
__write.LIBCMT ref: 00FD47F3
__flsbuf.LIBCMT ref: 00FD4821

Part of subcall function 00FD8B28: __getptd_noexit.LIBCMT ref: 00FD8B28

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 5e4b0590ffcc26f8d9fd5893de215b0b41723a50db8d282a097b21f4c00d3f7e
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 4E41A275E007469BDF189E69C8849AE77A7AF413A0B2C813FE81987780DB74ED41BB40

Function 00FB44A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FB44CF

Part of subcall function 00FB407C: _memset.LIBCMT ref: 00FB40FC
Part of subcall function 00FB407C: _wcscpy.LIBCMT ref: 00FB4150
Part of subcall function 00FB407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FB4160

KillTimer.USER32(?,00000001,?,?), ref: 00FB4524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FB4533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FED4B9

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 2d2a086783bd864f153ddbbb48e7fb2c73b430d6cf061c0f51a7f9825ccd15ec
Instruction ID: 17e55a9cbe0d889b55b877e3c7e6fd376804798d6a7b38c51f7ef8cc41a97235
Opcode Fuzzy Hash: 2d2a086783bd864f153ddbbb48e7fb2c73b430d6cf061c0f51a7f9825ccd15ec
Instruction Fuzzy Hash: 8B210771D047849FE732DB258845BE6BBECAF11314F08008EE6CE56182C7793984EB42

Function 00FB7285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FEEA39
GetOpenFileNameW.COMDLG32(?), ref: 00FEEA83

Part of subcall function 00FB4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FB4743,?,?,00FB37AE,?), ref: 00FB4770

Part of subcall function 00FD0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FD07B0

Strings

X, xrefs: 00FEEA51

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: d2190db0befadae88b1177056f6021f5f33f1a5d354d8f585da00a4ee762c008
Instruction ID: 20e7ded5592068abd5a2a976eaabc67564c11aca3aaf2200968940202e38401c
Opcode Fuzzy Hash: d2190db0befadae88b1177056f6021f5f33f1a5d354d8f585da00a4ee762c008
Instruction Fuzzy Hash: 4121C331A002889BCB519F95DC45BEE7BFDAF49714F00805AE448AB241DBB85989DFA1

Function 01018D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 01018DAC
__fread_nolock.LIBCMT ref: 01018DC1

Strings

EA06, xrefs: 01018DF3

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 0e9f7a4595a688f0e6ff4f5076bb052448250eced99414964074e8834af56915
Instruction ID: 41741d9ff20af904abbb303389addfa7dce614b8f05d0963ed081258786ab3ff
Opcode Fuzzy Hash: 0e9f7a4595a688f0e6ff4f5076bb052448250eced99414964074e8834af56915
Instruction Fuzzy Hash: DB01F9718042187EDB18DAA8CC16EEE7BF8DB11701F04419FF592D2281E579E6048B60

Function 010198E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 010198F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0101990F

Strings

aut, xrefs: 01019909

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d5d66a71996f518eeca36ae9f83a84389d272411e90285b9ab7e2f630af8f995
Instruction ID: f458d1ac02c8f505f057c6b8c40a47df939ed399918cd112a34f27f8db1793a6
Opcode Fuzzy Hash: d5d66a71996f518eeca36ae9f83a84389d272411e90285b9ab7e2f630af8f995
Instruction Fuzzy Hash: 62D05E7994030EABDB609AA0EC0EF9AB73CE704700F0042A1BA9495091EAB595988B92

Function 0102CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ca5a64ba278f5ba42d704b4148f445a2cd2d50733535305e4c0c237d370b2b
Instruction ID: be349a02245d6f14a1ba1144b544f15cda667c78685dff37ee777112085b85a1
Opcode Fuzzy Hash: 06ca5a64ba278f5ba42d704b4148f445a2cd2d50733535305e4c0c237d370b2b
Instruction Fuzzy Hash: 08F16570A083119FDB14DF28C980A6EBBE5FF89314F44896EF8998B251D735E905CF82

Function 00FBF76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FD0193
Part of subcall function 00FD0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00FD019B
Part of subcall function 00FD0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FD01A6
Part of subcall function 00FD0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FD01B1
Part of subcall function 00FD0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00FD01B9
Part of subcall function 00FD0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00FD01C1

Part of subcall function 00FC60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00FBF930), ref: 00FC6154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00FBF9CD
OleInitialize.OLE32(00000000), ref: 00FBFA4A
CloseHandle.KERNEL32(00000000), ref: 00FF45C8

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 27ac54b16e559cae624e20e8c52ca3400d700ec10e72543f9262c43fb306655b
Instruction ID: 349c023f0962e966b52f94d234b448fb3206ebfe9aee0d93ea59fa3b376d430c
Opcode Fuzzy Hash: 27ac54b16e559cae624e20e8c52ca3400d700ec10e72543f9262c43fb306655b
Instruction Fuzzy Hash: 2981CDB0E017408FD3A4EF39ED456D9BBE5FB8830AB50852AD0C9EB259EB7A4404CF15

Function 00FB434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FB4370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FB4415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FB4432

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 5fb60dd18ed70ef832c5db71288c0f17ccc810a49046119ea6e4ab09709422ae
Instruction ID: feb4e132cbe34b51f8157c6fc1a9ef8e02f4bb6dd7d77091f2a90f9fa12c5793
Opcode Fuzzy Hash: 5fb60dd18ed70ef832c5db71288c0f17ccc810a49046119ea6e4ab09709422ae
Instruction Fuzzy Hash: D0318EB0904301CFD721DF25D9846DBBBE8FB59318F04092EF5DA92282E776B944DB92

Function 00FD571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00FD5733

Part of subcall function 00FDA16B: __NMSG_WRITE.LIBCMT ref: 00FDA192
Part of subcall function 00FDA16B: __NMSG_WRITE.LIBCMT ref: 00FDA19C

__NMSG_WRITE.LIBCMT ref: 00FD573A

Part of subcall function 00FDA1C8: GetModuleFileNameW.KERNEL32(00000000,010733BA,00000104,?,00000001,00000000), ref: 00FDA25A
Part of subcall function 00FDA1C8: ___crtMessageBoxW.LIBCMT ref: 00FDA308

Part of subcall function 00FD309F: ___crtCorExitProcess.LIBCMT ref: 00FD30A5
Part of subcall function 00FD309F: ExitProcess.KERNEL32 ref: 00FD30AE

Part of subcall function 00FD8B28: __getptd_noexit.LIBCMT ref: 00FD8B28

RtlAllocateHeap.NTDLL(012B0000,00000000,00000001,00000000,?,?,?,00FD0DD3,?), ref: 00FD575F

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: ec6d8ed9ca12d2d439824d8291c0bc7557e466dc9c2a9061356f430e7b3d7b0a
Instruction ID: 93a1c0ca23c1c83c65d979a8d8909180b031f4079d8f4325bde957bd250d9fda
Opcode Fuzzy Hash: ec6d8ed9ca12d2d439824d8291c0bc7557e466dc9c2a9061356f430e7b3d7b0a
Instruction Fuzzy Hash: CE01F532A00B16DAE7212735EC42B6E774A9B82B71F3C0027F505AA381DE788C01BB61

Function 010198A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,01019548,?,?,?,?,?,00000004), ref: 010198BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,01019548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 010198D1
CloseHandle.KERNEL32(00000000,?,01019548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 010198D8

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 40a2f379a7d0b73c7b6dcd19048f331f39128b7fd9758dca674b712df1e60dc3
Instruction ID: a3b99083ddd70d28196682be7172e3360b2cfde24474d6c6511344ff42d17060
Opcode Fuzzy Hash: 40a2f379a7d0b73c7b6dcd19048f331f39128b7fd9758dca674b712df1e60dc3
Instruction Fuzzy Hash: 50E08632540215B7E7311A94EC09FDA7F5DAB06764F108210FB94690D0C7B625119799

Function 01018D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01018D1B

Part of subcall function 00FD2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00FD9A24), ref: 00FD2D69
Part of subcall function 00FD2D55: GetLastError.KERNEL32(00000000,?,00FD9A24), ref: 00FD2D7B

_free.LIBCMT ref: 01018D2C
_free.LIBCMT ref: 01018D3E

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 18e4dce609c2af327a6958699c5f1a669831dbba71460f55ff6a8a3155d301f2
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 6FE0C2A160170042DBA1B57CAC40A8323DE4F68352748484FB94DD724ACE6CF4429064

Function 00FBA9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00FEFC01

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 8a9b54f301d327176c6f629c8f2e61e3f0d8513c202d9e9e496943e72e070b93
Instruction ID: bba0f2db95f2961656185c581cf93730c239f30ac3024c05c3c1d69a26b7b7d8
Opcode Fuzzy Hash: 8a9b54f301d327176c6f629c8f2e61e3f0d8513c202d9e9e496943e72e070b93
Instruction Fuzzy Hash: 84225871908241DFD724DF15C490BAABBE1BF84310F18896DE89A8B361DB75EC45EF82

Function 00FB4C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FB4CBA

Strings

EA06, xrefs: 00FED8CC

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: e2e947d6c165f0338cfddf424d4073da6b8c7799b97416f878739d3787ec66b7
Instruction ID: 4e9311c629c6b3baa80b4fbfc16e16fc866bb474af4b0b70993d71ef4d812c64
Opcode Fuzzy Hash: e2e947d6c165f0338cfddf424d4073da6b8c7799b97416f878739d3787ec66b7
Instruction Fuzzy Hash: C0415922E0415867CF219F56CE517FE7FA29B49310F284475E882DB283D624BD44BBA1

Function 00FB47D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00FB4834

Part of subcall function 00FD336C: __lock.LIBCMT ref: 00FD3372
Part of subcall function 00FD336C: DecodePointer.KERNEL32(00000001,?,00FB4849,01007C74), ref: 00FD337E
Part of subcall function 00FD336C: EncodePointer.KERNEL32(?,?,00FB4849,01007C74), ref: 00FD3389

Part of subcall function 00FB48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00FB4915
Part of subcall function 00FB48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00FB492A

Part of subcall function 00FB3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FB3B68
Part of subcall function 00FB3B3A: IsDebuggerPresent.KERNEL32 ref: 00FB3B7A
Part of subcall function 00FB3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,010752F8,010752E0,?,?), ref: 00FB3BEB
Part of subcall function 00FB3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00FB3C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00FB4874

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 3beb077c74f02723dca725499de2963bfe7cf5814d70ef89b9a9ee10e1494d53
Instruction ID: 1736294c46e2bf25b7985b6f2cb553bb1cc74f2893c1488c009d174944f5eedd
Opcode Fuzzy Hash: 3beb077c74f02723dca725499de2963bfe7cf5814d70ef89b9a9ee10e1494d53
Instruction Fuzzy Hash: 9D11AE718083419FD720DF2ADC0598ABBE8FB89750F00491EF181932A1DBBA9505CF82

Function 00FD0DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FD571C: __FF_MSGBANNER.LIBCMT ref: 00FD5733
Part of subcall function 00FD571C: __NMSG_WRITE.LIBCMT ref: 00FD573A
Part of subcall function 00FD571C: RtlAllocateHeap.NTDLL(012B0000,00000000,00000001,00000000,?,?,?,00FD0DD3,?), ref: 00FD575F

std::exception::exception.LIBCMT ref: 00FD0DEC
__CxxThrowException@8.LIBCMT ref: 00FD0E01

Part of subcall function 00FD859B: RaiseException.KERNEL32(?,?,?,01069E78,00000000,?,?,?,?,00FD0E06,?,01069E78,?,00000001), ref: 00FD85F0

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: de66627c86e2f15f8c1f1becbe2c1e5ec3a505f9758271c9a8f0ecba89cb3127
Instruction ID: 34b8791ee130299864b0aa550d1f93d68f2898dfa76feaa0fadbe63aea3b00ad
Opcode Fuzzy Hash: de66627c86e2f15f8c1f1becbe2c1e5ec3a505f9758271c9a8f0ecba89cb3127
Instruction Fuzzy Hash: F3F0A47190031E66CB14BAA4EC41ADE77AE9F01361F18042BF94496741DF749A91E6E1

Function 00FD55FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FD562C
__lock_file.LIBCMT ref: 00FD564D

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: b12e4f3fc7f29f07d518d9fc9179198ee5ebc414cf6b371fdca1607a6291bae8
Instruction ID: 1bf8a8754efd75004548d2fb86a73ae1d5b1ea3332b24a524504a1d4bee03448
Opcode Fuzzy Hash: b12e4f3fc7f29f07d518d9fc9179198ee5ebc414cf6b371fdca1607a6291bae8
Instruction Fuzzy Hash: 0A01B572C00604ABCF11AF658C0249E7B63AF51761F4C4117B4245A391DB39C512FF91

Function 00FD53A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FD8B28: __getptd_noexit.LIBCMT ref: 00FD8B28

__lock_file.LIBCMT ref: 00FD53EB

Part of subcall function 00FD6C11: __lock.LIBCMT ref: 00FD6C34

__fclose_nolock.LIBCMT ref: 00FD53F6

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: e7295362256552569e17ded2d897e7c050b50c507185a204bad0a92a17e04964
Instruction ID: 43221918c404a442ff076ccd8ca1bdd7ca14959b279f5141e485d6857f8661cc
Opcode Fuzzy Hash: e7295362256552569e17ded2d897e7c050b50c507185a204bad0a92a17e04964
Instruction Fuzzy Hash: A4F09C71900A049AD7107B659C0179D77A36F41775F2C4107A464AB3C1CBBC49427B52

Function 012FFE55 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01300685
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 013006A9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 013006CB

Memory Dump Source

Source File: 00000000.00000002.1532892118.00000000012FE000.00000040.00000020.00020000.00000000.sdmp, Offset: 012FE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fe000_oEQp0EklDb.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction ID: d2c1c01a1e71d55ffd872a78fdd20d32aae47821505c32c5c39be6b14e28ae14
Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction Fuzzy Hash: 0E12DF20E14658C6EB24DF64D8507DEB272EF68300F1091E9910DEB7A5E77A4F81CB5A

Function 00FD0C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00FD0CB7

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: c15b23156ccdfa89b2b0bc54d4994516a9894d179b9879085276d73979772a0c
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: B031B271A101069BC718DF59C484B69F7A6FB59310F6887A6E80ACB355DB31EDC1EBC0

Function 00FEFCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00FEFCB7

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: dda522029fdcea30d7ff9f962b4877016888c31fb500d77046a9f404b0c027c6
Instruction ID: 16d0a400a403d3d8385e4529fbe6f8980123c959b55b4cd51b5505b74a7252cf
Opcode Fuzzy Hash: dda522029fdcea30d7ff9f962b4877016888c31fb500d77046a9f404b0c027c6
Instruction Fuzzy Hash: E24116749083418FDB24CF25C844B6ABBE1BF49314F0988ACE9998B362C776E845DF52

Function 00FD06FE Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 986838c8522aae9993819694b4f434794342992652ded1c03e0171e56e3e1933
Instruction ID: d002604d11fc2a3ed0e8174a07e1813063aac860501004a5311121dcadc79866
Opcode Fuzzy Hash: 986838c8522aae9993819694b4f434794342992652ded1c03e0171e56e3e1933
Instruction Fuzzy Hash: 5321F63240F3C25FC7228B349C469D7BFA5DB82224B1881EFE8E48ED93DD21444B9796

Function 00FB4DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00FB4BEF

Part of subcall function 00FD525B: __wfsopen.LIBCMT ref: 00FD5266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,010752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FB4E0F

Part of subcall function 00FB4B6A: FreeLibrary.KERNEL32(00000000), ref: 00FB4BA4

Part of subcall function 00FB4C70: _memmove.LIBCMT ref: 00FB4CBA

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 73ff4ae8cec7ec77cfcb6516f166e06fe93d45550806dd16436ef2441b7215d1
Instruction ID: db4a2b21f03d8221a154769b287401b8722c4bedcb0c8f389e4f23b756d2b593
Opcode Fuzzy Hash: 73ff4ae8cec7ec77cfcb6516f166e06fe93d45550806dd16436ef2441b7215d1
Instruction Fuzzy Hash: 67119432600206ABCF15AF72CD16FED77A9AF84750F108829F541A7182DA79AA05BF51

Function 00FEFD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00FEFD91

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: afdb119bd66df1eb2f8132fafd15966adc229458f609d7ae138a23e1a3076a7e
Instruction ID: eb097596bb8a6ab240a0a431fd4b22f66cf4babdc98db7b1d3b427c763a8ee48
Opcode Fuzzy Hash: afdb119bd66df1eb2f8132fafd15966adc229458f609d7ae138a23e1a3076a7e
Instruction Fuzzy Hash: E02115B4908341DFCB24DF65C844B5ABBE1BF88314F05896CE98A57722D735E809EF92

Function 00FD4863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00FD48A6

Part of subcall function 00FD8B28: __getptd_noexit.LIBCMT ref: 00FD8B28

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 18eb5431260bc891985ae797ef6faff11105f365b07d587abbf701191616f665
Instruction ID: 35c60980036f96529933611dcc54038d2d6f39752a739c5b0099892bf39935f7
Opcode Fuzzy Hash: 18eb5431260bc891985ae797ef6faff11105f365b07d587abbf701191616f665
Instruction Fuzzy Hash: 21F0A431D01645ABDF11AFA4CC0679E36A3AF003B5F1D4416B4149A391CB7C9951FB51

Function 00FB4E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,010752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FB4E7E

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 6f75860bb1ea31057a2294a81e992c7ab4dda36e8eacddc99c5b1a29db1c61cc
Instruction ID: bc4f9b089853bee7b0dc7d1b9414f54a3916c7158cebf3f4b39e2159b536179d
Opcode Fuzzy Hash: 6f75860bb1ea31057a2294a81e992c7ab4dda36e8eacddc99c5b1a29db1c61cc
Instruction Fuzzy Hash: D6F03971901712CFCB349F66E994892BBE5BF143393248A3EE1E682612C772E840EF40

Function 00FD0791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FD07B0

Part of subcall function 00FB7BCC: _memmove.LIBCMT ref: 00FB7C06

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: b7e65185592dba0af008d7d23b4c157565ac41668d5bfb6978acbd96eb52f176
Instruction ID: fee9f4d9aae05f15e10a54b36fcd1017837b82e3ece4a8dfdd1cdddfb0f0f9fc
Opcode Fuzzy Hash: b7e65185592dba0af008d7d23b4c157565ac41668d5bfb6978acbd96eb52f176
Instruction Fuzzy Hash: A2E0863690422957C720A5699C05FEA779DDBC86A0F0441B5FC08D7249D9659C908A91

Function 01018E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 01018EC1

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: bf2d6b5753a1a372ad74b0c279f5ee83b5351e55d6b9c6dada29a52ca516f331
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: 47E092B0104B005BD7398A28D800BA377E1AB05304F04095EF2EA83242EB6778418759

Function 00FD525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00FD5266

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: c8be3de1554a4a6fa9611ad4581a5440f5b9f0c6dbd26cb4649e60b253fec549
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: C6B0927644020C77CE012A82EC02A493B1A9B42B65F448021FB0C18262E677A668AA89

Function 01300E58 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01300E69

Memory Dump Source

Source File: 00000000.00000002.1532892118.00000000012FE000.00000040.00000020.00020000.00000000.sdmp, Offset: 012FE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fe000_oEQp0EklDb.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: c82d874c8bd4903148b12d8058bfe8eadc35c3b27268e16b90eff404a3ac278e
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: D1E0E67494010EDFDB00DFB4D54969E7BF4EF04301F100261FD05E2280D6309D50CA62

Non-executed Functions

Function 0103CABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB2612: GetWindowLongW.USER32(?,000000EB), ref: 00FB2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0103CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0103CB95
GetWindowLongW.USER32(?,000000F0), ref: 0103CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0103CC00
SendMessageW.USER32 ref: 0103CC29
_wcsncpy.LIBCMT ref: 0103CC95
GetKeyState.USER32(00000011), ref: 0103CCB6
GetKeyState.USER32(00000009), ref: 0103CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0103CCD9
GetKeyState.USER32(00000010), ref: 0103CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0103CD0C
SendMessageW.USER32 ref: 0103CD33
SendMessageW.USER32(?,00001030,?,0103B348), ref: 0103CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0103CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0103CE60
SetCapture.USER32(?), ref: 0103CE69
ClientToScreen.USER32(?,?), ref: 0103CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0103CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0103CEF5
ReleaseCapture.USER32 ref: 0103CF00
GetCursorPos.USER32(?), ref: 0103CF3A
ScreenToClient.USER32(?,?), ref: 0103CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 0103CFA3
SendMessageW.USER32 ref: 0103CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0103D00E
SendMessageW.USER32 ref: 0103D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0103D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0103D06D
GetCursorPos.USER32(?), ref: 0103D08D
ScreenToClient.USER32(?,?), ref: 0103D09A
GetParent.USER32(?), ref: 0103D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 0103D123
SendMessageW.USER32 ref: 0103D154
ClientToScreen.USER32(?,?), ref: 0103D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0103D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 0103D20C
SendMessageW.USER32 ref: 0103D22F
ClientToScreen.USER32(?,?), ref: 0103D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0103D2B5

Part of subcall function 00FB25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FB25EC

GetWindowLongW.USER32(?,000000F0), ref: 0103D351

Strings

F, xrefs: 0103D235
@GUI_DRAGID, xrefs: 0103CE9C

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: d337dc2d268d830cbf1341bb4849f3228e31b7fceaf7bfdabf84c8f0ab65d0c3
Instruction ID: b85eee00f5393ec3f5b88c97481a40fd443a2dd180012616ad7c05c4ed110eb6
Opcode Fuzzy Hash: d337dc2d268d830cbf1341bb4849f3228e31b7fceaf7bfdabf84c8f0ab65d0c3
Instruction Fuzzy Hash: F242BE74604241AFE725CF28C944EAABBE9FF8D350F04095AF6D5E72A1C732D850EB52

Function 01037DDB Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 010384D0

Strings

%d/%02d/%02d, xrefs: 01038209

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 7e5e48cd280f683094e6d02706f929e8b4a0605eed8e25a7ea664ccc7597cd69
Instruction ID: b473b91d70b9a08113729750cedba285ec52a7710b5d3da3fc8da04b2cb220e7
Opcode Fuzzy Hash: 7e5e48cd280f683094e6d02706f929e8b4a0605eed8e25a7ea664ccc7597cd69
Instruction Fuzzy Hash: 0412C271500205ABEB259F28CC49FAF7BFCEF89310F14829EF595EA2A1DB749945CB10

Function 00FC6F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FC71C3
_memset.LIBCMT ref: 00FC7539
_memmove.LIBCMT ref: 00FC76AC

Strings

DEFINE, xrefs: 01002103
\b(?=\w), xrefs: 01003769
[:>:]], xrefs: 00FC7492
Q\E, xrefs: 00FC7FCB
[:<:]], xrefs: 00FC7479
\b(?<=\w), xrefs: 01003773

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: d5eb3288c66980236eaf31f9142f9c36b3e258e5e6473d865b993774b86a4d87
Instruction ID: 2ae83f516b53b259deae171f195c99f97bc10b0ab301789b196dd54f18dc9172
Opcode Fuzzy Hash: d5eb3288c66980236eaf31f9142f9c36b3e258e5e6473d865b993774b86a4d87
Instruction Fuzzy Hash: CE93A375E04216DFEB26DF58C981BADB7F1FF48310F24816AE985AB2C1E7709981DB40

Function 00FB48D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00FB48DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FED665
IsIconic.USER32(?), ref: 00FED66E
ShowWindow.USER32(?,00000009), ref: 00FED67B
SetForegroundWindow.USER32(?), ref: 00FED685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FED69B
GetCurrentThreadId.KERNEL32 ref: 00FED6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FED6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00FED6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 00FED6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 00FED6CF
SetForegroundWindow.USER32(?), ref: 00FED6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FED6E7
keybd_event.USER32(00000012,00000000), ref: 00FED6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FED6FC
keybd_event.USER32(00000012,00000000), ref: 00FED701
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FED70A
keybd_event.USER32(00000012,00000000), ref: 00FED70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FED719
keybd_event.USER32(00000012,00000000), ref: 00FED71E
SetForegroundWindow.USER32(?), ref: 00FED721
AttachThreadInput.USER32(?,?,00000000), ref: 00FED748

Strings

Shell_TrayWnd, xrefs: 00FED660

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: dc6d323d8396656560a7a0412442af3b219d5a05919600b3fcdcd8d42cf05e74
Instruction ID: 252ae23359ca0621494bb3c00bfdfe3b083185c939083585bf07dc46fb4cfec1
Opcode Fuzzy Hash: dc6d323d8396656560a7a0412442af3b219d5a05919600b3fcdcd8d42cf05e74
Instruction Fuzzy Hash: C2315071E40358BBEB316B629C89F7F7E6CEB44B60F104025FA44EA1D1C6B55D01BBA1

Function 01008310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 010087E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0100882B
Part of subcall function 010087E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01008858
Part of subcall function 010087E1: GetLastError.KERNEL32 ref: 01008865

_memset.LIBCMT ref: 01008353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 010083A5
CloseHandle.KERNEL32(?), ref: 010083B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 010083CD
GetProcessWindowStation.USER32 ref: 010083E6
SetProcessWindowStation.USER32(00000000), ref: 010083F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0100840A

Part of subcall function 010081CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,01008309), ref: 010081E0
Part of subcall function 010081CB: CloseHandle.KERNEL32(?,?,01008309), ref: 010081F2

Strings

winsta0, xrefs: 010083C8
, xrefs: 01008362
default, xrefs: 01008405

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: dfed4294fccd24c7cb773e91550d20d7f65f78df194c6bd7944cc76ad47e2122
Instruction ID: fd9bf0bab7889685b3cec5baaa71cb35b472caf06071705a6271d62aaf8fac49
Opcode Fuzzy Hash: dfed4294fccd24c7cb773e91550d20d7f65f78df194c6bd7944cc76ad47e2122
Instruction Fuzzy Hash: D4817071C00209AFEF52DFA8CC44AEE7BB9FF08304F14815AFA94A6194D7368A54DB21

Function 0101C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0101C78D
FindClose.KERNEL32(00000000), ref: 0101C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0101C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0101C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 0101C844
__swprintf.LIBCMT ref: 0101C890
__swprintf.LIBCMT ref: 0101C8D3

Part of subcall function 00FB7DE1: _memmove.LIBCMT ref: 00FB7E22

__swprintf.LIBCMT ref: 0101C927

Part of subcall function 00FD3698: __woutput_l.LIBCMT ref: 00FD36F1

__swprintf.LIBCMT ref: 0101C975

Part of subcall function 00FD3698: __flsbuf.LIBCMT ref: 00FD3713
Part of subcall function 00FD3698: __flsbuf.LIBCMT ref: 00FD372B

__swprintf.LIBCMT ref: 0101C9C4
__swprintf.LIBCMT ref: 0101CA13
__swprintf.LIBCMT ref: 0101CA62

Strings

%4d, xrefs: 0101C8CD
%02d, xrefs: 0101C91B, 0101C925, 0101C973, 0101C9C2, 0101CA11, 0101CA60
%4d%02d%02d%02d%02d%02d, xrefs: 0101C88A

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 024e95aab4db65852a76d2e50eb23427ed840479483ae5bd30d4e5700d0a6716
Instruction ID: bb99a67de8959760cdd53930ac4bec94c9a67ca750b7e20ceae256952ec2cb7d
Opcode Fuzzy Hash: 024e95aab4db65852a76d2e50eb23427ed840479483ae5bd30d4e5700d0a6716
Instruction Fuzzy Hash: DAA14EB1408305ABD750EFA5CD85DAFB7ECFF94700F40091EF68586191EA79DA08DB62

Function 0101EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 0101EFB6
_wcscmp.LIBCMT ref: 0101EFCB
_wcscmp.LIBCMT ref: 0101EFE2
GetFileAttributesW.KERNEL32(?), ref: 0101EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 0101F00E
FindNextFileW.KERNEL32(00000000,?), ref: 0101F026
FindClose.KERNEL32(00000000), ref: 0101F031
FindFirstFileW.KERNEL32(*.*,?), ref: 0101F04D
_wcscmp.LIBCMT ref: 0101F074
_wcscmp.LIBCMT ref: 0101F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 0101F09D
SetCurrentDirectoryW.KERNEL32(01068920), ref: 0101F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 0101F0C5
FindClose.KERNEL32(00000000), ref: 0101F0D2
FindClose.KERNEL32(00000000), ref: 0101F0E4

Strings

*.*, xrefs: 0101F048

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 4f4c55e7e012caea7a2173d66d365c269d0480b156e59b947cc4b530de8c9162
Instruction ID: a27dbbcaeb035c60ed72e5589f1029c4d055abb23b10195fb3ca104109a5acf1
Opcode Fuzzy Hash: 4f4c55e7e012caea7a2173d66d365c269d0480b156e59b947cc4b530de8c9162
Instruction Fuzzy Hash: A331083290020B7ADB25DFB4EC58ADE77EC9F44260F044196F984D3054DB79DA44CB62

Function 01030857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01030953
RegCreateKeyExW.ADVAPI32(?,?,00000000,0103F910,00000000,?,00000000,?,?), ref: 010309C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 01030A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 01030A92
RegCloseKey.ADVAPI32(?), ref: 01030DB2
RegCloseKey.ADVAPI32(00000000), ref: 01030DBF

Strings

REG_DWORD, xrefs: 01030C83
REG_BINARY, xrefs: 01030D4D
REG_MULTI_SZ, xrefs: 01030B7A
REG_EXPAND_SZ, xrefs: 01030A2F
REG_QWORD, xrefs: 01030D00
REG_SZ, xrefs: 01030AD0

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: f262cc3520cbbd45a095e6b5896595a2445f3c38120433228cdaeddd09b12156
Instruction ID: 02c4b6799ed619acaac370702f494835dfc0af9fe40efcd636fc6d373442c7eb
Opcode Fuzzy Hash: f262cc3520cbbd45a095e6b5896595a2445f3c38120433228cdaeddd09b12156
Instruction Fuzzy Hash: 460257756046019FDB54EF29C885E6AB7E9FF89310F04885DF98A9B362CB74ED01CB81

Function 0101F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 0101F113
_wcscmp.LIBCMT ref: 0101F128
_wcscmp.LIBCMT ref: 0101F13F

Part of subcall function 01014385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 010143A0

FindNextFileW.KERNEL32(00000000,?), ref: 0101F16E
FindClose.KERNEL32(00000000), ref: 0101F179
FindFirstFileW.KERNEL32(*.*,?), ref: 0101F195
_wcscmp.LIBCMT ref: 0101F1BC
_wcscmp.LIBCMT ref: 0101F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 0101F1E5
SetCurrentDirectoryW.KERNEL32(01068920), ref: 0101F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 0101F20D
FindClose.KERNEL32(00000000), ref: 0101F21A
FindClose.KERNEL32(00000000), ref: 0101F22C

Strings

*.*, xrefs: 0101F190

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 2882f9299cba928b323b46a2553ab2c0438ebf72a0306d049d02cdc4d994ac1c
Instruction ID: 1269fe49bc3b29c2b1caed832b3ab550364db05b155efa7eb1a505ca557b2ba1
Opcode Fuzzy Hash: 2882f9299cba928b323b46a2553ab2c0438ebf72a0306d049d02cdc4d994ac1c
Instruction Fuzzy Hash: 5531483690020B7ADB20EEB8EC58EDE77AC9F45260F144196F980E3094DB39DA48CB65

Function 0101A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0101A20F
__swprintf.LIBCMT ref: 0101A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 0101A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0101A293
_memset.LIBCMT ref: 0101A2B2
_wcsncpy.LIBCMT ref: 0101A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0101A323
CloseHandle.KERNEL32(00000000), ref: 0101A32E
RemoveDirectoryW.KERNEL32(?), ref: 0101A337
CloseHandle.KERNEL32(00000000), ref: 0101A341

Strings

\??\%s, xrefs: 0101A22B
:, xrefs: 0101A252
\, xrefs: 0101A247

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 0d9684462a2df5dd57376532c228ac8087d4c0d4c742ecbad07ef0ae417c188e
Instruction ID: 7a9660d994a26ac232871e8f94a25595d12dc7d66544a098566dd7d96865cfa7
Opcode Fuzzy Hash: 0d9684462a2df5dd57376532c228ac8087d4c0d4c742ecbad07ef0ae417c188e
Instruction Fuzzy Hash: EC31F471A0024AABDB21DFA4DC49FEF37BCEF89700F1040A6FA48D2155E77992448B25

Function 00FC66E1 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

BSR_ANYCRLF), xrefs: 0100131E
UTF16), xrefs: 010010CF
LIMIT_MATCH=, xrefs: 01001170
UCP), xrefs: 0100110D
CR), xrefs: 01001287
UTF), xrefs: 010010FA
ANY), xrefs: 010012DE
NO_START_OPT), xrefs: 0100114F
ANYCRLF), xrefs: 010012FB
NO_AUTO_POSSESS), xrefs: 0100112E
LIMIT_RECURSION=, xrefs: 010011FC
CRLF), xrefs: 010012C1
LF), xrefs: 010012A4
BSR_UNICODE), xrefs: 01001338

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 8e957f8d1480ca2ec6ffbc10abea7eb78c66ef1b9d42ea93c81eb7a9c097bf48
Instruction ID: bd5aa9e980b798af6473c17c93106ac72aef840185f0eb7fa9a86ff82c817c3b
Opcode Fuzzy Hash: 8e957f8d1480ca2ec6ffbc10abea7eb78c66ef1b9d42ea93c81eb7a9c097bf48
Instruction Fuzzy Hash: A6729271E0421ADBEB15CF58C981BAEB7F5FF48310F1481AAE849EB291DB34D941DB90

Function 0101001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 01010097
SetKeyboardState.USER32(?), ref: 01010102
GetAsyncKeyState.USER32(000000A0), ref: 01010122
GetKeyState.USER32(000000A0), ref: 01010139
GetAsyncKeyState.USER32(000000A1), ref: 01010168
GetKeyState.USER32(000000A1), ref: 01010179
GetAsyncKeyState.USER32(00000011), ref: 010101A5
GetKeyState.USER32(00000011), ref: 010101B3
GetAsyncKeyState.USER32(00000012), ref: 010101DC
GetKeyState.USER32(00000012), ref: 010101EA
GetAsyncKeyState.USER32(0000005B), ref: 01010213
GetKeyState.USER32(0000005B), ref: 01010221

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: e9574f415c041cecfbf426f3827c39034407340d07104e5d1ea1c1e8cedcdf03
Instruction ID: 18fd8fc90b2cdc5be18c74a1644653161889ccfe3df503cb035209925f361c7c
Opcode Fuzzy Hash: e9574f415c041cecfbf426f3827c39034407340d07104e5d1ea1c1e8cedcdf03
Instruction Fuzzy Hash: 0F51D93090478959FB76DBB488147EABFF49F01280F0885DAE6C1565CFDAAC96CCC762

Function 010303DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01030E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0102FDAD,?,?), ref: 01030E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010304AC

Part of subcall function 00FB9837: __itow.LIBCMT ref: 00FB9862
Part of subcall function 00FB9837: __swprintf.LIBCMT ref: 00FB98AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0103054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 010305E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 01030822
RegCloseKey.ADVAPI32(00000000), ref: 0103082F

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 14d41d156872e9eb034d28528fdfac4c2b72aa19fc7ce64841b6fa2318efd563
Instruction ID: c20a7b79a86f3ae39154de833cbef459f6be6a7a62d8cf610130f029b605f0e6
Opcode Fuzzy Hash: 14d41d156872e9eb034d28528fdfac4c2b72aa19fc7ce64841b6fa2318efd563
Instruction Fuzzy Hash: A1E18F30604201AFCB14DF29C895E6ABBE9FF89310F04896DF58ADB265DB35E905CF52

Function 01024164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0102418B
EmptyClipboard.USER32 ref: 01024191
GlobalAlloc.KERNEL32(00000002,?), ref: 010241A6
CloseClipboard.USER32 ref: 01024245

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 2d917346a5afc644e163ba346ee6d22b7b7f43a785530bdadad85c22446e734f
Instruction ID: 9114c2fd712071029603c5c2fa7e936fe5f021db380c2a61ee2000b2bd5fc9a5
Opcode Fuzzy Hash: 2d917346a5afc644e163ba346ee6d22b7b7f43a785530bdadad85c22446e734f
Instruction Fuzzy Hash: 8A21A3357002119FDB21AF25DC09B6D7BACEF05711F10801AF9C6DB2A5DB79E801DB55

Function 010137EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FB4743,?,?,00FB37AE,?), ref: 00FB4770

Part of subcall function 01014A31: GetFileAttributesW.KERNEL32(?,0101370B), ref: 01014A32

FindFirstFileW.KERNEL32(?,?), ref: 010138A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0101394B
MoveFileW.KERNEL32(?,?), ref: 0101395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0101397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 0101399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 010139B9

Strings

\*.*, xrefs: 0101384E, 01013857, 0101386C

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: ac0dc4e0e2b9cba021a5f1e3a30f1231d362fffd233301d82735bdd7ef551687
Instruction ID: d1b7586df90f4bf0e6ff417da0f5df8ad50251bfaf971ed283081aa5563bb8e0
Opcode Fuzzy Hash: ac0dc4e0e2b9cba021a5f1e3a30f1231d362fffd233301d82735bdd7ef551687
Instruction Fuzzy Hash: B351A03180014D9ACF15FBA5DE929EDB7B9AF10310F6000A9E481BB199EF296F0DDF61

Function 0101F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB7DE1: _memmove.LIBCMT ref: 00FB7E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0101F440
Sleep.KERNEL32(0000000A), ref: 0101F470
_wcscmp.LIBCMT ref: 0101F484
_wcscmp.LIBCMT ref: 0101F49F
FindNextFileW.KERNEL32(?,?), ref: 0101F53D
FindClose.KERNEL32(00000000), ref: 0101F553

Strings

*.*, xrefs: 0101F425

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 88660f22bbbe8cc49febbc7beaad155215116c8cffe15b98592152940ca82f6b
Instruction ID: 017d3a373d4dc83a6e2019a6ed084ef15ac835ce999f59c7dbfb5e5092a66229
Opcode Fuzzy Hash: 88660f22bbbe8cc49febbc7beaad155215116c8cffe15b98592152940ca82f6b
Instruction Fuzzy Hash: D241917190020B9FDF54EF68DC44AEEBBB8FF04350F14409AE995A3291EB399A49CF51

Function 00FC5760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FC58A5
_memmove.LIBCMT ref: 00FC58F5
_memmove.LIBCMT ref: 00FC595B

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: afe01f00875c08d360028c3efab2bb127d4cd43f63f34d12b8c2b4edb7957a15
Instruction ID: 2e40261c3567026ee78388a20cfc5c231f166b99295003596ed212f11c9ca9f6
Opcode Fuzzy Hash: afe01f00875c08d360028c3efab2bb127d4cd43f63f34d12b8c2b4edb7957a15
Instruction Fuzzy Hash: FF12D070A0060ADFDF04DFA5C982BEEB7F6FF48340F104569E446A7294EB3AA950DB50

Function 01013B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FB4743,?,?,00FB37AE,?), ref: 00FB4770

Part of subcall function 01014A31: GetFileAttributesW.KERNEL32(?,0101370B), ref: 01014A32

FindFirstFileW.KERNEL32(?,?), ref: 01013B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 01013BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 01013BEA
FindClose.KERNEL32(00000000), ref: 01013C01
FindClose.KERNEL32(00000000), ref: 01013C0A

Strings

\*.*, xrefs: 01013B5B

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: c99d05f36e917c2d93aba9ebc4273876288e7eceb99586df5b6eccb99d04895b
Instruction ID: d2da06fb876e95c150f292f236cbca79ce6915f4fa8c2ea753302a5083d8f285
Opcode Fuzzy Hash: c99d05f36e917c2d93aba9ebc4273876288e7eceb99586df5b6eccb99d04895b
Instruction Fuzzy Hash: 343189310083859BC205FF29DC918EFBBE8BE91214F444E1DF4D586196EB29DA08DBA3

Function 010151BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 010087E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0100882B
Part of subcall function 010087E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01008858
Part of subcall function 010087E1: GetLastError.KERNEL32 ref: 01008865

ExitWindowsEx.USER32(?,00000000), ref: 010151F9

Strings

SeShutdownPrivilege, xrefs: 010151C9
, xrefs: 010151E7
@, xrefs: 010151EC

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 9e2b76e3d67185e129e6fd0a9d1b171193e368eff04975e88771e95861a645df
Instruction ID: 165097c12fcc90648f80a8e8934be378e746de8b12c91686113b3b20e8127d51
Opcode Fuzzy Hash: 9e2b76e3d67185e129e6fd0a9d1b171193e368eff04975e88771e95861a645df
Instruction Fuzzy Hash: 6001FC32B912126BF779516C9C8AFFB769CFB4B650F100455F9C3DA0C9D65D5C008590

Function 01026283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 010262DC
WSAGetLastError.WSOCK32(00000000), ref: 010262EB
bind.WSOCK32(00000000,?,00000010), ref: 01026307
listen.WSOCK32(00000000,00000005), ref: 01026316
WSAGetLastError.WSOCK32(00000000), ref: 01026330
closesocket.WSOCK32(00000000), ref: 01026344

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 18de244c0f9524af7aac8d58771d36928b28f489282184534b2172b5e26746bc
Instruction ID: 19371452557b3358d078c97d7de8c5c0a1f8a8d77e5abb4a583281b0610f5b34
Opcode Fuzzy Hash: 18de244c0f9524af7aac8d58771d36928b28f489282184534b2172b5e26746bc
Instruction Fuzzy Hash: 2021D031600212AFCB10EF68C845AAEB7F9EF49720F148158ED96A73D1CB75AD05DB52

Function 00FC5520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00FD0DB6: std::exception::exception.LIBCMT ref: 00FD0DEC
Part of subcall function 00FD0DB6: __CxxThrowException@8.LIBCMT ref: 00FD0E01

_memmove.LIBCMT ref: 01000258
_memmove.LIBCMT ref: 0100036D
_memmove.LIBCMT ref: 01000414

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: e52384effb65433e7a34f4772304ac3c0b2cc627abd71916534aaad2fba579b7
Instruction ID: 362d914d1152d8b767b7c14254340ead634d76549961f941778474ed63a68a65
Opcode Fuzzy Hash: e52384effb65433e7a34f4772304ac3c0b2cc627abd71916534aaad2fba579b7
Instruction Fuzzy Hash: 0002BF70A0020ADBDF05DF64D982BAE7BB5EF84340F1480A9F846DB395EB35E950DB91

Function 00FB1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00FB2612: GetWindowLongW.USER32(?,000000EB), ref: 00FB2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00FB19FA
GetSysColor.USER32(0000000F), ref: 00FB1A4E
SetBkColor.GDI32(?,00000000), ref: 00FB1A61

Part of subcall function 00FB1290: DefDlgProcW.USER32(?,00000020,?), ref: 00FB12D8

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: e9eff68edeb2d9bf4ec53643943f9a8facba3e9b6579b7590708167e877b6c16
Instruction ID: 838bb774bc59894b12896ba34361aeaaa50d16aedc10fbe05d0e4d9d9a4a7863
Opcode Fuzzy Hash: e9eff68edeb2d9bf4ec53643943f9a8facba3e9b6579b7590708167e877b6c16
Instruction Fuzzy Hash: D2A16D72502586BAE638AA2B5C7CFFF355DFB82361B94011AF542E1181CA1DAD01FFB1

Function 01026747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 01027D8B: inet_addr.WSOCK32(00000000), ref: 01027DB6

socket.WSOCK32(00000002,00000002,00000011), ref: 0102679E
WSAGetLastError.WSOCK32(00000000), ref: 010267C7
bind.WSOCK32(00000000,?,00000010), ref: 01026800
WSAGetLastError.WSOCK32(00000000), ref: 0102680D
closesocket.WSOCK32(00000000), ref: 01026821

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: fe15841f1f2629a7fbed9c363b611a163f88b226efb3a7e47435e0228d792b0d
Instruction ID: 2e2475175fda0481eb17a83246cc8e3429dc846540eacf6ff7925fd10566cec5
Opcode Fuzzy Hash: fe15841f1f2629a7fbed9c363b611a163f88b226efb3a7e47435e0228d792b0d
Instruction Fuzzy Hash: AE411571A002106FDB10BF258C82FAE77E8EF49710F44845CFA45AB3C2CAB99D019B91

Function 01035376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 010353C5
IsWindowEnabled.USER32 ref: 010353D3
GetForegroundWindow.USER32(?,?,00000001), ref: 010353E0
IsIconic.USER32 ref: 010353EE
IsZoomed.USER32 ref: 010353FC

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: ca01a93d46925f259376030fea3eb67b1363c2f0993f28423fca7436fe00ada3
Instruction ID: 2232bdb3e330c85f2b330a363e86459cafd6584ff0087b2cc0697fdb55a3fe13
Opcode Fuzzy Hash: ca01a93d46925f259376030fea3eb67b1363c2f0993f28423fca7436fe00ada3
Instruction Fuzzy Hash: 2111C4317005126FEB215F2ADC44AAEBBEDFF85761F408029F9C5D3251CBB5D9018AA1

Function 0100810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 01008121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0100812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0100813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 01008141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01008157

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: cee6d02a6a790566077d38be34d7cf6dbdeda368868dfd54a8ebcc0a665a950b
Instruction ID: 48eaa0e91ca55620c0d6d7f1e486f1c6e6142fb2298c4168c904f569e3a16d3f
Opcode Fuzzy Hash: cee6d02a6a790566077d38be34d7cf6dbdeda368868dfd54a8ebcc0a665a950b
Instruction Fuzzy Hash: 38F0C270A00305BFFB621FA9EC88EA73BACFF4A654F004016F9C5C2190DB66D814DB61

Function 0101C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0101C432
CoCreateInstance.OLE32(01042D6C,00000000,00000001,01042BDC,?), ref: 0101C44A

Part of subcall function 00FB7DE1: _memmove.LIBCMT ref: 00FB7E22

CoUninitialize.OLE32 ref: 0101C6B7

Strings

.lnk, xrefs: 0101C3C6, 0101C3EE, 0101C3F8

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: b47813fdeaf15a4260282747b1b82a131b2d8e6c7dd38afb0f7f0a12eb89b08a
Instruction ID: 61fce228246b9968b1c14cf3e38565ae6657e4833b25c83ceaf859b6e7a259cf
Opcode Fuzzy Hash: b47813fdeaf15a4260282747b1b82a131b2d8e6c7dd38afb0f7f0a12eb89b08a
Instruction Fuzzy Hash: 32A12A71208205AFD700EF55CC81EABB7ECEF99354F00491DF2959B1A1DBB5EA09CB52

Function 00FB4B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00FB4AD0), ref: 00FB4B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00FB4B57

Strings

GetNativeSystemInfo, xrefs: 00FB4B51
kernel32.dll, xrefs: 00FB4B40

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: c897fa85a009de81fad3150b0474216441bcdfccb53c6e3b0356715b8fb47d77
Instruction ID: 9e83e8f5d5509095cac862b4d9347181671a7a5055823c46fdfd773f21f39b75
Opcode Fuzzy Hash: c897fa85a009de81fad3150b0474216441bcdfccb53c6e3b0356715b8fb47d77
Instruction Fuzzy Hash: 61D01274E10713CFDB209F33E928B46B6D8AF86251B11C82D94C5D6110D774E880CB55

Function 00FC3030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 537a2fa451dce0392e13df0bfefe2eb28097b790420f20f5cede97228d98f295
Instruction ID: b0ecdaba71d911125715d1ef952d68f76198664881a204b295b38e43781dbc50
Opcode Fuzzy Hash: 537a2fa451dce0392e13df0bfefe2eb28097b790420f20f5cede97228d98f295
Instruction Fuzzy Hash: 2D22D072A083029FC724DF24C981FAFB7E5AF84750F04891DF58A97291DB75E904EB92

Function 0102EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0102EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 0102EE4B

Part of subcall function 00FB7DE1: _memmove.LIBCMT ref: 00FB7E22

Process32NextW.KERNEL32(00000000,?), ref: 0102EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0102EF1A

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: c9eef224bd714102fdaba854d93f69c54d6b0670cdf938c8b2a130e1331ac328
Instruction ID: e41c7c1597e8182b4cee46ef53b95ab68d8af42de8fdd86481e780fe5b231f6f
Opcode Fuzzy Hash: c9eef224bd714102fdaba854d93f69c54d6b0670cdf938c8b2a130e1331ac328
Instruction Fuzzy Hash: F2519F71508311AFD320EF25DC81EABBBE8EF88750F50491DF595972A1EB74E908CB92

Function 0100E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0100E628

Strings

|, xrefs: 0100E658
(, xrefs: 0100E66E

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: fdbded51f20bbc56946db8963457df95282526c11d0ebd09c350cc754c91fdf2
Instruction ID: e9d1357e04ea901dbc236e24b014a207441d445addd96365d4278df73cf0eb7b
Opcode Fuzzy Hash: fdbded51f20bbc56946db8963457df95282526c11d0ebd09c350cc754c91fdf2
Instruction Fuzzy Hash: 3A322675A007059FE729CF19D48096AB7F1FF48320F15C8AEE99ADB3A1DB70A941CB40

Function 010222EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0102180A,00000000), ref: 010223E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 01022418

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 42b6b1f99bb882f7802ef9cb4da6289985cb0d36fdab1681eb4c86357c829523
Instruction ID: a2d62e6b68e6e6222d18aacb20cf639d3a36ffd111558247651ff59345b445c7
Opcode Fuzzy Hash: 42b6b1f99bb882f7802ef9cb4da6289985cb0d36fdab1681eb4c86357c829523
Instruction Fuzzy Hash: 0841D371904219BFEB21DED9DC81FBFBBFDEB40714F0080AAF681A6241DB719E419660

Function 0101B333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0101B343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0101B39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0101B3EA

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 8222557f462cc88b8b48f1b1f22f8e77203cdc7807fae6dbbc8085771132c17a
Instruction ID: c30f9d8092c977fb4c640e66b8a056b19c53fee0e9e669c6b2831a98cc03b269
Opcode Fuzzy Hash: 8222557f462cc88b8b48f1b1f22f8e77203cdc7807fae6dbbc8085771132c17a
Instruction Fuzzy Hash: 4D215C35A00108EFCB00EFA5D880AEEBBB8FF49314F0480AAE945AB355CB35E915DF51

Function 010087E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00FD0DB6: std::exception::exception.LIBCMT ref: 00FD0DEC
Part of subcall function 00FD0DB6: __CxxThrowException@8.LIBCMT ref: 00FD0E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0100882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01008858
GetLastError.KERNEL32 ref: 01008865

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: beb594f12b984a272d4e7e88c8ace6b32a8cf43b0f05f7f747dfdd77632ba611
Instruction ID: ff1b16ba2ce7c0bad9e2dd62cd56f340d9db0123d2a81c27f1a3d16cd241a6b4
Opcode Fuzzy Hash: beb594f12b984a272d4e7e88c8ace6b32a8cf43b0f05f7f747dfdd77632ba611
Instruction Fuzzy Hash: 0C119DB2804205AFE728DFA4EC85D6BB7FDFB04310B14C52FF49583241EA34A8008B60

Function 0100874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 01008774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0100878B
FreeSid.ADVAPI32(?), ref: 0100879B

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 96c47708eb1fa5443ab5a6137a9148b0b8c9712000c1f80f9a04d0e17a62561d
Instruction ID: 2f16b3f5ea5f733014968a87cd804cc176ca7ed428e7cc5b3ee976a4bcfc8ff7
Opcode Fuzzy Hash: 96c47708eb1fa5443ab5a6137a9148b0b8c9712000c1f80f9a04d0e17a62561d
Instruction Fuzzy Hash: CCF04F75D1130DBFDF04DFF4DD89AADBBBCFF08201F0044A9A505E2180D6755A148B51

Function 0101C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0101C6FB
FindClose.KERNEL32(00000000), ref: 0101C72B

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d72d8034171d5841d4fa9c345e59ba68a0bdd9811ddb16ac9739016d9d918a85
Instruction ID: 5009af355e89fa326d021bba3800ee587a38944ad627f8d9dadb50dbdb815292
Opcode Fuzzy Hash: d72d8034171d5841d4fa9c345e59ba68a0bdd9811ddb16ac9739016d9d918a85
Instruction Fuzzy Hash: 7F11AD726042019FDB10EF29D885A6AF7E9FF85320F00851EF9A9C7290DB74E801CF81

Function 0101A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,01029468,?,0103FB84,?), ref: 0101A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,01029468,?,0103FB84,?), ref: 0101A0A9

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 37c4c918c31350dabddd8690cdf4cd88d37c0eb13c00848825d2335e707a62b1
Instruction ID: 1d401aa4afa63b9f14148c02add6a18bf50b75dd5534e99bcbaa247d575b26a0
Opcode Fuzzy Hash: 37c4c918c31350dabddd8690cdf4cd88d37c0eb13c00848825d2335e707a62b1
Instruction Fuzzy Hash: 22F0823560532DEBDB21AEA5CC48FEE776CBF08361F008155F949D7185D6749940CBA1

Function 010081CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,01008309), ref: 010081E0
CloseHandle.KERNEL32(?,?,01008309), ref: 010081F2

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 7ef6465cf5c0b3a535ffd1be716f79f70c6b4266e6f68624a7432390dd641c10
Instruction ID: 2d19519f8361e3e2487d050a8465542a6836222c3ef5384651663e9735e882f0
Opcode Fuzzy Hash: 7ef6465cf5c0b3a535ffd1be716f79f70c6b4266e6f68624a7432390dd641c10
Instruction Fuzzy Hash: F2E0BF71410511AEE7252B74EC05E777BEEEF04210B14885AB99584474DB665C91EB10

Function 00FDA155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00FD8D57,?,?,?,00000001), ref: 00FDA15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00FDA163

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6ee60dc78479c66fb31e9d67486c6114509427a938d23cf4a4ddec0e828a614b
Instruction ID: 910a67c1ed4702fdc1299d7f7fb85715af691eeba3571fe2a02daa7a4a5aa02b
Opcode Fuzzy Hash: 6ee60dc78479c66fb31e9d67486c6114509427a938d23cf4a4ddec0e828a614b
Instruction Fuzzy Hash: 2FB0923145420AABCA102B91E809B8A3F6CEB45AA2F408010F64D85054CBE754508B92

Function 00FDF1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5faa9d4f6fcef598726002b9f50658c617e4daa119ba608f1b0524c8ed027731
Instruction ID: 2c1e7b6cc4952c33472fc996c3d8536c232700c5c8f16d5291d23fe4886c2aa5
Opcode Fuzzy Hash: 5faa9d4f6fcef598726002b9f50658c617e4daa119ba608f1b0524c8ed027731
Instruction Fuzzy Hash: 91325576D29F014ED7239534C972335A249AFB73D4F18C737F81AB5A9AEB2AC4835201

Function 00FE242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2491a5163dc8d85bbf3049c00523b0f7065a8786de7eb69b2990cc907622dcb
Instruction ID: 91b61fd8ee97109e2c014c2cd392af723518562e999499bda7e3bcc9812e80ca
Opcode Fuzzy Hash: c2491a5163dc8d85bbf3049c00523b0f7065a8786de7eb69b2990cc907622dcb
Instruction Fuzzy Hash: EBB1FE74E6AF408ED22396398971336B64CAFBB2C6B51D71BFC6771D16FB2681834240

Function 01018889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0101889B

Part of subcall function 00FD520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,01018F6E,00000000,?,?,?,?,0101911F,00000000,?), ref: 00FD5213
Part of subcall function 00FD520A: __aulldiv.LIBCMT ref: 00FD5233

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 282628ad500aff963b3f88140fe78c38f8da5b639a1cb0c4e171bad2e5b59bd7
Instruction ID: f3c2850a5165f03b24eff3823c31b5473ebb0be0870311d1c603487066ae49d4
Opcode Fuzzy Hash: 282628ad500aff963b3f88140fe78c38f8da5b639a1cb0c4e171bad2e5b59bd7
Instruction Fuzzy Hash: 6F21E432A355108BD329CF29D440B52B3E1EFA5311F288E6DD4F6CB2C4CA39B905DB54

Function 01014C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 01014C4A

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: f3335136ab727e866474ec0ccdae75c6c4594694d88ecddb9c2a318b9cbcd15d
Instruction ID: 3b31ca7acd6be3c5c68881712845a813101807784b040312be076f15c32e11cb
Opcode Fuzzy Hash: f3335136ab727e866474ec0ccdae75c6c4594694d88ecddb9c2a318b9cbcd15d
Instruction Fuzzy Hash: 7BD017A116420E68F8EC0B249A2FF7A15C9F300792FC881896281CA0E9EA8858404131

Function 010087B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,01008389), ref: 010087D1

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 624c09b0783eb00a9836213dc5724cdb86da994297a4eac2107d77cf3182f3ec
Instruction ID: 2845407d9db0b3e409ba59a2f82432e17ef5742b7f0bef3124fa1e67cedd19a1
Opcode Fuzzy Hash: 624c09b0783eb00a9836213dc5724cdb86da994297a4eac2107d77cf3182f3ec
Instruction Fuzzy Hash: 16D05E3226450EABEF018EA8DC01EAE3B69EB04B01F408111FE15C5090C776D835AF60

Function 00FDA124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00FDA12A

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0f906fef6510d2ad785d9f7a095612f8f0a6a1baa7975b1acea722e79e221bad
Instruction ID: b38d0f33fc710034158459209b1c57c3138aa0f88e1a3fe001782467ac026eb1
Opcode Fuzzy Hash: 0f906fef6510d2ad785d9f7a095612f8f0a6a1baa7975b1acea722e79e221bad
Instruction Fuzzy Hash: 24A0243000010DF7CF001F41FC044457F5CD7011D0700C010F40C41011C7F3541047C1

Function 00FC8808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c9ebd2a68b593d47b97da1c661903411cff0e0fa55b2c7e2159d1db1f51879
Instruction ID: 76fa0bc107e280f60e602fd6f39eed61cdee0338f1704c1125f2c04f9ee88d97
Opcode Fuzzy Hash: a0c9ebd2a68b593d47b97da1c661903411cff0e0fa55b2c7e2159d1db1f51879
Instruction Fuzzy Hash: 9A2236309041579BEF398A18C995B7CB7E1FF41394F28806ED582C79D2DB389D92EB41

Function 00FD21C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 9fcbab0511311cec018ffc6258d5dd0b767293ebd8c3c6c728fb244dfbbabc34
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 28C184326051930ADB6D4739843453EFAA36EA27B131E075FD8B2CB3D5EF20C925E660

Function 00FD25FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: adfe98766d62436a3e101aa872c3e29059fe9cb8c7bcd15555f035675be3deec
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 9FC1533360519309DB6D4639847413EBAA36EA27B131E076FD4B2DB3D5EF20C925F660

Function 00FD1978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: d7baae20b63e4191baeace25f1bd64f1e6635891c5a86efb26850ede8597ace0
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 39C1713260919319DF2D4739847417EBAA36EA27B131E076FD4B2CB3D5EF20C965E620

Function 013021D8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532892118.00000000012FE000.00000040.00000020.00020000.00000000.sdmp, Offset: 012FE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fe000_oEQp0EklDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: fb1ff13a7be992cd310174c744ebdf30a3d0a00033c567143d9976ef917dcd07
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: C241C271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB80

Function 01302068 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532892118.00000000012FE000.00000040.00000020.00020000.00000000.sdmp, Offset: 012FE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fe000_oEQp0EklDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 8a8b51b9b3683037a46bba916dc449d3ee8b64f0bc1f2292799308c305ccc22d
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: A601A478A10209EFCB45DF98C5909AEF7F6FF48314F208599D809A7745D731AE41DB80

Function 013020C8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532892118.00000000012FE000.00000040.00000020.00020000.00000000.sdmp, Offset: 012FE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fe000_oEQp0EklDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: e4ec8d030d9abff9559389acf9fed35d43a1f5b29953fd82a24331e8a6813117
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: C601A478A00209EFCB49DF99C5909AEF7F6FF48314F208699E909A7745D730AE51DB80

Function 01300A28 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532892118.00000000012FE000.00000040.00000020.00020000.00000000.sdmp, Offset: 012FE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fe000_oEQp0EklDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 01027806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0102785B
DeleteObject.GDI32(00000000), ref: 0102786D
DestroyWindow.USER32 ref: 0102787B
GetDesktopWindow.USER32 ref: 01027895
GetWindowRect.USER32(00000000), ref: 0102789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 010279DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 010279ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01027A35
GetClientRect.USER32(00000000,?), ref: 01027A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 01027A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01027A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01027AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01027ABB
GlobalLock.KERNEL32(00000000), ref: 01027AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01027AD3
GlobalUnlock.KERNEL32(00000000), ref: 01027ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01027AE3
GlobalFree.KERNEL32(00000000), ref: 01027AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01027B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,01042CAC,00000000), ref: 01027B16
GlobalFree.KERNEL32(00000000), ref: 01027B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 01027B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 01027B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01027B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01027D7A

Strings

DISPLAY, xrefs: 01027BDD
, xrefs: 01027D00
AutoIt v3, xrefs: 01027A2D
static, xrefs: 01027A75, 01027BCC

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 1759ea3881c8e5930c8bd0980e84d727e32c0a1a64d4bd2c141577a3d9c55e48
Instruction ID: 5751182ceca86d0a3f6146c358dbb056fbc1c91d52cc3d1a4ddf830c71ef653b
Opcode Fuzzy Hash: 1759ea3881c8e5930c8bd0980e84d727e32c0a1a64d4bd2c141577a3d9c55e48
Instruction Fuzzy Hash: BB027D71A00215EFDB14DFA8DC89EAE7BB9FB49310F148159F945AB2A0C775AD01CB60

Function 0103356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0103F910), ref: 01033627
IsWindowVisible.USER32(?), ref: 0103364B

Strings

EDITPASTE, xrefs: 0103395F
ISVISIBLE, xrefs: 01033637
SELECTSTRING, xrefs: 01033806
HIDEDROPDOWN, xrefs: 01033700
DELSTRING, xrefs: 01033749
CHECK, xrefs: 0103386D
GETLINECOUNT, xrefs: 010338C6
GETCURRENTLINE, xrefs: 010338ED
TABRIGHT, xrefs: 0103369D
GETCURRENTSELECTION, xrefs: 010337E3
UNCHECK, xrefs: 01033883
ISENABLED, xrefs: 0103366B
TABLEFT, xrefs: 01033687
GETSELECTED, xrefs: 010338A3
FINDSTRING, xrefs: 01033776
SHOWDROPDOWN, xrefs: 010336E0
SETCURRENTSELECTION, xrefs: 010337B6
CURRENTTAB, xrefs: 010336BD
ADDSTRING, xrefs: 01033716
GETLINE, xrefs: 0103399B
SENDCOMMANDID, xrefs: 010339DA
ISCHECKED, xrefs: 01033839
GETCURRENTCOL, xrefs: 01033928

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 60eebde45f81d467507eadb1f7ea405172c5f1436aadb2ee65af917c1d431d83
Instruction ID: 4b34900ffb91cb2bf34fde5d94bb577c813a54396aa5ab0a706c1d6c31de38b9
Opcode Fuzzy Hash: 60eebde45f81d467507eadb1f7ea405172c5f1436aadb2ee65af917c1d431d83
Instruction Fuzzy Hash: 0AD192306083019FDA14EF14C891AAE7BEABF95354F048459F9C65F7E2CB39E90ADB41

Function 0103A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0103A630
GetSysColorBrush.USER32(0000000F), ref: 0103A661
GetSysColor.USER32(0000000F), ref: 0103A66D
SetBkColor.GDI32(?,000000FF), ref: 0103A687
SelectObject.GDI32(?,00000000), ref: 0103A696
InflateRect.USER32(?,000000FF,000000FF), ref: 0103A6C1
GetSysColor.USER32(00000010), ref: 0103A6C9
CreateSolidBrush.GDI32(00000000), ref: 0103A6D0
FrameRect.USER32(?,?,00000000), ref: 0103A6DF
DeleteObject.GDI32(00000000), ref: 0103A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 0103A731
FillRect.USER32(?,?,00000000), ref: 0103A763
GetWindowLongW.USER32(?,000000F0), ref: 0103A78E

Part of subcall function 0103A8CA: GetSysColor.USER32(00000012), ref: 0103A903
Part of subcall function 0103A8CA: SetTextColor.GDI32(?,?), ref: 0103A907
Part of subcall function 0103A8CA: GetSysColorBrush.USER32(0000000F), ref: 0103A91D
Part of subcall function 0103A8CA: GetSysColor.USER32(0000000F), ref: 0103A928
Part of subcall function 0103A8CA: GetSysColor.USER32(00000011), ref: 0103A945
Part of subcall function 0103A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0103A953
Part of subcall function 0103A8CA: SelectObject.GDI32(?,00000000), ref: 0103A964
Part of subcall function 0103A8CA: SetBkColor.GDI32(?,00000000), ref: 0103A96D
Part of subcall function 0103A8CA: SelectObject.GDI32(?,?), ref: 0103A97A
Part of subcall function 0103A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0103A999
Part of subcall function 0103A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0103A9B0
Part of subcall function 0103A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0103A9C5
Part of subcall function 0103A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0103A9ED

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: ae8954e6fce8a40e4251da483bdcb560c7aa62b5cef65387ed00b2c1feb4ced6
Instruction ID: e222b7c0ba6d42b86b85631792f04fe183f1789f725fdd4dfcaafb3e89bde423
Opcode Fuzzy Hash: ae8954e6fce8a40e4251da483bdcb560c7aa62b5cef65387ed00b2c1feb4ced6
Instruction Fuzzy Hash: 97917C72908302FFD7219F64DC48A5BBBADFB89321F000A19F6E2D61D0D776D9448B52

Function 00FB2C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00FB2CA2
DeleteObject.GDI32(00000000), ref: 00FB2CE8
DeleteObject.GDI32(00000000), ref: 00FB2CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00FB2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00FB2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00FEC43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00FEC474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00FEC89D

Part of subcall function 00FB1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FB2036,?,00000000,?,?,?,?,00FB16CB,00000000,?), ref: 00FB1B9A

SendMessageW.USER32(?,00001053), ref: 00FEC8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00FEC8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00FEC907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00FEC912

Strings

0, xrefs: 00FEC731

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 48f20197ac122100a1ca15ee689f593e6589417eb365a9934286da0ba9a03945
Instruction ID: 84ae57f73485cf3a083c2a24ac94b0f8cd31ae59577425c15893b22911e5dde2
Opcode Fuzzy Hash: 48f20197ac122100a1ca15ee689f593e6589417eb365a9934286da0ba9a03945
Instruction Fuzzy Hash: F912AF70A00242DFDB65CF26C884BA9BBE5FF45320F544569F999CB262C731E842EF91

Function 010274AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 010274DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0102759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 010275DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 010275ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 01027633
GetClientRect.USER32(00000000,?), ref: 0102763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 01027683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 01027692
GetStockObject.GDI32(00000011), ref: 010276A2
SelectObject.GDI32(00000000,00000000), ref: 010276A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 010276B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 010276BF
DeleteDC.GDI32(00000000), ref: 010276C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 010276F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 0102770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 01027746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0102775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 0102776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0102779B
GetStockObject.GDI32(00000011), ref: 010277A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 010277B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 010277BB

Strings

DISPLAY, xrefs: 01027688
AutoIt v3, xrefs: 0102762B
msctls_progress32, xrefs: 0102773C
static, xrefs: 0102767D, 01027795

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 8b4943be271c521fa0e91c77e39621ffc73f2c0f9637bc91e54a1ff61ac54071
Instruction ID: 514ad9b864fe0104abc78ef358b4c27aec486c7fef4d4e285e0ad8037354638c
Opcode Fuzzy Hash: 8b4943be271c521fa0e91c77e39621ffc73f2c0f9637bc91e54a1ff61ac54071
Instruction Fuzzy Hash: 18A160B1A00215BFEB24DBA5DC4AFAEBBBDEB05710F008114FA54A72D0C7B5AD01CB60

Function 0101AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0101AD1E
GetDriveTypeW.KERNEL32(?,0103FAC0,?,\\.\,0103F910), ref: 0101ADFB
SetErrorMode.KERNEL32(00000000,0103FAC0,?,\\.\,0103F910), ref: 0101AF59

Strings

Removable, xrefs: 0101AE4D
SSA, xrefs: 0101AEE2
ATAPI, xrefs: 0101AECD
\\.\, xrefs: 0101AD70
Fixed, xrefs: 0101AE43
SSD, xrefs: 0101AE86
SCSI, xrefs: 0101AEC6
CDROM, xrefs: 0101AE2F
Network, xrefs: 0101AE39
PhysicalDrive, xrefs: 0101ADA7
Unknown, xrefs: 0101AE1B, 0101AEBF
ATA, xrefs: 0101AED4
SATA, xrefs: 0101AF0C
Fibre, xrefs: 0101AEE9
Virtual, xrefs: 0101AF21
MMC, xrefs: 0101AF1A
USB, xrefs: 0101AEF0
RAID, xrefs: 0101AEF7
1394, xrefs: 0101AEDB
iSCSI, xrefs: 0101AEFE
FileBackedVirtual, xrefs: 0101AF28
SAS, xrefs: 0101AF05
RAMDisk, xrefs: 0101AE25

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 7fdfa6097e40a40a8a461fb4633d61d22634baf0ab705b5cfde2d4ea15efad1c
Instruction ID: 1166b55f4d95373dc2f51b396167a20c4030badc3b218d8253417174615b88cc
Opcode Fuzzy Hash: 7fdfa6097e40a40a8a461fb4633d61d22634baf0ab705b5cfde2d4ea15efad1c
Instruction Fuzzy Hash: 5151D3F074A345EBCB10EB96C992DBD77E8EB48600B10805FE8C7AB2D8C679D905DB41

Function 00FB68DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00FB6931
__wcsnicmp.LIBCMT ref: 00FB6949
__wcsnicmp.LIBCMT ref: 00FB6961
__wcsnicmp.LIBCMT ref: 00FB6979
__wcsnicmp.LIBCMT ref: 00FB6991
__wcsnicmp.LIBCMT ref: 00FB69A9
__wcsnicmp.LIBCMT ref: 00FB69C1
__wcsnicmp.LIBCMT ref: 00FB69D5
__wcsnicmp.LIBCMT ref: 00FB6A16
__wcsnicmp.LIBCMT ref: 00FB6A2A
__wcsnicmp.LIBCMT ref: 00FB6A3E
__wcsnicmp.LIBCMT ref: 00FB6A52

Strings

#comments-start, xrefs: 00FB69BB, 00FB6A10
#notrayicon, xrefs: 00FB6943
#cs, xrefs: 00FB69CF, 00FB6A24
#requireadmin, xrefs: 00FB695B
#comments-end, xrefs: 00FB6A38
#ce, xrefs: 00FB6A4C
Bad directive syntax error, xrefs: 00FEE31A
#pragma compile, xrefs: 00FB692B
Cannot parse #include, xrefs: 00FEE3F0
#OnAutoItStartRegister, xrefs: 00FB6973
Unterminated group of comments, xrefs: 00FEE403
#include, xrefs: 00FB69A3
#include-once, xrefs: 00FB698B

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 7920b1ee7a49764ae146422a7362918f768957ab1f2bcda174c14a34e7ad4423
Instruction ID: e09797074a728e6e12aabb45cbbbb7bb6d14ce7a6aeb39bc01738820a6fd8f4a
Opcode Fuzzy Hash: 7920b1ee7a49764ae146422a7362918f768957ab1f2bcda174c14a34e7ad4423
Instruction Fuzzy Hash: CB8118B1A00205ABCF20AB63EC42FFE376DAF15710F044025F945EA192EB68DE55FA61

Function 01039A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 01039AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 01039B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 01039BA7

Strings

0, xrefs: 01039BE4

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 40218f6b8c05e868bd26025d654e2f5648797b127365c3d53b083749fa3f88eb
Instruction ID: fe2d65e8e42f5260965b27a76ebf47480c10dba075c800d3dba21e340fc0712c
Opcode Fuzzy Hash: 40218f6b8c05e868bd26025d654e2f5648797b127365c3d53b083749fa3f88eb
Instruction Fuzzy Hash: 1D02E130604301AFEB658F29C849BABBFE9FF89308F04455CF6D5962A1C7B5D844CB52

Function 0103A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0103A903
SetTextColor.GDI32(?,?), ref: 0103A907
GetSysColorBrush.USER32(0000000F), ref: 0103A91D
GetSysColor.USER32(0000000F), ref: 0103A928
CreateSolidBrush.GDI32(?), ref: 0103A92D
GetSysColor.USER32(00000011), ref: 0103A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0103A953
SelectObject.GDI32(?,00000000), ref: 0103A964
SetBkColor.GDI32(?,00000000), ref: 0103A96D
SelectObject.GDI32(?,?), ref: 0103A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 0103A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0103A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 0103A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0103A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0103AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 0103AA32
DrawFocusRect.USER32(?,?), ref: 0103AA3D
GetSysColor.USER32(00000011), ref: 0103AA4B
SetTextColor.GDI32(?,00000000), ref: 0103AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0103AA67
SelectObject.GDI32(?,0103A5FA), ref: 0103AA7E
DeleteObject.GDI32(?), ref: 0103AA89
SelectObject.GDI32(?,?), ref: 0103AA8F
DeleteObject.GDI32(?), ref: 0103AA94
SetTextColor.GDI32(?,?), ref: 0103AA9A
SetBkColor.GDI32(?,?), ref: 0103AAA4

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: ed5a2323dfedc556bd674a4156322f9eab13d5f8027519f6d6a3194204b801bb
Instruction ID: 72886f9ff2d8f4ab357d5e39be6049bb5ee88de2bdda9412be36f3bb977ac443
Opcode Fuzzy Hash: ed5a2323dfedc556bd674a4156322f9eab13d5f8027519f6d6a3194204b801bb
Instruction Fuzzy Hash: B1516E71D00209FFDB119FA8DC48EAE7BBDEB48320F114516FA91AB291D7769940DB50

Function 010389D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 01038AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01038AD2
CharNextW.USER32(0000014E), ref: 01038B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01038B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01038B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01038B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 01038B86
SetWindowTextW.USER32(?,0000014E), ref: 01038BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 01038BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 01038C1F
_memset.LIBCMT ref: 01038C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 01038C8D
_memset.LIBCMT ref: 01038CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 01038D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 01038D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 01038E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 01038E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01038E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01038EB4
DrawMenuBar.USER32(?), ref: 01038EC3
SetWindowTextW.USER32(?,0000014E), ref: 01038EEB

Strings

0, xrefs: 01038E55

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: c2ebde48c60f0b9693b2882e2eca39c780b959b5e98a5a6eaf19c879ee485830
Instruction ID: e77232d73dfe9bcf504856a0e82ca0fd4fadefc124eb19e5e732b5115007794f
Opcode Fuzzy Hash: c2ebde48c60f0b9693b2882e2eca39c780b959b5e98a5a6eaf19c879ee485830
Instruction Fuzzy Hash: 8DE19370900209AFEF209F65CC84EEE7BBDFF49710F008296FA95AA291D7758581DF61

Function 0103488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 010349CA
GetDesktopWindow.USER32 ref: 010349DF
GetWindowRect.USER32(00000000), ref: 010349E6
GetWindowLongW.USER32(?,000000F0), ref: 01034A48
DestroyWindow.USER32(?), ref: 01034A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 01034A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01034ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 01034AE1
SendMessageW.USER32(?,00000421,?,?), ref: 01034AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 01034B09
IsWindowVisible.USER32(?), ref: 01034B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 01034B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 01034B58
GetWindowRect.USER32(?,?), ref: 01034B70
MonitorFromPoint.USER32(?,?,00000002), ref: 01034B96
GetMonitorInfoW.USER32(00000000,?), ref: 01034BB0
CopyRect.USER32(?,?), ref: 01034BC7
SendMessageW.USER32(?,00000412,00000000), ref: 01034C32

Strings

0, xrefs: 01034975
(, xrefs: 01034BA3
tooltips_class32, xrefs: 01034A96

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: bab603f2c7502cd7e448a3f8b9c5a69c469431d1aa75fab312ef1bf49391fe9b
Instruction ID: cdbb3f370e617a0c3acab4eb120666ea339010a2b85ff20002532fe4b84711e7
Opcode Fuzzy Hash: bab603f2c7502cd7e448a3f8b9c5a69c469431d1aa75fab312ef1bf49391fe9b
Instruction Fuzzy Hash: 61B19A70608341AFDB44DF69C844B6ABBE8FF88314F00891DF6D99B291D775E805CB96

Function 0101449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 010144AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 010144D2
_wcscpy.LIBCMT ref: 01014500
_wcscmp.LIBCMT ref: 0101450B
_wcscat.LIBCMT ref: 01014521
_wcsstr.LIBCMT ref: 0101452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 01014548
_wcscat.LIBCMT ref: 01014591
_wcscat.LIBCMT ref: 01014598
_wcsncpy.LIBCMT ref: 010145C3

Strings

StringFileInfo\, xrefs: 0101451B
%u.%u.%u.%u, xrefs: 01014626
DefaultLangCodepage, xrefs: 010145AB
\VarFileInfo\Translation, xrefs: 01014540
04090000, xrefs: 0101457E

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 16c13ecabe26da0b0c4f305a73a6b0d11ef1303bcec23caa7106b8645e4beddd
Instruction ID: aa6679ed63f09d68b162ab0044e61f97622970195701f57d8b5879dc5cfe7c98
Opcode Fuzzy Hash: 16c13ecabe26da0b0c4f305a73a6b0d11ef1303bcec23caa7106b8645e4beddd
Instruction Fuzzy Hash: 46413771A002027BDB11AB758C07FBF77ADEF45310F08055BF944E6292EF3D9A01A6A6

Function 00FB27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FB28BC
GetSystemMetrics.USER32(00000007), ref: 00FB28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FB28EF
GetSystemMetrics.USER32(00000008), ref: 00FB28F7
GetSystemMetrics.USER32(00000004), ref: 00FB291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00FB2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00FB2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00FB297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00FB2990
GetClientRect.USER32(00000000,000000FF), ref: 00FB29AE
GetStockObject.GDI32(00000011), ref: 00FB29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00FB29D5

Part of subcall function 00FB2344: GetCursorPos.USER32(?), ref: 00FB2357
Part of subcall function 00FB2344: ScreenToClient.USER32(010757B0,?), ref: 00FB2374
Part of subcall function 00FB2344: GetAsyncKeyState.USER32(00000001), ref: 00FB2399
Part of subcall function 00FB2344: GetAsyncKeyState.USER32(00000002), ref: 00FB23A7

SetTimer.USER32(00000000,00000000,00000028,00FB1256), ref: 00FB29FC

Strings

AutoIt v3 GUI, xrefs: 00FB2974

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 085c9dfe8aee75b0d8872687aaf44b19a8c56a9b551bf97b0d97a09f3c85ef6d
Instruction ID: 6d8d0595a6e95f59cc617698e16bc05984d839821f1fdab45308f2aa70669f0f
Opcode Fuzzy Hash: 085c9dfe8aee75b0d8872687aaf44b19a8c56a9b551bf97b0d97a09f3c85ef6d
Instruction Fuzzy Hash: 33B17971A0020AEFDB24DFA9DC45BEA7BB8FB08310F104129FA55E6294CB78E801DF51

Function 0100A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0100A47A
__swprintf.LIBCMT ref: 0100A51B
_wcscmp.LIBCMT ref: 0100A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0100A583
_wcscmp.LIBCMT ref: 0100A5BF
GetClassNameW.USER32(?,?,00000400), ref: 0100A5F6
GetDlgCtrlID.USER32(?), ref: 0100A648
GetWindowRect.USER32(?,?), ref: 0100A67E
GetParent.USER32(?), ref: 0100A69C
ScreenToClient.USER32(00000000), ref: 0100A6A3
GetClassNameW.USER32(?,?,00000100), ref: 0100A71D
_wcscmp.LIBCMT ref: 0100A731
GetWindowTextW.USER32(?,?,00000400), ref: 0100A757
_wcscmp.LIBCMT ref: 0100A76B

Part of subcall function 00FD362C: _iswctype.LIBCMT ref: 00FD3634

Strings

%s%u, xrefs: 0100A515

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 5e9e1027b0775086f625159a3be81a828225473301b82667ecb0bb7678113233
Instruction ID: 9bbef5e0d0d282d6c5f21e3114c9a5203200ca397f7f945f28e5714223f88b6c
Opcode Fuzzy Hash: 5e9e1027b0775086f625159a3be81a828225473301b82667ecb0bb7678113233
Instruction Fuzzy Hash: C0A1A031304706EBE716DE64C884FAABBE8FB88354F008519EADAC3191DB34E555CB92

Function 0100AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0100AF18
_wcscmp.LIBCMT ref: 0100AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 0100AF51
CharUpperBuffW.USER32(?,00000000), ref: 0100AF6E
_wcscmp.LIBCMT ref: 0100AF8C
_wcsstr.LIBCMT ref: 0100AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 0100AFD5
_wcscmp.LIBCMT ref: 0100AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 0100B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 0100B055
_wcscmp.LIBCMT ref: 0100B065
GetClassNameW.USER32(00000010,?,00000400), ref: 0100B08D
GetWindowRect.USER32(00000004,?), ref: 0100B0F6

Strings

@, xrefs: 0100AEF9
ThumbnailClass, xrefs: 0100AFE0, 0100B060

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 1e03587cf19012bbd91cb4e54fd8999d8c493d9b6b5011e3f6b76e1a5ab7baa9
Instruction ID: ceaf6d390267541a2bdb7043a9c21b66f0cc445364d2b9274628c29a12c30230
Opcode Fuzzy Hash: 1e03587cf19012bbd91cb4e54fd8999d8c493d9b6b5011e3f6b76e1a5ab7baa9
Instruction Fuzzy Hash: 8081A1711083069BEB12DF18C881FBA7BD8EF44314F0484AAFEC59A0D6DB34D945CB61

Function 0100ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0100AC33

Strings

[CLASS:, xrefs: 0100AC83
LAST, xrefs: 0100ABF8
HANDLE=, xrefs: 0100AC2C
REGEXP=, xrefs: 0100AC48
ALL, xrefs: 0100ACC7
[HANDLE:, xrefs: 0100AC3F
CLASSNAME=, xrefs: 0100AC70
[LAST, xrefs: 0100ACE0
ACTIVE, xrefs: 0100AC0E
[REGEXPTITLE:, xrefs: 0100AC5B
[ACTIVE, xrefs: 0100AC20
[ALL, xrefs: 0100ACD9

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 11e85945ee1f4bf410c3fa2a99ead4d967ef43728e9cfc863c96d564d8cf2de8
Instruction ID: 38a33fe3657bd5eace094e290fbdd3f3e15c171e5ddcd6322e695cc1c9cac50a
Opcode Fuzzy Hash: 11e85945ee1f4bf410c3fa2a99ead4d967ef43728e9cfc863c96d564d8cf2de8
Instruction Fuzzy Hash: 8E31F230A44309EBEB15FBA2DE03EEE77A8AF50754F200029F482760D5EF596F04DA91

Function 01024FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 01025013
LoadCursorW.USER32(00000000,00007F00), ref: 0102501E
LoadCursorW.USER32(00000000,00007F03), ref: 01025029
LoadCursorW.USER32(00000000,00007F8B), ref: 01025034
LoadCursorW.USER32(00000000,00007F01), ref: 0102503F
LoadCursorW.USER32(00000000,00007F81), ref: 0102504A
LoadCursorW.USER32(00000000,00007F88), ref: 01025055
LoadCursorW.USER32(00000000,00007F80), ref: 01025060
LoadCursorW.USER32(00000000,00007F86), ref: 0102506B
LoadCursorW.USER32(00000000,00007F83), ref: 01025076
LoadCursorW.USER32(00000000,00007F85), ref: 01025081
LoadCursorW.USER32(00000000,00007F82), ref: 0102508C
LoadCursorW.USER32(00000000,00007F84), ref: 01025097
LoadCursorW.USER32(00000000,00007F04), ref: 010250A2
LoadCursorW.USER32(00000000,00007F02), ref: 010250AD
LoadCursorW.USER32(00000000,00007F89), ref: 010250B8
GetCursorInfo.USER32(?), ref: 010250C8

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 330eb502b071131f10d96ba130c86f3ea9cc39a2285da2ed80ab983fea11cd3e
Instruction ID: b450b7ff2bf898e9676ba3f8703d02095530c0df867969a4c8a3738bfec878aa
Opcode Fuzzy Hash: 330eb502b071131f10d96ba130c86f3ea9cc39a2285da2ed80ab983fea11cd3e
Instruction Fuzzy Hash: 7D3115B1D0831A6ADF609FB68C8989EBFF8FF04750F50452AE54CE7280DA78A5008F95

Function 0103A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0103A259
DestroyWindow.USER32(?,?), ref: 0103A2D3

Part of subcall function 00FB7BCC: _memmove.LIBCMT ref: 00FB7C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0103A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0103A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0103A382
DestroyWindow.USER32(00000000), ref: 0103A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00FB0000,00000000), ref: 0103A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0103A3F4
GetDesktopWindow.USER32 ref: 0103A40D
GetWindowRect.USER32(00000000), ref: 0103A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0103A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0103A444

Part of subcall function 00FB25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FB25EC

Strings

0, xrefs: 0103A26F
tooltips_class32, xrefs: 0103A346, 0103A3D4

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: c0d977f4ba3a93f7e88ac30567f8dd5706ab7aaedf48da22bebba7eec73c4f4c
Instruction ID: 8cfede475416bcab14a0e2096290e2aed2d7771c0b60de03c4efd9a57f74ffb9
Opcode Fuzzy Hash: c0d977f4ba3a93f7e88ac30567f8dd5706ab7aaedf48da22bebba7eec73c4f4c
Instruction Fuzzy Hash: B0718A70640205AFE761CF28CC49FAA7BE9FBC8300F08455DF9C5972A0CB79A902DB52

Function 0103C5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB2612: GetWindowLongW.USER32(?,000000EB), ref: 00FB2623

DragQueryPoint.SHELL32(?,?), ref: 0103C627

Part of subcall function 0103AB37: ClientToScreen.USER32(?,?), ref: 0103AB60
Part of subcall function 0103AB37: GetWindowRect.USER32(?,?), ref: 0103ABD6
Part of subcall function 0103AB37: PtInRect.USER32(?,?,0103C014), ref: 0103ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 0103C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0103C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0103C6BE
_wcscat.LIBCMT ref: 0103C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0103C705
SendMessageW.USER32(?,000000B0,?,?), ref: 0103C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 0103C735
SendMessageW.USER32(?,000000B1,?,?), ref: 0103C757
DragFinish.SHELL32(?), ref: 0103C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0103C851

Strings

@GUI_DROPID, xrefs: 0103C77E
@GUI_DRAGFILE, xrefs: 0103C800
@GUI_DRAGID, xrefs: 0103C7C9

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 338c4bd1036e675f34454c82fb0ca99d394186f1c2b8cf9ac7ff5588d2459402
Instruction ID: 54f8a74166e244533b4684b42ad4fcd42751566f5ab74cde0204ceff92172b34
Opcode Fuzzy Hash: 338c4bd1036e675f34454c82fb0ca99d394186f1c2b8cf9ac7ff5588d2459402
Instruction Fuzzy Hash: CC61A771508301AFCB01EF65CC85DABBBECEF88750F00091EF691A21A1DB75AA09DB52

Function 01017D1A Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 01017D5F
VariantCopy.OLEAUT32(00000000,?), ref: 01017D68
VariantClear.OLEAUT32(00000000), ref: 01017D74
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 01017E62
__swprintf.LIBCMT ref: 01017E92
VarR8FromDec.OLEAUT32(?,?), ref: 01017EBE
VariantInit.OLEAUT32(?), ref: 01017F6F
SysFreeString.OLEAUT32(00000016), ref: 01018003
VariantClear.OLEAUT32(?), ref: 0101805D
VariantClear.OLEAUT32(?), ref: 0101806C
VariantInit.OLEAUT32(00000000), ref: 010180AA

Strings

Default, xrefs: 01017F1F
%4d%02d%02d%02d%02d%02d, xrefs: 01017E8C

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 274b44f005aa532d9d8b5f85c478957f1df8296cc87f472543b4539b4686e009
Instruction ID: 573d056ebaeeccdafc2608ef12b13b1ee4c661f5d53e922d275f93d1e6d7b133
Opcode Fuzzy Hash: 274b44f005aa532d9d8b5f85c478957f1df8296cc87f472543b4539b4686e009
Instruction Fuzzy Hash: D3D1D47160060AEBDB20AF65C844BBEBBF5BF05300F54845AE5859B28CDF7DE944CBA1

Function 01034392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 01034424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0103446F

Strings

UNCHECK, xrefs: 0103464B
EXPAND, xrefs: 01034521
GETSELECTED, xrefs: 0103457F
EXISTS, xrefs: 010344D8
GETTEXT, xrefs: 010345C2
GETTOTALCOUNT, xrefs: 01034456
COLLAPSE, xrefs: 010344B5
CHECK, xrefs: 0103448F
ISCHECKED, xrefs: 010345F2
SELECT, xrefs: 01034620
GETITEMCOUNT, xrefs: 01034551

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 935b930ce68b5507f5b972b9be94cfa64963c28946a0b791c7c902dc159de887
Instruction ID: 2531b76f04d99e14ae4176e3d40737797712e671e4ffea91c5711d2e60c13011
Opcode Fuzzy Hash: 935b930ce68b5507f5b972b9be94cfa64963c28946a0b791c7c902dc159de887
Instruction Fuzzy Hash: 0C919E702043019FCB04EF14C851AAEB7E5AF95354F04885DF9D69B7A2CB79ED09DB81

Function 0103B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0103B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,010391C2), ref: 0103B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0103B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0103B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0103B9C3
FreeLibrary.KERNEL32(?), ref: 0103B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0103B9DF
DestroyIcon.USER32(?,?,?,?,?,010391C2), ref: 0103B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0103BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0103BA17

Part of subcall function 00FD2EFD: __wcsicmp_l.LIBCMT ref: 00FD2F86

Strings

.icl, xrefs: 0103B82A
.exe, xrefs: 0103B84A
.dll, xrefs: 0103B86D

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 6eb71c5213af52bec48e7f3e9437914e136df904d5624515ca7d56e977063d7c
Instruction ID: f1c95a787d01304b746e0cd3f96a45acceffbb8eb3cc30c9e5008e74883e9b36
Opcode Fuzzy Hash: 6eb71c5213af52bec48e7f3e9437914e136df904d5624515ca7d56e977063d7c
Instruction Fuzzy Hash: 4361E071900209BEEB14DF69CC41FBE7BACFB48714F10424AF955D61C1DBB99A80DBA0

Function 0101A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00FB9837: __itow.LIBCMT ref: 00FB9862
Part of subcall function 00FB9837: __swprintf.LIBCMT ref: 00FB98AC

CharLowerBuffW.USER32(?,?), ref: 0101A3CB
GetDriveTypeW.KERNEL32 ref: 0101A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0101A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0101A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0101A4C5

Part of subcall function 00FB7BCC: _memmove.LIBCMT ref: 00FB7C06

Strings

type cdaudio alias cd wait, xrefs: 0101A443
wait, xrefs: 0101A482
set cd door , xrefs: 0101A466
close, xrefs: 0101A3D1
open , xrefs: 0101A427
close cd wait, xrefs: 0101A4B0
open, xrefs: 0101A3F2
closed, xrefs: 0101A3DF, 0101A3E8

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 402ee879ea088e226095aaa7eb5c22bcdf374ba9ca4f8f171a165d0835d558e2
Instruction ID: 5025c8ad90b64f77db3dd10dfc5f58f230445934fd1a495edfffb17eb5606ef0
Opcode Fuzzy Hash: 402ee879ea088e226095aaa7eb5c22bcdf374ba9ca4f8f171a165d0835d558e2
Instruction Fuzzy Hash: 365139716083059FC700EF25CC919AAB7E8EF88718F04885DF89A97261DB39ED09DF52

Function 0100F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00FEE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0100F8DF
LoadStringW.USER32(00000000,?,00FEE029,00000001), ref: 0100F8E8

Part of subcall function 00FB7DE1: _memmove.LIBCMT ref: 00FB7E22

GetModuleHandleW.KERNEL32(00000000,01075310,?,00000FFF,?,?,00FEE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0100F90A
LoadStringW.USER32(00000000,?,00FEE029,00000001), ref: 0100F90D
__swprintf.LIBCMT ref: 0100F95D
__swprintf.LIBCMT ref: 0100F96E
_wprintf.LIBCMT ref: 0100FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0100FA2E

Strings

Line %d (File "%s"):, xrefs: 0100F957
^ ERROR, xrefs: 0100F9C3
Line %d:, xrefs: 0100F968
%s (%d) : ==> %s: %s %s, xrefs: 0100FA12
Error: , xrefs: 0100F9E5

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 8172d174a099c127e79285852b300ff2d4af11ef5c7d30d26d1f1ce2119d66e5
Instruction ID: 517bf1066102d5aef812a912f4879358f647db70fdd9aacc0320f6705df4e13a
Opcode Fuzzy Hash: 8172d174a099c127e79285852b300ff2d4af11ef5c7d30d26d1f1ce2119d66e5
Instruction Fuzzy Hash: 2B416F7280420AABDF15FBE1DD86DEE7B7CAF58300F100065B505B6095EA396F49EF61

Function 0103BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,01039207,?,?), ref: 0103BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,01039207,?,?,00000000,?), ref: 0103BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,01039207,?,?,00000000,?), ref: 0103BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,01039207,?,?,00000000,?), ref: 0103BA85
GlobalLock.KERNEL32(00000000), ref: 0103BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,01039207,?,?,00000000,?), ref: 0103BA9D
GlobalUnlock.KERNEL32(00000000), ref: 0103BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,01039207,?,?,00000000,?), ref: 0103BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,01039207,?,?,00000000,?), ref: 0103BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,01042CAC,?), ref: 0103BAD7
GlobalFree.KERNEL32(00000000), ref: 0103BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 0103BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0103BB36
DeleteObject.GDI32(00000000), ref: 0103BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0103BB74

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: b4482f9f9bc32cf378882157d1917099dac53e503dee95a918a2daab8234d956
Instruction ID: 8d3d8554df995a8dc12c9c9f9e00ae9f040e8f61f93dd54988fbc793a7f3de71
Opcode Fuzzy Hash: b4482f9f9bc32cf378882157d1917099dac53e503dee95a918a2daab8234d956
Instruction Fuzzy Hash: E7416B75A00209EFDB219F69DC88EAABBFCFF89715F104058F989D7254CB759A01CB21

Function 0101D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0101DA10
_wcscat.LIBCMT ref: 0101DA28
_wcscat.LIBCMT ref: 0101DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0101DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 0101DA63
GetFileAttributesW.KERNEL32(?), ref: 0101DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 0101DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 0101DAA7

Strings

*.*, xrefs: 0101DAE6

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 2a9752f2291d956d39c36555e1a959005cdec7c2f633b072d6e06035e8d1c75d
Instruction ID: d0bb552d551b43e0e86fb91a21e03a4cf19e23618f7feab4e5c185981d75002a
Opcode Fuzzy Hash: 2a9752f2291d956d39c36555e1a959005cdec7c2f633b072d6e06035e8d1c75d
Instruction Fuzzy Hash: 7B81D6715083419FCB64DFA8C8489AEB7EABF85314F08486EF9C9C7215D738E944CB52

Function 0103C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB2612: GetWindowLongW.USER32(?,000000EB), ref: 00FB2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0103C1FC
GetFocus.USER32 ref: 0103C20C
GetDlgCtrlID.USER32(00000000), ref: 0103C217
_memset.LIBCMT ref: 0103C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0103C36D
GetMenuItemCount.USER32(?), ref: 0103C38D
GetMenuItemID.USER32(?,00000000), ref: 0103C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0103C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0103C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0103C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0103C489

Strings

0, xrefs: 0103C33A

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 4ea62b8b580414d43aa679753fd120336136df4aac7ed3e6e71c268d4a008e54
Instruction ID: 235661f7c1e5bb2274f5b41a95d1c83cfeb691dfeccc0bd33f355fda46b74e58
Opcode Fuzzy Hash: 4ea62b8b580414d43aa679753fd120336136df4aac7ed3e6e71c268d4a008e54
Instruction Fuzzy Hash: FF817D706083019FE761DF28C984AAABBE9FBC8714F00495EFAD5E7291CB71D901CB52

Function 0102731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0102738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0102739B
CreateCompatibleDC.GDI32(?), ref: 010273A7
SelectObject.GDI32(00000000,?), ref: 010273B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 01027408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 01027444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 01027468
SelectObject.GDI32(00000006,?), ref: 01027470
DeleteObject.GDI32(?), ref: 01027479
DeleteDC.GDI32(00000006), ref: 01027480
ReleaseDC.USER32(00000000,?), ref: 0102748B

Strings

(, xrefs: 01027410

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: b28612e5268cb8e57ec76c6c6d3dd238995d33cdf2bf91d73a851b7eb9e7e7f0
Instruction ID: 7ed9b91a120838996bfeb060f6c766b7962b4de308560fc381b93da6fb0f4416
Opcode Fuzzy Hash: b28612e5268cb8e57ec76c6c6d3dd238995d33cdf2bf91d73a851b7eb9e7e7f0
Instruction Fuzzy Hash: C0514A7590031AEFDB25CFA8C885EAEBBF9EF48310F14851EFA9997210C735A940CB50

Function 00FB6A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00FD0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00FB6B0C,?,00008000), ref: 00FD0973

Part of subcall function 00FB4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FB4743,?,?,00FB37AE,?), ref: 00FB4770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00FB6BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB6CFA

Part of subcall function 00FB586D: _wcscpy.LIBCMT ref: 00FB58A5

Part of subcall function 00FD363D: _iswctype.LIBCMT ref: 00FD3645

Strings

Bad directive syntax error, xrefs: 00FEE79D
AU3!, xrefs: 00FB6B61
>>>AUTOIT SCRIPT<<<, xrefs: 00FEE496
Error opening the file, xrefs: 00FEE43D, 00FEE4B8
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00FEE421
Unterminated string, xrefs: 00FEE7E4
EA06, xrefs: 00FEE452

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 3e584c25fc8b7da053085c49bd31c3751ffcc21317def9bf4ef7b8d6cf76fa10
Instruction ID: 3c1ad4258977c348c61f1a6d9aa49aab17f49621fb822584107618cc61577f43
Opcode Fuzzy Hash: 3e584c25fc8b7da053085c49bd31c3751ffcc21317def9bf4ef7b8d6cf76fa10
Instruction Fuzzy Hash: 4902AC715083419FC724EF22C881AAFBBE5AF98314F14491EF4D9972A1DB38D949EF42

Function 01012D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01012D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 01012DDD
GetMenuItemCount.USER32(01075890), ref: 01012E66
DeleteMenu.USER32(01075890,00000005,00000000,000000F5,?,?), ref: 01012EF6
DeleteMenu.USER32(01075890,00000004,00000000), ref: 01012EFE
DeleteMenu.USER32(01075890,00000006,00000000), ref: 01012F06
DeleteMenu.USER32(01075890,00000003,00000000), ref: 01012F0E
GetMenuItemCount.USER32(01075890), ref: 01012F16
SetMenuItemInfoW.USER32(01075890,00000004,00000000,00000030), ref: 01012F4C
GetCursorPos.USER32(?), ref: 01012F56
SetForegroundWindow.USER32(00000000), ref: 01012F5F
TrackPopupMenuEx.USER32(01075890,00000000,?,00000000,00000000,00000000), ref: 01012F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 01012F7E

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: b8172d4839949006d5c3ae31a5ff8130133d775ee95fea58b6e51eb24cb278dc
Instruction ID: 4f7b96c9d4e33beaa4a64b2a9b71b3e1b5ac95b216ed15e1ca044cf63fc1b2df
Opcode Fuzzy Hash: b8172d4839949006d5c3ae31a5ff8130133d775ee95fea58b6e51eb24cb278dc
Instruction Fuzzy Hash: 7B71E670640206BFFB219F58DC44FEABFA8FF04754F24025AF695AA1D4C7B96820CB95

Function 010077DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB7BCC: _memmove.LIBCMT ref: 00FB7C06

_memset.LIBCMT ref: 0100786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 010078A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 010078BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 010078D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 01007902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0100792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 01007935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0100793A

Strings

SOFTWARE\Classes\, xrefs: 0100780C
\IPC$, xrefs: 01007882
\CLSID, xrefs: 01007822

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 8c2c80c16f1a1c827198c7e3035e34378f290800bea474ef5ee692189dead472
Instruction ID: 975d713db59294eea8a788ed4d56e8b8cc25b2cc8be2b218bf14a3dc04b4b591
Opcode Fuzzy Hash: 8c2c80c16f1a1c827198c7e3035e34378f290800bea474ef5ee692189dead472
Instruction Fuzzy Hash: 5E413872C10229ABDF21EBA5DC85DEEB7B8BF44700F044069F945A31A5DB399A04DF90

Function 01030E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0102FDAD,?,?), ref: 01030E31

Strings

HKCU, xrefs: 01030F21
HKEY_USERS, xrefs: 01030F32
HKCC, xrefs: 01030EFF
HKEY_LOCAL_MACHINE, xrefs: 01030E9A
HKLM, xrefs: 01030EAF
HKEY_CURRENT_CONFIG, xrefs: 01030EEE
HKEY_CURRENT_USER, xrefs: 01030F10
HKEY_CLASSES_ROOT, xrefs: 01030EC4
HKCR, xrefs: 01030ED9
HKU, xrefs: 01030F43

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 1f82c852d88e3e313d32f40a9b430cb2d39accce40fb8ad862b96ed375b9fe56
Instruction ID: b687d116f0abf043e6e0ef9dafdf9473de0be979e0c6b20771a99b3f14f6eb30
Opcode Fuzzy Hash: 1f82c852d88e3e313d32f40a9b430cb2d39accce40fb8ad862b96ed375b9fe56
Instruction Fuzzy Hash: 9D416C3120124A8FCF01EF14DC55AEF37A9BF81344F084445FC951BA9ADB3A9919DBA0

Function 0100F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00FEE2A0,00000010,?,Bad directive syntax error,0103F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0100F7C2
LoadStringW.USER32(00000000,?,00FEE2A0,00000010), ref: 0100F7C9

Part of subcall function 00FB7DE1: _memmove.LIBCMT ref: 00FB7E22

_wprintf.LIBCMT ref: 0100F7FC
__swprintf.LIBCMT ref: 0100F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0100F88D

Strings

Line %d (File "%s"):, xrefs: 0100F833
%s (%d) : ==> %s.: %s %s, xrefs: 0100F7F7
Line %d:, xrefs: 0100F818
Error: , xrefs: 0100F85B
., xrefs: 0100F873

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 24c3a8ccc473dc82e29bcedee429bf47d727f8faa941b051e7bc5f9053704f31
Instruction ID: 8c2a9e7f6b05b4679c2fe6c1e102bf1d4bed4ddf9ca6962749ae32facef1f726
Opcode Fuzzy Hash: 24c3a8ccc473dc82e29bcedee429bf47d727f8faa941b051e7bc5f9053704f31
Instruction Fuzzy Hash: 0221823190031EEBCF12EF91CC4AEED7779BF18300F04445AF545660A2DA759618EF51

Function 010152C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00FB7BCC: _memmove.LIBCMT ref: 00FB7C06

Part of subcall function 00FB7924: _memmove.LIBCMT ref: 00FB79AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 01015330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 01015346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 01015357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 01015369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0101537A

Strings

close PlayMe, xrefs: 01015341, 0101536E
play PlayMe wait, xrefs: 01015364
open , xrefs: 010152DF
alias PlayMe, xrefs: 01015309
play PlayMe, xrefs: 01015375
status PlayMe mode, xrefs: 0101532B

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 8696e46d26369041cfa24493d126c544361dcd9b531d8d797d1be97b96f3d5d4
Instruction ID: 67a270c6676c0afd449673effce94d16bebb023472b3aca77e9e65ab4084b227
Opcode Fuzzy Hash: 8696e46d26369041cfa24493d126c544361dcd9b531d8d797d1be97b96f3d5d4
Instruction Fuzzy Hash: 8411B270A5032979D760B767DC4ADFF7BBCFBD6B00F00445EB441AA0D5EAA84904C9A0

Function 010146B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 010146D2
gethostname.WSOCK32(?,00000100), ref: 010146EC
gethostbyname.WSOCK32(?), ref: 010146F9
_wcscpy.LIBCMT ref: 01014721
_memmove.LIBCMT ref: 01014734
inet_ntoa.WSOCK32(?), ref: 0101473F
_strcat.LIBCMT ref: 0101474D
_wcscpy.LIBCMT ref: 01014764
WSACleanup.WSOCK32 ref: 01014772
_wcscpy.LIBCMT ref: 01014780

Strings

0.0.0.0, xrefs: 0101471B

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 8aa8fe958468cde5d72f1ce3ea32b1879ec18f8ca74bbfe3db0e556c1b85ac75
Instruction ID: ab851cfe6e31e34d0a032f6cab15986acf8dd5e66b152c1506133a71975e8764
Opcode Fuzzy Hash: 8aa8fe958468cde5d72f1ce3ea32b1879ec18f8ca74bbfe3db0e556c1b85ac75
Instruction Fuzzy Hash: 87113231900116ABCB24AB34DC4AEEE77BCEB02311F0401AAF485D6161EF798A818BA1

Function 01014F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 01014F7A

Part of subcall function 00FD049F: timeGetTime.WINMM(?,76C1B400,00FC0E7B), ref: 00FD04A3

Sleep.KERNEL32(0000000A), ref: 01014FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 01014FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 01014FEC
SetActiveWindow.USER32 ref: 0101500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 01015019
SendMessageW.USER32(00000010,00000000,00000000), ref: 01015038
Sleep.KERNEL32(000000FA), ref: 01015043
IsWindow.USER32 ref: 0101504F
EndDialog.USER32(00000000), ref: 01015060

Strings

BUTTON, xrefs: 01014FDE

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 4c5b584aac34e6697d1cb71f88391f71d37f9c8d96a7c8d1e403d1ca16f13e7e
Instruction ID: 8a721125f26a0c1d065c3ae84616f3b0f741e9b152c4e064f52c6098e3f3dea0
Opcode Fuzzy Hash: 4c5b584aac34e6697d1cb71f88391f71d37f9c8d96a7c8d1e403d1ca16f13e7e
Instruction Fuzzy Hash: 9B21A770A00606AFF7315F74ED88B663BADEB4A745F041018F1C29529CDB7F4D149762

Function 0101D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB9837: __itow.LIBCMT ref: 00FB9862
Part of subcall function 00FB9837: __swprintf.LIBCMT ref: 00FB98AC

CoInitialize.OLE32(00000000), ref: 0101D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0101D67D
SHGetDesktopFolder.SHELL32(?), ref: 0101D691
CoCreateInstance.OLE32(01042D7C,00000000,00000001,01068C1C,?), ref: 0101D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0101D74C
CoTaskMemFree.OLE32(?,?), ref: 0101D7A4
_memset.LIBCMT ref: 0101D7E1
SHBrowseForFolderW.SHELL32(?), ref: 0101D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0101D840
CoTaskMemFree.OLE32(00000000), ref: 0101D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0101D87E
CoUninitialize.OLE32(00000001,00000000), ref: 0101D880

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 6a7e4988d0e5cf7808b69107400eece0a79bcfed1165b75acca238bdf0025683
Instruction ID: 20eaabff651663027e5bfb0fdb82f4ea2b857cfaa2da56ed50b3b71cf6fa7da9
Opcode Fuzzy Hash: 6a7e4988d0e5cf7808b69107400eece0a79bcfed1165b75acca238bdf0025683
Instruction Fuzzy Hash: 7BB10975A00109AFDB04DFA9C888DAEBBB9FF48314F048499E949EB265DB35ED41CB50

Function 0100C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0100C283
GetWindowRect.USER32(00000000,?), ref: 0100C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0100C2F3
GetDlgItem.USER32(?,00000002), ref: 0100C2FE
GetWindowRect.USER32(00000000,?), ref: 0100C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0100C364
GetDlgItem.USER32(?,000003E9), ref: 0100C372
GetWindowRect.USER32(00000000,?), ref: 0100C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0100C3C6
GetDlgItem.USER32(?,000003EA), ref: 0100C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0100C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0100C3FE

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: c5c975945c30309b611b6b658a36bf384995802a29e971cc721a208b8de3380a
Instruction ID: 00b859940ab9c14542c621476bd4cf1ab63572ed95eb47274004e95b95f06a89
Opcode Fuzzy Hash: c5c975945c30309b611b6b658a36bf384995802a29e971cc721a208b8de3380a
Instruction Fuzzy Hash: 70514171B00205ABEB18CFBDDD85A6EBBB9FB88310F14816DF655D62D4D77599008B10

Function 00FB201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FB2036,?,00000000,?,?,?,?,00FB16CB,00000000,?), ref: 00FB1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00FB20D3
KillTimer.USER32(-00000001,?,?,?,?,00FB16CB,00000000,?,?,00FB1AE2,?,?), ref: 00FB216E
DestroyAcceleratorTable.USER32(00000000), ref: 00FEBCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FB16CB,00000000,?,?,00FB1AE2,?,?), ref: 00FEBCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FB16CB,00000000,?,?,00FB1AE2,?,?), ref: 00FEBCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FB16CB,00000000,?,?,00FB1AE2,?,?), ref: 00FEBD0A
DeleteObject.GDI32(00000000), ref: 00FEBD1C

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: d078ff46a84a70e65137117bc7aa3417ad463a137350f7f4f9cf22ef3190fcac
Instruction ID: 3cc3a9de39691dfa794f0dfbcf12bf7de5007d14fa0a9b005dd67d0aca9ed948
Opcode Fuzzy Hash: d078ff46a84a70e65137117bc7aa3417ad463a137350f7f4f9cf22ef3190fcac
Instruction Fuzzy Hash: E861AF31D00601DFCB75AF1ADD48BAAB7F1FF40322F10851DE482AA964C77AA881EF41

Function 00FB21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00FB25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FB25EC

GetSysColor.USER32(0000000F), ref: 00FB21D3

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 50d189a9a9705fbf8ce3114446b6bff4090d4bd107e178cc1f6d33d7e86470b5
Instruction ID: c4f1b09d0f40cafc6faea7920bc6a295ee101c7722f67b76956c3d973ab86010
Opcode Fuzzy Hash: 50d189a9a9705fbf8ce3114446b6bff4090d4bd107e178cc1f6d33d7e86470b5
Instruction Fuzzy Hash: 3241C331800145AFEB615F29EC88BF93B65EB06331F184265FEA5CA1E5C7368C42EF21

Function 0101A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0103F910), ref: 0101A90B
GetDriveTypeW.KERNEL32(00000061,010689A0,00000061), ref: 0101A9D5
_wcscpy.LIBCMT ref: 0101A9FF

Strings

unknown, xrefs: 0101A996
fixed, xrefs: 0101A953
removable, xrefs: 0101A93D
cdrom, xrefs: 0101A927
network, xrefs: 0101A969
ramdisk, xrefs: 0101A97F
all, xrefs: 0101A911

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 3bf92d4e334c3d55670ab5d7de0454daf6e9242250f777e2a59adeab7a7d0637
Instruction ID: 10ca1e68095c0bfb5bd80423dbd56a45dce4589da175cb2a6666790fac0f621e
Opcode Fuzzy Hash: 3bf92d4e334c3d55670ab5d7de0454daf6e9242250f777e2a59adeab7a7d0637
Instruction Fuzzy Hash: 2C51CF352083419BC300EF15CC91AAFB7EAFF84304F48481EF5D5572A6DB79D949CA52

Function 00FB9837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00FB9862
__swprintf.LIBCMT ref: 00FB98AC
__i64tow.LIBCMT ref: 00FEF5E6

Strings

0x%p, xrefs: 00FEF5C8
False, xrefs: 00FEF5AE
%.15g, xrefs: 00FB98A6
True, xrefs: 00FEF5A7

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 275315e4a53490ccf5177d6d4390817e62c353021a7ada60d7d02178d521dabe
Instruction ID: 94abd51173c49bf62865d1b67708f840564afb53a1be22cfddf202e9e5787a70
Opcode Fuzzy Hash: 275315e4a53490ccf5177d6d4390817e62c353021a7ada60d7d02178d521dabe
Instruction Fuzzy Hash: 09411332A04305AFDB24DF36DC42FBA73E9EF45310F28446FE649CA291EA75D905AB10

Function 01037152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0103716A
CreateMenu.USER32 ref: 01037185
SetMenu.USER32(?,00000000), ref: 01037194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01037221
IsMenu.USER32(?), ref: 01037237
CreatePopupMenu.USER32 ref: 01037241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0103726E
DrawMenuBar.USER32 ref: 01037276

Strings

F, xrefs: 01037262
0, xrefs: 01037160

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: ddea48b48d6e16a1d1e995ef943e0b06b296cfad4fa2e44a2d1c771b4fefb8e6
Instruction ID: fb0cd7b6c347e33897609b55563b2addae07329a98a588fc8f80b2bce2068f71
Opcode Fuzzy Hash: ddea48b48d6e16a1d1e995ef943e0b06b296cfad4fa2e44a2d1c771b4fefb8e6
Instruction Fuzzy Hash: D84138B5A01209EFDB60DF68D844F9ABBF9FF48310F140069FA85A7351D736A910CB91

Function 010374BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0103755E
CreateCompatibleDC.GDI32(00000000), ref: 01037565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 01037578
SelectObject.GDI32(00000000,00000000), ref: 01037580
GetPixel.GDI32(00000000,00000000,00000000), ref: 0103758B
DeleteDC.GDI32(00000000), ref: 01037594
GetWindowLongW.USER32(?,000000EC), ref: 0103759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 010375B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 010375BE

Strings

static, xrefs: 010374F6

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 78f11ea43fb8edc3642e0606f8889edb2bcf0a096fc83ae631c7dff648c3544d
Instruction ID: a74950a8600d150bda469ccbb225ab99876c630b36d2c7ccd08d4592e613d98f
Opcode Fuzzy Hash: 78f11ea43fb8edc3642e0606f8889edb2bcf0a096fc83ae631c7dff648c3544d
Instruction Fuzzy Hash: 1C318D72501216BBDF269F68DC08FDA3BADFF49361F110214FA95A60E0CB76D811DBA1

Function 00FD6E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FD6E3E

Part of subcall function 00FD8B28: __getptd_noexit.LIBCMT ref: 00FD8B28

__gmtime64_s.LIBCMT ref: 00FD6ED7
__gmtime64_s.LIBCMT ref: 00FD6F0D
__gmtime64_s.LIBCMT ref: 00FD6F2A
__allrem.LIBCMT ref: 00FD6F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD6F9C
__allrem.LIBCMT ref: 00FD6FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD6FD1
__allrem.LIBCMT ref: 00FD6FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD7006
__invoke_watson.LIBCMT ref: 00FD7077

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 4aacd1368bbdd848b185573c25d4fe9ab84f9f27990852fea8503dfe4126d611
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 50712576E00B16ABD714AF69DC45B5AB7AAAF04724F18422BF414DB3C1F774E900AB90

Function 01012527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01012542
GetMenuItemInfoW.USER32(01075890,000000FF,00000000,00000030), ref: 010125A3
SetMenuItemInfoW.USER32(01075890,00000004,00000000,00000030), ref: 010125D9
Sleep.KERNEL32(000001F4), ref: 010125EB
GetMenuItemCount.USER32(?), ref: 0101262F
GetMenuItemID.USER32(?,00000000), ref: 0101264B
GetMenuItemID.USER32(?,-00000001), ref: 01012675
GetMenuItemID.USER32(?,?), ref: 010126BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 01012700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01012714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01012735

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: c365fd044a6e3c5a12fc5891f8c64cc056265f4a861a8c54be01e930d3d9606e
Instruction ID: 3779c9049a3160df79e4f9d9d38e218835699a10684d343263185a35d4082143
Opcode Fuzzy Hash: c365fd044a6e3c5a12fc5891f8c64cc056265f4a861a8c54be01e930d3d9606e
Instruction Fuzzy Hash: 9D61947090024AAFDB21DF68D984DFF7BB8FB45344F240459F581A3299D73AA905DB21

Function 01036F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01036FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01036FA8
GetWindowLongW.USER32(?,000000F0), ref: 01036FCC
_memset.LIBCMT ref: 01036FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01036FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01037067

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: aec7dadb88b0cf0e8c6600f805bd0755b3dff9e860b3de193d113b9905436c6c
Instruction ID: e931ac45fd0209cf5bc918309311b5be104a12d45f2418e2d877ec89f3ee9bd1
Opcode Fuzzy Hash: aec7dadb88b0cf0e8c6600f805bd0755b3dff9e860b3de193d113b9905436c6c
Instruction Fuzzy Hash: DA617D75900208EFDB11DFA8CC81EEEB7F9EB49710F140199FA54EB291C775A941DB90

Function 01006B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 01006BBF
SafeArrayAllocData.OLEAUT32(?), ref: 01006C18
VariantInit.OLEAUT32(?), ref: 01006C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 01006C4A
VariantCopy.OLEAUT32(?,?), ref: 01006C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 01006CB1
VariantClear.OLEAUT32(?), ref: 01006CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 01006CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 01006CDC
VariantClear.OLEAUT32(?), ref: 01006CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 01006CF9

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 8ec6ffea4ec4163c204eec06b83b3ec440532e9c8aa30d6ee2f823524afca383
Instruction ID: a0a26e5f884d1514aff0353c0097c315ea54a15f21fec00d12266b864c15d66b
Opcode Fuzzy Hash: 8ec6ffea4ec4163c204eec06b83b3ec440532e9c8aa30d6ee2f823524afca383
Instruction Fuzzy Hash: DD418171E0011EAFDF11DFA8D844DEDBBBAEF08340F008069E995A7251CB36A955CF91

Function 0100FD09 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0100FD31
GetAsyncKeyState.USER32(000000A0), ref: 0100FDB2
GetKeyState.USER32(000000A0), ref: 0100FDCD
GetAsyncKeyState.USER32(000000A1), ref: 0100FDE7
GetKeyState.USER32(000000A1), ref: 0100FDFC
GetAsyncKeyState.USER32(00000011), ref: 0100FE14
GetKeyState.USER32(00000011), ref: 0100FE26
GetAsyncKeyState.USER32(00000012), ref: 0100FE3E
GetKeyState.USER32(00000012), ref: 0100FE50
GetAsyncKeyState.USER32(0000005B), ref: 0100FE68
GetKeyState.USER32(0000005B), ref: 0100FE7A

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a8d470fe0847489f61052fee5f59230b6e2ed9bcc20545e0208ae72d0f025afa
Instruction ID: 4ad33fb6e016c0107905527452f405a8ee9bafec72406ddc4f98eba32d386884
Opcode Fuzzy Hash: a8d470fe0847489f61052fee5f59230b6e2ed9bcc20545e0208ae72d0f025afa
Instruction Fuzzy Hash: 6641DB349047CB6FFFB3AA6884143A5BEE56F01740F0840DAD6D5471C3EBE999C497A2

Function 010283BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB9837: __itow.LIBCMT ref: 00FB9862
Part of subcall function 00FB9837: __swprintf.LIBCMT ref: 00FB98AC

CoInitialize.OLE32 ref: 01028403
CoUninitialize.OLE32 ref: 0102840E
CoCreateInstance.OLE32(?,00000000,00000017,01042BEC,?), ref: 0102846E
IIDFromString.OLE32(?,?), ref: 010284E1
VariantInit.OLEAUT32(?), ref: 0102857B
VariantClear.OLEAUT32(?), ref: 010285DC

Strings

NULL Pointer assignment, xrefs: 010284B3
Failed to create object, xrefs: 01028479, 0102852F
Invalid parameter, xrefs: 010284FA

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: a0fa8f5f0e7c389e39a6c93408b902d6468eb0ebd8652b4fa39cb7dbfa10e434
Instruction ID: b2a6ce3ed9035b6a4d0a1b93e9f30b31931413d6ac1325ed77247d434266369e
Opcode Fuzzy Hash: a0fa8f5f0e7c389e39a6c93408b902d6468eb0ebd8652b4fa39cb7dbfa10e434
Instruction Fuzzy Hash: AF61AC746083229FD711DF15C848BAEBBE8AF49754F04844EFAC59B291CB74E944CB92

Function 01025732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 01025793
inet_addr.WSOCK32(?), ref: 010257D8
gethostbyname.WSOCK32(?), ref: 010257E4
IcmpCreateFile.IPHLPAPI ref: 010257F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 01025862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 01025878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 010258ED
WSACleanup.WSOCK32 ref: 010258F3

Strings

Ping, xrefs: 01025816

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 4e15e1be44400410b45f350fcae9e9b1fd42efd3e438557783216588ae5ba2b0
Instruction ID: d7954f701446651c9f29c2d592f7de74eaf055a1a0c1f5b7488be985a7c06d46
Opcode Fuzzy Hash: 4e15e1be44400410b45f350fcae9e9b1fd42efd3e438557783216588ae5ba2b0
Instruction Fuzzy Hash: 7951D0316043119FDB20DF25DC49BAA7BE4EF49720F04456AF996EB291DBB4E800DF46

Function 0101B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0101B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0101B546
GetLastError.KERNEL32 ref: 0101B550
SetErrorMode.KERNEL32(00000000,READY), ref: 0101B5BD

Strings

READONLY, xrefs: 0101B588
UNKNOWN, xrefs: 0101B575
READY, xrefs: 0101B596
NOTREADY, xrefs: 0101B57C
INVALID, xrefs: 0101B58F

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: db7997d38dcafa4f2630940230b6914390e4506fa886ad623d47e86c64694edd
Instruction ID: a24c9501c7bf910b4260d2ccff8340151ff49ea482dc56a270bfc2aaa1b818a1
Opcode Fuzzy Hash: db7997d38dcafa4f2630940230b6914390e4506fa886ad623d47e86c64694edd
Instruction Fuzzy Hash: 2531B235A00205DFDB10EF69C845FEEBBB8FF45310F04815AE641DB295DB799A02CB51

Function 01008F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB7DE1: _memmove.LIBCMT ref: 00FB7E22

Part of subcall function 0100AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0100AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 01009014
GetDlgCtrlID.USER32 ref: 0100901F
GetParent.USER32 ref: 0100903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0100903E
GetDlgCtrlID.USER32(?), ref: 01009047
GetParent.USER32(?), ref: 01009063
SendMessageW.USER32(00000000,?,?,00000111), ref: 01009066

Strings

ListBox, xrefs: 01008FD1
ComboBox, xrefs: 01008F9C

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 0e340054c0f27b87a1ccc4a55e88f7690c12a4668fb866d33973d91fdc0b3306
Instruction ID: e9144c5227d0faa34fe0acbd02138be01f0d9f57392758af375700275bfeb20e
Opcode Fuzzy Hash: 0e340054c0f27b87a1ccc4a55e88f7690c12a4668fb866d33973d91fdc0b3306
Instruction Fuzzy Hash: 7F21A370E00205BFEF15ABA5CC85EFEBB69EB49310F000159F5A1572E1DB795415DB20

Function 0100907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB7DE1: _memmove.LIBCMT ref: 00FB7E22

Part of subcall function 0100AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0100AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 010090FD
GetDlgCtrlID.USER32 ref: 01009108
GetParent.USER32 ref: 01009124
SendMessageW.USER32(00000000,?,00000111,?), ref: 01009127
GetDlgCtrlID.USER32(?), ref: 01009130
GetParent.USER32(?), ref: 0100914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 0100914F

Strings

ListBox, xrefs: 010090BC
ComboBox, xrefs: 01009087

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 2140df690c2db89dbbb5b76c0165739fc0b9d168c7f9cc6f02abf150c9223e6f
Instruction ID: d6a8e7729c5ccd2ddfd6a61280799dfc572bc5584cc8c52472c9d76e77d490a5
Opcode Fuzzy Hash: 2140df690c2db89dbbb5b76c0165739fc0b9d168c7f9cc6f02abf150c9223e6f
Instruction Fuzzy Hash: 6421C474A00205BBEF11ABA5CC85EFEBBA8EF48300F000059F595972A6DB794419EB20

Function 01009163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0100916F
GetClassNameW.USER32(00000000,?,00000100), ref: 01009184
_wcscmp.LIBCMT ref: 01009196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 01009211

Strings

list, xrefs: 010091F3
largeicons, xrefs: 010091A5
details, xrefs: 010091BF
smallicons, xrefs: 010091D9
SHELLDLL_DefView, xrefs: 01009190

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: bf31f9b28442e383d703dd257a39e68b67fe9529e42e9afa73ae4ea35bd274da
Instruction ID: ef4a90edba4302607c55c639e59d41e94271d77cd2a79d1b209f54dbd52c66be
Opcode Fuzzy Hash: bf31f9b28442e383d703dd257a39e68b67fe9529e42e9afa73ae4ea35bd274da
Instruction Fuzzy Hash: 0B115936288307BAFA272528EC0ADA737DC9B14328F10011BF984E40D3FE6665115AA0

Function 010288AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 010288D7
CoInitialize.OLE32(00000000), ref: 01028904
CoUninitialize.OLE32 ref: 0102890E
GetRunningObjectTable.OLE32(00000000,?), ref: 01028A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 01028B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,01042C0C), ref: 01028B6F
CoGetObject.OLE32(?,00000000,01042C0C,?), ref: 01028B92
SetErrorMode.KERNEL32(00000000), ref: 01028BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01028C25
VariantClear.OLEAUT32(?), ref: 01028C35

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 5f3b0f486fac51cc088c8e985bddafe996516f2c6d710b29f9d264f76a1cb739
Instruction ID: 4f578c5ee4cd353bf40512f8f18456507671fc3a2c4ea38602263d39fdc4913e
Opcode Fuzzy Hash: 5f3b0f486fac51cc088c8e985bddafe996516f2c6d710b29f9d264f76a1cb739
Instruction Fuzzy Hash: 76C156B5608316AFD700DF68C88496BBBE9FF89348F00895DF9899B250DB71ED05CB52

Function 01017990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 01017A6C

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 91d04219436d0a4b0e94c9cd5e32380c51a60ae94bd96e7aa7955fd9a61903ff
Instruction ID: 2136caeab49c778c0dbd4c1816893c648fa6c1eb6fa97534c5180b422a7535f7
Opcode Fuzzy Hash: 91d04219436d0a4b0e94c9cd5e32380c51a60ae94bd96e7aa7955fd9a61903ff
Instruction Fuzzy Hash: BEB1807190020A9FDB11DFA8C884BBEBBF5FF49321F144469E681E7245DB78E941CB91

Function 010111CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 010111F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,01010268,?,00000001), ref: 01011204
GetWindowThreadProcessId.USER32(00000000), ref: 0101120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01010268,?,00000001), ref: 0101121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0101122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01010268,?,00000001), ref: 01011245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01010268,?,00000001), ref: 01011257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,01010268,?,00000001), ref: 0101129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,01010268,?,00000001), ref: 010112B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,01010268,?,00000001), ref: 010112BC

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: c7e34f734ae6538a148b7fd8e5dfb0cc9e7a7636d15017f089f286f8ce904740
Instruction ID: 3fd92ac9db763fbbda11cdd0f258ea38256afd8f4327b913732a586e63c89b58
Opcode Fuzzy Hash: c7e34f734ae6538a148b7fd8e5dfb0cc9e7a7636d15017f089f286f8ce904740
Instruction Fuzzy Hash: AC31F2B5A00604BFEB359F78D848FA937EDEB48311F004145FE81D6189D37E99408B51

Function 00FBFA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00FBFAA6
OleUninitialize.OLE32(?,00000000), ref: 00FBFB45
UnregisterHotKey.USER32(?), ref: 00FBFC9C
DestroyWindow.USER32(?), ref: 00FF45D6
FreeLibrary.KERNEL32(?), ref: 00FF463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00FF4668

Strings

close all, xrefs: 00FBFAA1

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: f2148d1ceac90eaba2b65e5192d26655ff9a5c4c02e87aa62660c13726750c19
Instruction ID: 19e469331cf144e871acb1727b970b9bc09822bd7d22fb0cae559fb58a5f691a
Opcode Fuzzy Hash: f2148d1ceac90eaba2b65e5192d26655ff9a5c4c02e87aa62660c13726750c19
Instruction Fuzzy Hash: B7A19C71B012168FCB28EF11C994BBAF764BF05710F5442ADE90AAB261DB34ED16EF50

Function 0100A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0100A439), ref: 0100A377

Strings

CLASSNN, xrefs: 0100A119
INSTANCE, xrefs: 0100A285
TEXT, xrefs: 0100A2AE
NAME, xrefs: 0100A1A9
CLASS, xrefs: 0100A0F6
REGEXPCLASS, xrefs: 0100A13C

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 2711bbd5c3804dce1ea48bcf274f963d52fa0a9f5d1e33c7405ee3db6720c9ab
Instruction ID: c8adcc31d85443feb4cc8a64100d8cc33ab966bd92363f1081831685e58b3f93
Opcode Fuzzy Hash: 2711bbd5c3804dce1ea48bcf274f963d52fa0a9f5d1e33c7405ee3db6720c9ab
Instruction Fuzzy Hash: DB91E930700706EBEB49EFA4C841BEEFBB9BF04300F448159E589A7281DF356599DBA0

Function 00FB2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00FB2EAE

Part of subcall function 00FB1DB3: GetClientRect.USER32(?,?), ref: 00FB1DDC
Part of subcall function 00FB1DB3: GetWindowRect.USER32(?,?), ref: 00FB1E1D
Part of subcall function 00FB1DB3: ScreenToClient.USER32(?,?), ref: 00FB1E45

GetDC.USER32 ref: 00FECD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00FECD45
SelectObject.GDI32(00000000,00000000), ref: 00FECD53
SelectObject.GDI32(00000000,00000000), ref: 00FECD68
ReleaseDC.USER32(?,00000000), ref: 00FECD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00FECDFB

Strings

U, xrefs: 00FECCD0

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: ca1ba120c8a2f1f3dd6ff7cd8b072b1c1789ae8755352124dca33fddedd64544
Instruction ID: c31cc1969a5513f3e59a9bbc19afddea2877e69d1c463728ecffefb1673a4d2a
Opcode Fuzzy Hash: ca1ba120c8a2f1f3dd6ff7cd8b072b1c1789ae8755352124dca33fddedd64544
Instruction Fuzzy Hash: F0719231900245DFCF318F66CC84AEA7BB5FF48360F14426AFDA55A265C7368852EFA1

Function 01021A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 01021A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 01021A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 01021ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 01021AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01021AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 01021B10
InternetCloseHandle.WININET(00000000), ref: 01021B57

Part of subcall function 01022483: GetLastError.KERNEL32(?,?,01021817,00000000,00000000,00000001), ref: 01022498
Part of subcall function 01022483: SetEvent.KERNEL32(?,?,01021817,00000000,00000000,00000001), ref: 010224AD

Strings

, xrefs: 01021B01

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 7fc475876eecdad053b8be8f0ab4c6b247513235bc8aa18b90b90c9c0e611dce
Instruction ID: 1f60ff66ec7bc547198d55b1c275e1458bcbbc2346381644b0dac7edfa8438f1
Opcode Fuzzy Hash: 7fc475876eecdad053b8be8f0ab4c6b247513235bc8aa18b90b90c9c0e611dce
Instruction Fuzzy Hash: 1C4180B1900229BFEB129F54CC89FFF7BACFF08354F004156FA859A145E7759A448BA1

Function 01028C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0103F910), ref: 01028D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0103F910), ref: 01028D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 01028ED6
SysFreeString.OLEAUT32(?), ref: 01028F00

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 93d51bf422c71f2592137e01763d7916d96ed17e8c4b2f1e53f6b429508faee7
Instruction ID: cb837f434360187e647c7f699d691d146ab093ea191b2196b2f801cebf9010f8
Opcode Fuzzy Hash: 93d51bf422c71f2592137e01763d7916d96ed17e8c4b2f1e53f6b429508faee7
Instruction Fuzzy Hash: C6F17A35A00229AFDF44DF98C884EEEBBB9FF45314F108099FA45AB251DB35AE45CB50

Function 0102F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0102F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0102F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0102F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0102F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0102F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0102FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0102FA7C
CloseHandle.KERNEL32(?), ref: 0102FAAB
CloseHandle.KERNEL32(?), ref: 0102FB22

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 54f7282b140a031877d2e3c732027cfc39a56cb0633a46b27c78d8dfee9e2ff1
Instruction ID: 7b4f046b8f6bc62a51f44e4bdf150b4d198ec67c3add6f806ef57bd88ea442c6
Opcode Fuzzy Hash: 54f7282b140a031877d2e3c732027cfc39a56cb0633a46b27c78d8dfee9e2ff1
Instruction Fuzzy Hash: 8DE1CD316082129FD714EF28C881B6ABBF1BF85354F08895EF9C58B2A2CB75DC45DB52

Function 01014CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0101466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,01013697,?), ref: 0101468B

Part of subcall function 0101466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,01013697,?), ref: 010146A4

Part of subcall function 01014A31: GetFileAttributesW.KERNEL32(?,0101370B), ref: 01014A32

lstrcmpiW.KERNEL32(?,?), ref: 01014D40
_wcscmp.LIBCMT ref: 01014D5A
MoveFileW.KERNEL32(?,?), ref: 01014D75

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 94416be7d90a92747cd6f67b9b76b1c6c26ff82c5f7d84df909961a30619b236
Instruction ID: b8628a91e944c78af076ceff81bdf0d8b01f92394ae66f1da808fbeea23ecb63
Opcode Fuzzy Hash: 94416be7d90a92747cd6f67b9b76b1c6c26ff82c5f7d84df909961a30619b236
Instruction Fuzzy Hash: 1B5160B24083459BC664EB64DC809DFB7ECAF84350F44092EA2C5C3161EF79A288CB66

Function 01038645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 010386FF

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 81e26e616c0bac97555dff800c45dfb0b6d859e99016fb63ec2855e9bdd88f62
Instruction ID: 599fecb4c2db253095f646b94cf3b2a034fdb24f729e21c636052a28f71d8544
Opcode Fuzzy Hash: 81e26e616c0bac97555dff800c45dfb0b6d859e99016fb63ec2855e9bdd88f62
Instruction Fuzzy Hash: 8551E330A00205BEEB619B29DC84F9D3BADBB89750F108393FAD0E61A1D776E590DB41

Function 00FB2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00FEC2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FEC319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00FEC331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00FEC34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00FEC370
DestroyIcon.USER32(00000000), ref: 00FEC37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00FEC39C
DestroyIcon.USER32(?), ref: 00FEC3AB

Part of subcall function 0103A4AF: DeleteObject.GDI32(00000000), ref: 0103A4E8

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: e03729c58e3709515f5549ddb7c0183f8ef6cb405eb07f0658a1e4ad9d275969
Instruction ID: bb75519cc8770c9d5c54f08866c9f5cca3a2a7b7574802cf358f6431c80e7d86
Opcode Fuzzy Hash: e03729c58e3709515f5549ddb7c0183f8ef6cb405eb07f0658a1e4ad9d275969
Instruction Fuzzy Hash: D1516A71A00209AFDB24DF26CC45FEA3BA9FB58320F108518F942E7290DB75AD51EF90

Function 0100966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0100A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0100A84C
Part of subcall function 0100A82C: GetCurrentThreadId.KERNEL32 ref: 0100A853
Part of subcall function 0100A82C: AttachThreadInput.USER32(00000000,?,01009683,?,00000001), ref: 0100A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 0100968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 010096AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 010096AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 010096B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 010096D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 010096D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 010096E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 010096F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 010096FB

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: f25ed9532c2472e76cf5e3ad534f809e5c636738b2d0735d490795ac0d1a1d38
Instruction ID: b995372a1bc97498d3b93c5f3858f889ff7904911336c27588dedfa400ee5aa0
Opcode Fuzzy Hash: f25ed9532c2472e76cf5e3ad534f809e5c636738b2d0735d490795ac0d1a1d38
Instruction Fuzzy Hash: 7D11E1B1A10619BEF6216F70DC89FAA3B2DEB4C794F100415F284AB0D0CAF35C10DBA4

Function 01008921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0100853C,00000B00,?,?), ref: 0100892A
HeapAlloc.KERNEL32(00000000,?,0100853C,00000B00,?,?), ref: 01008931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0100853C,00000B00,?,?), ref: 01008946
GetCurrentProcess.KERNEL32(?,00000000,?,0100853C,00000B00,?,?), ref: 0100894E
DuplicateHandle.KERNEL32(00000000,?,0100853C,00000B00,?,?), ref: 01008951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0100853C,00000B00,?,?), ref: 01008961
GetCurrentProcess.KERNEL32(0100853C,00000000,?,0100853C,00000B00,?,?), ref: 01008969
DuplicateHandle.KERNEL32(00000000,?,0100853C,00000B00,?,?), ref: 0100896C
CreateThread.KERNEL32(00000000,00000000,01008992,00000000,00000000,00000000), ref: 01008986

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 7923abe8a0a4c95ba9c1e53fc0785cd4e730e694f7ea8026b8f0739ed0636934
Instruction ID: a423d95160f634537f74a2e11334135c4fe82302aa5ce963e1d69ec4aa2f8dc3
Opcode Fuzzy Hash: 7923abe8a0a4c95ba9c1e53fc0785cd4e730e694f7ea8026b8f0739ed0636934
Instruction Fuzzy Hash: 5801CDB5640309BFE720AFA5EC4DF6B3BACEB89711F408411FA45DB195CA759C04DB21

Function 01029B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 01029B7B
NULL Pointer assignment, xrefs: 01029BA4, 01029EC8

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: f1a18fbaaa8e3764369f9e428acf780b3d74c5747e874a15dcf029550215fb98
Instruction ID: 621cff1e60bfb5c5f3e0e229da3d344507c008f50574d83e5f2b67657e0e34dd
Opcode Fuzzy Hash: f1a18fbaaa8e3764369f9e428acf780b3d74c5747e874a15dcf029550215fb98
Instruction Fuzzy Hash: 17C1C671A0022A9FDF11DF98C984BEEB7F9FF48318F148469E985AB281E7719D44CB50

Function 01029113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01029167
VariantInit.OLEAUT32(?), ref: 01029238
VariantInit.OLEAUT32(?), ref: 01029339
VariantClear.OLEAUT32(?), ref: 01029343
VariantClear.OLEAUT32(?), ref: 010293A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 010291C8, 010292F6, 010293AE
Incorrect Object type in FOR..IN loop, xrefs: 0102931C

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 96085178d690a2a72ac915087c4f99935731b752e2d663364d5e1336ec91a9ab
Instruction ID: 5fd6a94cc559d223c45cfe23eb93cbafce80ab5189cd020a82d5c50e8bca7ef1
Opcode Fuzzy Hash: 96085178d690a2a72ac915087c4f99935731b752e2d663364d5e1336ec91a9ab
Instruction Fuzzy Hash: 71918071E00229ABDF24DFA5CC48FAEBBB8EF45718F10815AF555AB281D7709905CFA0

Function 0102975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 0100710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01007044,80070057,?,?,?,01007455), ref: 01007127
Part of subcall function 0100710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01007044,80070057,?,?), ref: 01007142
Part of subcall function 0100710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01007044,80070057,?,?), ref: 01007150
Part of subcall function 0100710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01007044,80070057,?), ref: 01007160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 01029806
_memset.LIBCMT ref: 01029813
_memset.LIBCMT ref: 01029956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 01029982
CoTaskMemFree.OLE32(?), ref: 0102998D

Strings

NULL Pointer assignment, xrefs: 010299DB

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 4ae283cfa41416b08fabd82b727dfa3ef53ffc844dae0e7ea909a926e88b70e5
Instruction ID: cbc36c8a7475ed5cc779ad9804ccd5146343f1045f065845f239a5baa65873f3
Opcode Fuzzy Hash: 4ae283cfa41416b08fabd82b727dfa3ef53ffc844dae0e7ea909a926e88b70e5
Instruction Fuzzy Hash: CA914771D00229EBDB10EFA5DC80EDEBBB9BF08354F10415AF559A7281DB759A44CFA0

Function 01036D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01036E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 01036E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01036E52
_wcscat.LIBCMT ref: 01036EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 01036EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 01036EF2

Strings

SysListView32, xrefs: 01036DF6

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 57e5df27751fc309614d9a4b4eca9cb4cf7727d6e9f8d42e2122342c7f078b50
Instruction ID: 841d423b441ae1fdf792263c76f249a2e813c531aa43546fedeab45efc27e519
Opcode Fuzzy Hash: 57e5df27751fc309614d9a4b4eca9cb4cf7727d6e9f8d42e2122342c7f078b50
Instruction Fuzzy Hash: D141A070900349EFEB219F68CC85BEEB7EDEF48350F10056AF584A7291D6769A84CB60

Function 0102E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 01013C55: CreateToolhelp32Snapshot.KERNEL32 ref: 01013C7A
Part of subcall function 01013C55: Process32FirstW.KERNEL32(00000000,?), ref: 01013C88
Part of subcall function 01013C55: CloseHandle.KERNEL32(00000000), ref: 01013D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0102E9A4
GetLastError.KERNEL32 ref: 0102E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0102E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 0102EA63
GetLastError.KERNEL32(00000000), ref: 0102EA6E
CloseHandle.KERNEL32(00000000), ref: 0102EAA3

Strings

SeDebugPrivilege, xrefs: 0102E9C2

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: cf5ba060c6606e3751895ab9e3a29a6ea94369286e7f8904e4aa24cde6307587
Instruction ID: 0e5eb69e31dbe29086c711385ea748cad8624911f73b25615164a3f1f7835ffd
Opcode Fuzzy Hash: cf5ba060c6606e3751895ab9e3a29a6ea94369286e7f8904e4aa24cde6307587
Instruction Fuzzy Hash: 9E41AF316442129FDB11EF14CCA5FADB7A5BF51314F04845DFA869B2C2CBB9E804CB92

Function 01012F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 01013033

Strings

stop, xrefs: 01013004
warning, xrefs: 0101301C
blank, xrefs: 01012FB5
info, xrefs: 01012FD4
question, xrefs: 01012FEC

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 115cdef588bae9cbe5cb4ef58b5a8487e0bbdb3bf09fec8a4657b646a8dc2fd0
Instruction ID: 48a3663cb6b9783f959b41a5b40d8acd4c63dba54a685be12c31cc3455c239f2
Opcode Fuzzy Hash: 115cdef588bae9cbe5cb4ef58b5a8487e0bbdb3bf09fec8a4657b646a8dc2fd0
Instruction Fuzzy Hash: 3A113831248346BEE7169A18DC52C6F7BDCAF15330B10006FF980AE286DB695A4046A1

Function 010142F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 01014312
LoadStringW.USER32(00000000), ref: 01014319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0101432F
LoadStringW.USER32(00000000), ref: 01014336
_wprintf.LIBCMT ref: 0101435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0101437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 01014357

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: fa399022fd44a10d4a7e376c49ef844111bdd53d2705b1e81d07a41bcd2ad31f
Instruction ID: eb560bb3e99d9091521972c40ac3ab3d42eabcac5f7d626b674fbe98e7b0994e
Opcode Fuzzy Hash: fa399022fd44a10d4a7e376c49ef844111bdd53d2705b1e81d07a41bcd2ad31f
Instruction Fuzzy Hash: FC0186F2D0020ABFE76197A4DD89EFB776CEB08301F004596B789E6005EB795E854B72

Function 0103D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB2612: GetWindowLongW.USER32(?,000000EB), ref: 00FB2623

GetSystemMetrics.USER32(0000000F), ref: 0103D47C
GetSystemMetrics.USER32(0000000F), ref: 0103D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0103D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0103D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0103D716
ShowWindow.USER32(00000003,00000000), ref: 0103D735
InvalidateRect.USER32(?,00000000,00000001), ref: 0103D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 0103D77D

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: dc1f78277a1cc52f9233577b42bac7388fcfcfefe265ebc8a925be070473f493
Instruction ID: de2833d0f7ed03c00abc331ee6c52c7ab6477f76bbb3cd94de78343e26c2f470
Opcode Fuzzy Hash: dc1f78277a1cc52f9233577b42bac7388fcfcfefe265ebc8a925be070473f493
Instruction Fuzzy Hash: DCB1CD70900215EFDF15CFA8C5847AD7BF5BF88701F4880A9ED989F299E735A940DB90

Function 0102FD11 Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB7DE1: _memmove.LIBCMT ref: 00FB7E22

Part of subcall function 01030E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0102FDAD,?,?), ref: 01030E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0102FDEE

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: 67e3767adf357b53023d674d820bcc640273fe641daea343ee6e2883f47c27a9
Instruction ID: 45915360ddf97dfe9e7853b50d93c1248b85dd4e55f462a57508297e36dbadf8
Opcode Fuzzy Hash: 67e3767adf357b53023d674d820bcc640273fe641daea343ee6e2883f47c27a9
Instruction Fuzzy Hash: 54A18D712042029FDB11EF18C890FAEBBF5AF85354F04885DF9968B292DB75E945CF82

Function 00FB2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00FEC1C7,00000004,00000000,00000000,00000000), ref: 00FB2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00FEC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00FB2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00FEC1C7,00000004,00000000,00000000,00000000), ref: 00FEC21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00FEC1C7,00000004,00000000,00000000,00000000), ref: 00FEC286

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 02e44878abda4cea40794fc781a13ab27890f06b0c3d3df794c38102a52942d3
Instruction ID: 1e3ea1d150378740639f456a6a9b4f4e364361505e932fc0b4329b2aa26ec00e
Opcode Fuzzy Hash: 02e44878abda4cea40794fc781a13ab27890f06b0c3d3df794c38102a52942d3
Instruction Fuzzy Hash: 3C41FD31E046C09BC7B56B2BCC88BEB7B9AAB85320F24840DF18786555C67DA842FF51

Function 010170C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 010170DD

Part of subcall function 00FD0DB6: std::exception::exception.LIBCMT ref: 00FD0DEC
Part of subcall function 00FD0DB6: __CxxThrowException@8.LIBCMT ref: 00FD0E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 01017114
EnterCriticalSection.KERNEL32(?), ref: 01017130
_memmove.LIBCMT ref: 0101717E
_memmove.LIBCMT ref: 0101719B
LeaveCriticalSection.KERNEL32(?), ref: 010171AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 010171BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 010171DE

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: db3760e85f34e3755f14465c9e25e69a80c5a25e47c2462f1f2dc20076fda534
Instruction ID: 784c256e02f329de55d80a0d2c302f38ece6ad49018265f05f705ce22bfc9158
Opcode Fuzzy Hash: db3760e85f34e3755f14465c9e25e69a80c5a25e47c2462f1f2dc20076fda534
Instruction Fuzzy Hash: A231A131900205EBCF10DFA8DC85AAFB7B9EF45310F1440A6F9449B24ADB39DE10DBA1

Function 010361D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 010361EB
GetDC.USER32(00000000), ref: 010361F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 010361FE
ReleaseDC.USER32(00000000,00000000), ref: 0103620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 01036246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01036257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0103902A,?,?,000000FF,00000000,?,000000FF,?), ref: 01036291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 010362B1

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: b60499e042796a57a8448935d323b0db96089d3cb4fad3827ac6e0ef2049a4cf
Instruction ID: 889bed04a6bf3126e389675428cd6dae6ffabee8afb3a22f6eb28a035d2ac374
Opcode Fuzzy Hash: b60499e042796a57a8448935d323b0db96089d3cb4fad3827ac6e0ef2049a4cf
Instruction Fuzzy Hash: 69319F721006107FEB218F64CC8AFEA3FADEF49765F050055FE889A291C7BA9841CB61

Function 0100BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0100BBC4
_memcmp.LIBCMT ref: 0100BBE6
_memcmp.LIBCMT ref: 0100BBFE
_memcmp.LIBCMT ref: 0100BC11
_memcmp.LIBCMT ref: 0100BC2B
_memcmp.LIBCMT ref: 0100BC3E
_memcmp.LIBCMT ref: 0100BC56
_memcmp.LIBCMT ref: 0100BC71

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 87664d6ef5001703de46f571c58c3bb84097a8405270fe61a7eb6fddd8caf358
Instruction ID: c5dc500e3ea81fcf73a92aefa3dcbc6f65e211e1b2c534ec13fae256a7467167
Opcode Fuzzy Hash: 87664d6ef5001703de46f571c58c3bb84097a8405270fe61a7eb6fddd8caf358
Instruction Fuzzy Hash: 5C2129A53016097BF216B716AD82FFF779DAE06348F084035FD849A383FB58DE1081A5

Function 0101EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00FB9837: __itow.LIBCMT ref: 00FB9862
Part of subcall function 00FB9837: __swprintf.LIBCMT ref: 00FB98AC

Part of subcall function 00FCFC86: _wcscpy.LIBCMT ref: 00FCFCA9

_wcstok.LIBCMT ref: 0101EC94
_wcscpy.LIBCMT ref: 0101ED23
_memset.LIBCMT ref: 0101ED56

Strings

X, xrefs: 0101ED93

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 812763d4af30fbe5ce5570f47bbfefeee899942fc74162b733540236fd3c9632
Instruction ID: 83386c4937a836068784d7b215b5a9fb2564af8ad5ab90e2cbbe72df0500adbc
Opcode Fuzzy Hash: 812763d4af30fbe5ce5570f47bbfefeee899942fc74162b733540236fd3c9632
Instruction Fuzzy Hash: BEC18E316083019FC755EF28C881A9EB7E4BF85310F04492DFD999B2A2DB78E945DF82

Function 01026B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 01026C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 01026C21
WSAGetLastError.WSOCK32(00000000), ref: 01026C34
htons.WSOCK32(?), ref: 01026CEA
inet_ntoa.WSOCK32(?), ref: 01026CA7

Part of subcall function 0100A7E9: _strlen.LIBCMT ref: 0100A7F3
Part of subcall function 0100A7E9: _memmove.LIBCMT ref: 0100A815

_strlen.LIBCMT ref: 01026D44
_memmove.LIBCMT ref: 01026DAD

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 03735173cefdfe810ca1fffa7c17d6f3b703040de716c896f33eb933e2ab53dc
Instruction ID: 32cc4d2d15931ab14ce4ea24df75312b3c32ebb02325cb9cba1ab4f064716c6b
Opcode Fuzzy Hash: 03735173cefdfe810ca1fffa7c17d6f3b703040de716c896f33eb933e2ab53dc
Instruction Fuzzy Hash: 3B810F71508310ABD711FB29CC81FAEB7E8AF84714F04491DFA859B292DA76ED41CB92

Function 00FB1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed410e309240357843f2159442e5d69c3046f6f93022a2675ed61fc10391d4d1
Instruction ID: 756c024fd6b69e023bf8bb393334bbbd8b560da07d1daa6687b459ea70cd102c
Opcode Fuzzy Hash: ed410e309240357843f2159442e5d69c3046f6f93022a2675ed61fc10391d4d1
Instruction Fuzzy Hash: 0A715B31900109EFCB14CF99CC98AEFBB79FF86320F648149F915AA251C734AA51DFA0

Function 0103B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(012CFF50), ref: 0103B3EB
IsWindowEnabled.USER32(012CFF50), ref: 0103B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0103B4DB
SendMessageW.USER32(012CFF50,000000B0,?,?), ref: 0103B512
IsDlgButtonChecked.USER32(?,?), ref: 0103B54F
GetWindowLongW.USER32(012CFF50,000000EC), ref: 0103B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0103B589

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: e98d2bbe54bae652ac8bac8e83c278bbaa9108891931f88171bc462844739397
Instruction ID: ca7be8ffe48fa0b93378081408435e10a76924e1d1c9a555a3413f510180f035
Opcode Fuzzy Hash: e98d2bbe54bae652ac8bac8e83c278bbaa9108891931f88171bc462844739397
Instruction Fuzzy Hash: 7E717234A04205AFEB61DF58C894FEABBFDFF89304F144099EAC597291CB36A540DB54

Function 0102F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0102F448
_memset.LIBCMT ref: 0102F511
ShellExecuteExW.SHELL32(?), ref: 0102F556

Part of subcall function 00FB9837: __itow.LIBCMT ref: 00FB9862
Part of subcall function 00FB9837: __swprintf.LIBCMT ref: 00FB98AC

Part of subcall function 00FCFC86: _wcscpy.LIBCMT ref: 00FCFCA9

GetProcessId.KERNEL32(00000000), ref: 0102F5CD
CloseHandle.KERNEL32(00000000), ref: 0102F5FC

Strings

@, xrefs: 0102F525

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 3b3b2dbb576f953b4d16981c584443bb22b716b7ba6d13f031e27beb18930202
Instruction ID: 89558cb5cc7103a75df57893019085d5541ffbb482d58e3ebc01da5d7480674a
Opcode Fuzzy Hash: 3b3b2dbb576f953b4d16981c584443bb22b716b7ba6d13f031e27beb18930202
Instruction Fuzzy Hash: 7061CE70A0062A9FCB14EF69C8819AEBBF5FF49350F148059E995AB351CB74ED41CF80

Function 01010F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 01010F8C
GetKeyboardState.USER32(?), ref: 01010FA1
SetKeyboardState.USER32(?), ref: 01011002
PostMessageW.USER32(?,00000101,00000010,?), ref: 01011030
PostMessageW.USER32(?,00000101,00000011,?), ref: 0101104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 01011095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 010110B8

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e414581b9b7230eaa1d412630d8ad46092d4416026b1fcb74385def8996309f3
Instruction ID: 239312ebc5795a033fdb06d9bd1b461a786a42099d9e351bcef9c7daef603eac
Opcode Fuzzy Hash: e414581b9b7230eaa1d412630d8ad46092d4416026b1fcb74385def8996309f3
Instruction Fuzzy Hash: DC51B2B0A047D639FB3B46388805BBABEE96B06304F0885C9F3D5458DBC2EDA8D4D751

Function 01010D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 01010DA5
GetKeyboardState.USER32(?), ref: 01010DBA
SetKeyboardState.USER32(?), ref: 01010E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 01010E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 01010E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 01010EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 01010EC9

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 97e5c8b61fdcf43155a4b3a0477ffb45d216882c4c6288bbc6c5cd288acbe55e
Instruction ID: 5b48a8405333785894bf6d8993967f50582a994c03e98c857a04500aef476deb
Opcode Fuzzy Hash: 97e5c8b61fdcf43155a4b3a0477ffb45d216882c4c6288bbc6c5cd288acbe55e
Instruction Fuzzy Hash: 2951E8A05447D67DFB7652398C45BBA7FE96B06300F0884CDF2D4468CAD3A9E8D4D750

Function 010155FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0101560A
_wcsncpy.LIBCMT ref: 0101563F
_wcsncpy.LIBCMT ref: 01015671
_wcsncpy.LIBCMT ref: 010156A4
_wcsncpy.LIBCMT ref: 010156E6
_wcsncpy.LIBCMT ref: 01015720
_wcsncpy.LIBCMT ref: 0101574F

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: d43f2c101e46462805172057c2a6540b60995a3ac832285659755f8d7043f386
Instruction ID: 9dc700c285503a612df8428d1aaeadd103bea046f73bfbcf8e714fc745ae936a
Opcode Fuzzy Hash: d43f2c101e46462805172057c2a6540b60995a3ac832285659755f8d7043f386
Instruction Fuzzy Hash: BB412525C1020476CB01EBB49C4AACFB7B9AF45310F088957E608E3321FB38A345D7E6

Function 01013671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0101466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,01013697,?), ref: 0101468B

Part of subcall function 0101466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,01013697,?), ref: 010146A4

lstrcmpiW.KERNEL32(?,?), ref: 010136B7
_wcscmp.LIBCMT ref: 010136D3
MoveFileW.KERNEL32(?,?), ref: 010136EB
_wcscat.LIBCMT ref: 01013733
SHFileOperationW.SHELL32(?), ref: 0101379F

Strings

\*.*, xrefs: 0101372D

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: d81492c702c96de8df76b6455ddd6cc2411402ebb954c762f2e2ef459dca9379
Instruction ID: a96613cbe3d66ef85d82fb4e4c07f7751c5143b4a71fb67b643bfbfa551cca85
Opcode Fuzzy Hash: d81492c702c96de8df76b6455ddd6cc2411402ebb954c762f2e2ef459dca9379
Instruction Fuzzy Hash: 2E419D72508345AAD761EF64D8519DFBBECBF88290F440D6EB0C9C7251EA38D289C752

Function 01037291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 010372AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01037351
IsMenu.USER32(?), ref: 01037369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 010373B1
DrawMenuBar.USER32 ref: 010373C4

Strings

0, xrefs: 0103729E

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 1490f76bccf52b8dfe6998e5ed311588954dcca7f899be69b46d8a07931608f8
Instruction ID: f56d8b74660574f583ec09991d4c29d782c364f515149161e658068df1b730dc
Opcode Fuzzy Hash: 1490f76bccf52b8dfe6998e5ed311588954dcca7f899be69b46d8a07931608f8
Instruction Fuzzy Hash: E44167B1A01209EFDB20CF54D885EDABBF8FB48310F148069FE95A7250C731A900CF50

Function 01030FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 01030FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01030FFE
FreeLibrary.KERNEL32(00000000), ref: 010310B5

Part of subcall function 01030FA5: RegCloseKey.ADVAPI32(?), ref: 0103101B
Part of subcall function 01030FA5: FreeLibrary.KERNEL32(?), ref: 0103106D
Part of subcall function 01030FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 01031090

RegDeleteKeyW.ADVAPI32(?,?), ref: 01031058

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 349491aa9f96d0a28262e49ee2c45745e081ccbdee2191c8ae6ff4aade88a652
Instruction ID: 26bf3d2dbf8eba37216fe7818c46ddfdea42ae7ad69d79c9b5d67b23a250ea71
Opcode Fuzzy Hash: 349491aa9f96d0a28262e49ee2c45745e081ccbdee2191c8ae6ff4aade88a652
Instruction Fuzzy Hash: 16310F71E01109BFEB259F94D889EFFBBBCEF48340F0001A9F541A2140DB759A459BA1

Function 010362CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 010362EC
GetWindowLongW.USER32(012CFF50,000000F0), ref: 0103631F
GetWindowLongW.USER32(012CFF50,000000F0), ref: 01036354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 01036386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 010363B0
GetWindowLongW.USER32(00000000,000000F0), ref: 010363C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 010363DB

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: fd6b7168c26dbee4af13f25ff8059be586b0422d1edf6cd9a529e26afca737a3
Instruction ID: 6f01507d287bb0599ccfdab92309837436274e1e8a8826553934c06d508f466e
Opcode Fuzzy Hash: fd6b7168c26dbee4af13f25ff8059be586b0422d1edf6cd9a529e26afca737a3
Instruction Fuzzy Hash: 8C315734A04141AFDB61CF28DC84F583BE8FB8A710F1841A4F580AF2B6CB77A940DB51

Function 0100DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0100DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0100DB54
SysAllocString.OLEAUT32(00000000), ref: 0100DB57
SysAllocString.OLEAUT32(?), ref: 0100DB75
SysFreeString.OLEAUT32(?), ref: 0100DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 0100DBA3
SysAllocString.OLEAUT32(?), ref: 0100DBB1

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 5620fbb410bd4e8185011be3b3b945cda63e6fef78c5a21938c39c2a261353c0
Instruction ID: d887ae1df65b5122c35490f9e9475b4fa8aa729804e54a2052aee51edad45dfa
Opcode Fuzzy Hash: 5620fbb410bd4e8185011be3b3b945cda63e6fef78c5a21938c39c2a261353c0
Instruction Fuzzy Hash: 4D21A636600619AFEF11DEE8DC44CBB77ECEB09260F048166FA94DB291DB749C458770

Function 01026173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 01027D8B: inet_addr.WSOCK32(00000000), ref: 01027DB6

socket.WSOCK32(00000002,00000001,00000006), ref: 010261C6
WSAGetLastError.WSOCK32(00000000), ref: 010261D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0102620E
connect.WSOCK32(00000000,?,00000010), ref: 01026217
WSAGetLastError.WSOCK32 ref: 01026221
closesocket.WSOCK32(00000000), ref: 0102624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 01026263

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 4a38c3c43df185cffd10f5ab5d82c0a436bc866ead2d1ba06bebf3fa4d9fa5a4
Instruction ID: b925fa85d93fca6d1ddd53a461d9bbd8d949e42d0669dfa55c01dd40a2dfe45d
Opcode Fuzzy Hash: 4a38c3c43df185cffd10f5ab5d82c0a436bc866ead2d1ba06bebf3fa4d9fa5a4
Instruction Fuzzy Hash: A131A131600129ABEF10AF64CC84FBE7BBDEF45710F044059FD85A7291CB76A9089BA2

Function 0100F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0100F671
__wcsnicmp.LIBCMT ref: 0100F692
__wcsnicmp.LIBCMT ref: 0100F6AC

Strings

#OnAutoItStartRegister, xrefs: 0100F6A6
#notrayicon, xrefs: 0100F669
#requireadmin, xrefs: 0100F68C

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 09f4610957b8868b855e94d22d77770acd7f0d47c331b2ecd5a257da837e75c4
Instruction ID: df3d8c0d8ea19c52c732621bc464b64495608294f203e31152127dd42f124994
Opcode Fuzzy Hash: 09f4610957b8868b855e94d22d77770acd7f0d47c331b2ecd5a257da837e75c4
Instruction Fuzzy Hash: E5213A7220451367F332A638AC02FBB73D9EF59340F04402AF5C5C6191EF955946F296

Function 0100DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0100DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0100DC2F
SysAllocString.OLEAUT32(00000000), ref: 0100DC32
SysAllocString.OLEAUT32 ref: 0100DC53
SysFreeString.OLEAUT32 ref: 0100DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 0100DC76
SysAllocString.OLEAUT32(?), ref: 0100DC84

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a12fa31861204d2b1058ad41177b6b6db28b37753342e38d8a78023a447ec34e
Instruction ID: 309852f0705b5b6ab534d65d4d62b9b1189ed0d262abab4117dc86cbaae726fe
Opcode Fuzzy Hash: a12fa31861204d2b1058ad41177b6b6db28b37753342e38d8a78023a447ec34e
Instruction Fuzzy Hash: 0D21743560420AAFAB15EFECDC88DAA77ECEB09360F008165F994CB295DA74DC41D774

Function 010375CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FB1D73
Part of subcall function 00FB1D35: GetStockObject.GDI32(00000011), ref: 00FB1D87
Part of subcall function 00FB1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FB1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 01037632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0103763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0103764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 01037659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 01037665

Strings

Msctls_Progress32, xrefs: 01037603

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 5a498c36db6317c9515626d1c91a47d1a86128e1ce168b061304234f55c5111e
Instruction ID: b15039041ba471c527e4650f477fe6d61fb44b0c087bae3fd949ea47969858dd
Opcode Fuzzy Hash: 5a498c36db6317c9515626d1c91a47d1a86128e1ce168b061304234f55c5111e
Instruction Fuzzy Hash: 1F11B2B2510219BFEF158F65CC85EEBBF6DFF0C798F014114BA44A6090CA729C21DBA4

Function 00FD9AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00FD9AE6

Part of subcall function 00FD3187: EncodePointer.KERNEL32(00000000), ref: 00FD318A
Part of subcall function 00FD3187: __initp_misc_winsig.LIBCMT ref: 00FD31A5
Part of subcall function 00FD3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00FD9EA0
Part of subcall function 00FD3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00FD9EB4
Part of subcall function 00FD3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00FD9EC7
Part of subcall function 00FD3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00FD9EDA
Part of subcall function 00FD3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00FD9EED
Part of subcall function 00FD3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00FD9F00
Part of subcall function 00FD3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00FD9F13
Part of subcall function 00FD3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00FD9F26
Part of subcall function 00FD3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00FD9F39
Part of subcall function 00FD3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00FD9F4C
Part of subcall function 00FD3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00FD9F5F
Part of subcall function 00FD3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00FD9F72
Part of subcall function 00FD3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00FD9F85
Part of subcall function 00FD3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00FD9F98
Part of subcall function 00FD3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00FD9FAB
Part of subcall function 00FD3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00FD9FBE

__mtinitlocks.LIBCMT ref: 00FD9AEB
__mtterm.LIBCMT ref: 00FD9AF4

Part of subcall function 00FD9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00FD9AF9,00FD7CD0,0106A0B8,00000014), ref: 00FD9C56
Part of subcall function 00FD9B5C: _free.LIBCMT ref: 00FD9C5D
Part of subcall function 00FD9B5C: DeleteCriticalSection.KERNEL32(0106EC00,?,?,00FD9AF9,00FD7CD0,0106A0B8,00000014), ref: 00FD9C7F

__calloc_crt.LIBCMT ref: 00FD9B19
__initptd.LIBCMT ref: 00FD9B3B
GetCurrentThreadId.KERNEL32 ref: 00FD9B42

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 19cc24768f371db71e864201886c2741b233b6ee3125dc77993aabe9545f96b7
Instruction ID: 03e2bdff6206601257d2df78e7591ec36fb61f4200d3209fe20f0c254a7ff882
Opcode Fuzzy Hash: 19cc24768f371db71e864201886c2741b233b6ee3125dc77993aabe9545f96b7
Instruction Fuzzy Hash: AAF0C23290D31219E7747AF4BC0364A36839F02730B290A1BF090853D2FEE985016160

Function 00FD406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00FD3F85), ref: 00FD4085
GetProcAddress.KERNEL32(00000000), ref: 00FD408C
EncodePointer.KERNEL32(00000000), ref: 00FD4097
DecodePointer.KERNEL32(00FD3F85), ref: 00FD40B2

Strings

RoUninitialize, xrefs: 00FD4074
combase.dll, xrefs: 00FD4080

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: e61a404c62708cd8deb8295336989978750ecbd3cc0991c78f8e7e4768fedbef
Instruction ID: 18504fb88d493cb048c8d95fb7c893d5982a28b6a51ffb9da70b7d6b76cd2220
Opcode Fuzzy Hash: e61a404c62708cd8deb8295336989978750ecbd3cc0991c78f8e7e4768fedbef
Instruction Fuzzy Hash: 60E092B0E81201ABEB30AF61F94DB053BB9B704743F144029F9C2EA188CBBB5504AB16

Function 010164B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0101660B
_memmove.LIBCMT ref: 01016546

Part of subcall function 00FB9837: __itow.LIBCMT ref: 00FB9862
Part of subcall function 00FB9837: __swprintf.LIBCMT ref: 00FB98AC

_memmove.LIBCMT ref: 010165B9
_memmove.LIBCMT ref: 010166A0
_memmove.LIBCMT ref: 010166B9
_memmove.LIBCMT ref: 010166D5

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 3f03857a6e89d49d2b23adb80710b0c1c05ec5fd0e72f6afcc0fdb021d4ac1ae
Instruction ID: 1fecd313ba779f11b1c9358e4570528481177029e457c20bcbb96fba72d3b3e1
Opcode Fuzzy Hash: 3f03857a6e89d49d2b23adb80710b0c1c05ec5fd0e72f6afcc0fdb021d4ac1ae
Instruction Fuzzy Hash: E161CF3050424A9BCF01EF64CC81EFE3BA5AF49308F484859FD955B296DBBDE905DB50

Function 010301E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB7DE1: _memmove.LIBCMT ref: 00FB7E22

Part of subcall function 01030E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0102FDAD,?,?), ref: 01030E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010302BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 010302FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 01030320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 01030349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0103038C
RegCloseKey.ADVAPI32(00000000), ref: 01030399

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: cd3d10a716d5d1bd1ec7022dd9e82f1b24d71e0ec2ccd33594cd7607be8cb5c2
Instruction ID: c7c625206ae53019bca483944ff37a90c98d6dcc4f65a32985ee3174b2b88f88
Opcode Fuzzy Hash: cd3d10a716d5d1bd1ec7022dd9e82f1b24d71e0ec2ccd33594cd7607be8cb5c2
Instruction Fuzzy Hash: D0515831208201AFD714EF68C885EAFBBE9FF88314F04891DF585872A5DB36E904DB52

Function 01035799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 010357FB
GetMenuItemCount.USER32(00000000), ref: 01035832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0103585A
GetMenuItemID.USER32(?,?), ref: 010358C9
GetSubMenu.USER32(?,?), ref: 010358D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 01035928

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: b1904ba211b7b0ed32424b04d567e10bdc4a56b14fde0848afd6975099bce345
Instruction ID: 2c0b6ca480d45568ce8b093d5dc50024d120ef9cc2745af1cef74fcef1f3a48e
Opcode Fuzzy Hash: b1904ba211b7b0ed32424b04d567e10bdc4a56b14fde0848afd6975099bce345
Instruction Fuzzy Hash: A1518131E00216AFCF11DF68CC45AEEB7B9EF49310F144095E981BB361CB75AE419B91

Function 0100EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0100EF06
VariantClear.OLEAUT32(00000013), ref: 0100EF78
VariantClear.OLEAUT32(00000000), ref: 0100EFD3
_memmove.LIBCMT ref: 0100EFFD
VariantClear.OLEAUT32(?), ref: 0100F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0100F078

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 0409bcc12610e0e1596263758fb3ef95554b34d304e3ed1a71c2da05824d394b
Instruction ID: 18ea767911d6071523efbbd9129f351bfe53766a5fc1dbc1deb9548089d03331
Opcode Fuzzy Hash: 0409bcc12610e0e1596263758fb3ef95554b34d304e3ed1a71c2da05824d394b
Instruction Fuzzy Hash: 49514CB5A0020A9FDB24CF58C880AAAB7F8FF48314F158559FA99DB345E735E911CB90

Function 0101220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01012258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 010122A3
IsMenu.USER32(00000000), ref: 010122C3
CreatePopupMenu.USER32 ref: 010122F7
GetMenuItemCount.USER32(000000FF), ref: 01012355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 01012386

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 14fc9beae39f92987f9d9a7ae8159f47c58a4d8d929db60dbc6e525ede5157d2
Instruction ID: ec9c17c603691ed874b3a5d10848f1f34fd6d4fef978b560271eb833d3f909ed
Opcode Fuzzy Hash: 14fc9beae39f92987f9d9a7ae8159f47c58a4d8d929db60dbc6e525ede5157d2
Instruction Fuzzy Hash: 0651C270A0020AEFDF21CF68D888BADBFF5FF45314F208159E99197298D3799945CB51

Function 00FB1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00FB2612: GetWindowLongW.USER32(?,000000EB), ref: 00FB2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00FB179A
GetWindowRect.USER32(?,?), ref: 00FB17FE
ScreenToClient.USER32(?,?), ref: 00FB181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00FB182C
EndPaint.USER32(?,?), ref: 00FB1876

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 49e451e46edef8502ee67d1fce3229f7ff11cf17479296b4243ee05067bd4ea9
Instruction ID: 50cf71da2acece1c7abc4b547967d04ec5411aed2d6a9b081043a8bfa0eb4fcf
Opcode Fuzzy Hash: 49e451e46edef8502ee67d1fce3229f7ff11cf17479296b4243ee05067bd4ea9
Instruction Fuzzy Hash: F341AE31904301AFD720DF26DC94FEA7BE8FB4A724F140629F9E4972A1C7359845EB62

Function 0103B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(010757B0,00000000,012CFF50,?,?,010757B0,?,0103B5A8,?,?), ref: 0103B712
EnableWindow.USER32(00000000,00000000), ref: 0103B736
ShowWindow.USER32(010757B0,00000000,012CFF50,?,?,010757B0,?,0103B5A8,?,?), ref: 0103B796
ShowWindow.USER32(00000000,00000004,?,0103B5A8,?,?), ref: 0103B7A8
EnableWindow.USER32(00000000,00000001), ref: 0103B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0103B7EF

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: b3c7194be6b6a38fd060538940304d103bb9c8fc20438ade12dca838798e9ffc
Instruction ID: 978eda8954985f9061c0dea36b86b39f6f448413c1a51f321500da5eca673495
Opcode Fuzzy Hash: b3c7194be6b6a38fd060538940304d103bb9c8fc20438ade12dca838798e9ffc
Instruction Fuzzy Hash: A8417234600245AFDB63CF28C499B947FE9FF45318F1C41E9EA888F6A2C731A456DB91

Function 0102709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,01024E41,?,?,00000000,00000001), ref: 010270AC

Part of subcall function 010239A0: GetWindowRect.USER32(?,?), ref: 010239B3

GetDesktopWindow.USER32 ref: 010270D6
GetWindowRect.USER32(00000000), ref: 010270DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0102710F

Part of subcall function 01015244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 010152BC

GetCursorPos.USER32(?), ref: 0102713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 01027199

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: e87aec82c3533b4c79bf6a2060d2dc9053276438200d69a97fd2fde1aa2bb0ba
Instruction ID: d620a125545b2fe5ab17f38c9ef5d3429bea3eac5483a62d02475b16bd811c45
Opcode Fuzzy Hash: e87aec82c3533b4c79bf6a2060d2dc9053276438200d69a97fd2fde1aa2bb0ba
Instruction Fuzzy Hash: C031B072505316ABD720DF18C848F9BBBEAFF99314F100919F9C597181CB75EA09CB92

Function 01008879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 010080A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 010080C0
Part of subcall function 010080A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 010080CA
Part of subcall function 010080A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 010080D9
Part of subcall function 010080A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 010080E0
Part of subcall function 010080A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 010080F6

GetLengthSid.ADVAPI32(?,00000000,0100842F), ref: 010088CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 010088D6
HeapAlloc.KERNEL32(00000000), ref: 010088DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 010088F6
GetProcessHeap.KERNEL32(00000000,00000000,0100842F), ref: 0100890A
HeapFree.KERNEL32(00000000), ref: 01008911

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 42afaa532d39892f1138b7d590765b4b5da88fe63a0db8fe2ddefd7dee652da1
Instruction ID: 50a7a70c434ce48b5f46c08be6ceaa2e20a9695eb2744e7dacc2fe8c7b71dc3c
Opcode Fuzzy Hash: 42afaa532d39892f1138b7d590765b4b5da88fe63a0db8fe2ddefd7dee652da1
Instruction Fuzzy Hash: 9011B431901206FFEB61AF98DC09FAE7BACFB45311F14805AF9C597140C7369904DB61

Function 010085B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 010085E2
OpenProcessToken.ADVAPI32(00000000), ref: 010085E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 010085F8
CloseHandle.KERNEL32(00000004), ref: 01008603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 01008632
DestroyEnvironmentBlock.USERENV(00000000), ref: 01008646

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: a41504f3c6c47a19f4a2b7c5643a5974e62be5e91b35924c6a2dab39139cd0da
Instruction ID: bf329f5830b94d47e3c8259d7041ef9c5211fdcbbb3cbcd5750f545ac26ad86f
Opcode Fuzzy Hash: a41504f3c6c47a19f4a2b7c5643a5974e62be5e91b35924c6a2dab39139cd0da
Instruction Fuzzy Hash: 4C115C7290120EABEF128EA8DD49BDE7BADFF09304F048055FE44A21A0C3768D60DB61

Function 0100B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0100B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 0100B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0100B7CD
ReleaseDC.USER32(00000000,00000000), ref: 0100B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0100B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 0100B7FE

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 8409eb8bc8247ce530c740a8114fc37f8f97af9cdfe2e18183a83796eea66e02
Instruction ID: 11a55e801e3d0f68da5945475b5f5a07df5f92b7541ac04345fe7623d1d55685
Opcode Fuzzy Hash: 8409eb8bc8247ce530c740a8114fc37f8f97af9cdfe2e18183a83796eea66e02
Instruction Fuzzy Hash: 40018475E00209BBEB119BB69D45E5EBFBCEB48351F044065FA48A7281D6759800CF91

Function 00FD0162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FD0193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00FD019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FD01A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FD01B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00FD01B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FD01C1

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: efcba155b8a19b6cbe53d40afd89f2e6bacbda3e3aed3ee255b774100e5cbe26
Instruction ID: ea7c4e2322a1f9d0a78ed4bbe6f9f7709495293b4c4aa79e4df4cbf8f70a8db8
Opcode Fuzzy Hash: efcba155b8a19b6cbe53d40afd89f2e6bacbda3e3aed3ee255b774100e5cbe26
Instruction Fuzzy Hash: 770148B090175A7DE3008F6A8C85A52FEA8FF19354F00411BA15847941C7B5A864CBE5

Function 010153E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 010153F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0101540F
GetWindowThreadProcessId.USER32(?,?), ref: 0101541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0101542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 01015437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0101543E

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 29d4252d88a5d3af92083f452acef37240a8ee25bf0da557b7feea4027297f9a
Instruction ID: 68b75ac8f1e8d4a1de0269517ba2a8789a913f735de1436f4931e277e63fb3bf
Opcode Fuzzy Hash: 29d4252d88a5d3af92083f452acef37240a8ee25bf0da557b7feea4027297f9a
Instruction Fuzzy Hash: ECF09032A40559BBE3315AA2EC0DEEF7B7CEFCBB11F000159FA44D1041DBAA1A0197B6

Function 01017230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 01017243
EnterCriticalSection.KERNEL32(?,?,00FC0EE4,?,?), ref: 01017254
TerminateThread.KERNEL32(00000000,000001F6,?,00FC0EE4,?,?), ref: 01017261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00FC0EE4,?,?), ref: 0101726E

Part of subcall function 01016C35: CloseHandle.KERNEL32(00000000,?,0101727B,?,00FC0EE4,?,?), ref: 01016C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 01017281
LeaveCriticalSection.KERNEL32(?,?,00FC0EE4,?,?), ref: 01017288

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 79a06b2b1bc781826f7c166447d0beb8defe4ce04f9e7cf6d75f6922d3fffa6d
Instruction ID: 1cf2c230f5d03d3213f29b5a04bd763329bd16b19663062d44f3043c4b2b15f4
Opcode Fuzzy Hash: 79a06b2b1bc781826f7c166447d0beb8defe4ce04f9e7cf6d75f6922d3fffa6d
Instruction Fuzzy Hash: 42F05E36940613EBE7612B64ED4CDEA7B6DFF49702B100521F68391099CBBF5405CB52

Function 01008992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0100899D
UnloadUserProfile.USERENV(?,?), ref: 010089A9
CloseHandle.KERNEL32(?), ref: 010089B2
CloseHandle.KERNEL32(?), ref: 010089BA
GetProcessHeap.KERNEL32(00000000,?), ref: 010089C3
HeapFree.KERNEL32(00000000), ref: 010089CA

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 9f2029f0fe24c01d6e29052c75aa70eb300beab489baa133cbdf4c3d05e6552e
Instruction ID: 8306b89ae532cb669aa804d0df6781cd671ab3e5abf8dd786ff8f165a4e33fee
Opcode Fuzzy Hash: 9f2029f0fe24c01d6e29052c75aa70eb300beab489baa133cbdf4c3d05e6552e
Instruction Fuzzy Hash: 80E0E536404002BBDB112FE2EC0CD0ABF7DFF8A322B108220F259C1068CB3B9424DB52

Function 010285ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01028613
CharUpperBuffW.USER32(?,?), ref: 01028722
VariantClear.OLEAUT32(?), ref: 0102889A

Part of subcall function 01017562: VariantInit.OLEAUT32(00000000), ref: 010175A2
Part of subcall function 01017562: VariantCopy.OLEAUT32(00000000,?), ref: 010175AB
Part of subcall function 01017562: VariantClear.OLEAUT32(00000000), ref: 010175B7

Strings

Incorrect Parameter format, xrefs: 0102864B, 0102880D
AUTOIT.ERROR, xrefs: 01028728

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 6feb95bd97e1be2c1713248705ecc98f1c81bc37e9e72378df19da2cab7c30a0
Instruction ID: f4d841e546c82b892e7a55b213481f2e041fe61510be76ac9bb21daff9410bc5
Opcode Fuzzy Hash: 6feb95bd97e1be2c1713248705ecc98f1c81bc37e9e72378df19da2cab7c30a0
Instruction Fuzzy Hash: 32919E746083019FC710DF25C88499ABBF4FF89714F04896EF99A8B361DB75E905CB52

Function 01012A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FCFC86: _wcscpy.LIBCMT ref: 00FCFCA9

_memset.LIBCMT ref: 01012B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01012BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01012C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 01012C97

Strings

0, xrefs: 01012B73

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: e9ffc56cbd5d6f3857bf28be7e04f264b18dea3c8c877571b4e3a13fe72711b0
Instruction ID: 390e19034380b66cca0f1ffe027b2148e147525be029e7e4ae9808d2dd4a2474
Opcode Fuzzy Hash: e9ffc56cbd5d6f3857bf28be7e04f264b18dea3c8c877571b4e3a13fe72711b0
Instruction Fuzzy Hash: B751F1716083059FE765DE6CC844A6BBBE8EF84310F240A6DFAC4D3295DB78C8049792

Function 0100D56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0100D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0100D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0100D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0100D69D

Strings

DllGetClassObject, xrefs: 0100D610

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 31394e1fb1e17fd3de98c0dc59ec2f30b599d98223f37440888eaa1b425b3cdf
Instruction ID: 22a30b8f8dd5e20b75339690ff8dff0685387d15fd8707231de7e7a7b6cfddfc
Opcode Fuzzy Hash: 31394e1fb1e17fd3de98c0dc59ec2f30b599d98223f37440888eaa1b425b3cdf
Instruction Fuzzy Hash: F0418FB1600205EFEB16CFD4CC84A9ABBB9EF48314F0581A9ED499F245D7B1D944CBB0

Function 01012753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 010127C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 010127DC
DeleteMenu.USER32(?,00000007,00000000), ref: 01012822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01075890,00000000), ref: 0101286B

Strings

0, xrefs: 010127B5

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: b8b88cdf058683fb0be1a81ab703cf330a348b34f01c173bf596537f6deffbda
Instruction ID: 49d50060ff42baec4217b57ad7bee1fea4368feb4c8c7aa44cdea1b804a86c6b
Opcode Fuzzy Hash: b8b88cdf058683fb0be1a81ab703cf330a348b34f01c173bf596537f6deffbda
Instruction Fuzzy Hash: 6A41CF712053029FDB24EF28C844B6ABBE8EF84314F24496DF9E5972D5D738E405CB52

Function 0102D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0102D7C5

Part of subcall function 00FB784B: _memmove.LIBCMT ref: 00FB7899

Strings

none, xrefs: 0102D8A0
cdecl, xrefs: 0102D81C
winapi, xrefs: 0102D836
stdcall, xrefs: 0102D847

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 6eac6bc575f6ca857e5f9618037c04a32e2a1b5c176bf208c81cde9a3122173b
Instruction ID: 17dee603f83d0557e43b5697e02d385024b73db461eb42ebfc5eea42d442c9b2
Opcode Fuzzy Hash: 6eac6bc575f6ca857e5f9618037c04a32e2a1b5c176bf208c81cde9a3122173b
Instruction Fuzzy Hash: 6F31B070A00225ABCF00EF99CC419EEB3B9FF04324B00865AE8A9976D1DB75ED05CB80

Function 01008E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB7DE1: _memmove.LIBCMT ref: 00FB7E22

Part of subcall function 0100AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0100AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 01008F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 01008F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 01008F57

Part of subcall function 00FB7BCC: _memmove.LIBCMT ref: 00FB7C06

Strings

ListBox, xrefs: 01008ED3
ComboBox, xrefs: 01008E9E

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: ac6c23b92ae0a4b38b446dbbee660cb4da1bc583692410a39de8bd67f7f1131f
Instruction ID: 5a7c8508756197e48fb1eb37cbac789f922de7382bae49064e7f523905396bb8
Opcode Fuzzy Hash: ac6c23b92ae0a4b38b446dbbee660cb4da1bc583692410a39de8bd67f7f1131f
Instruction Fuzzy Hash: 2E210171E00205BEEB15ABB5CC85DFFBBA9EF45360F04811EF5A1972E0DB3D4809AA10

Function 0102182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0102184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01021872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 010218A2
InternetCloseHandle.WININET(00000000), ref: 010218E9

Part of subcall function 01022483: GetLastError.KERNEL32(?,?,01021817,00000000,00000000,00000001), ref: 01022498
Part of subcall function 01022483: SetEvent.KERNEL32(?,?,01021817,00000000,00000000,00000001), ref: 010224AD

Strings

, xrefs: 01021893

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: f7ceaa1ae80a355cd9b049de5982ffe8369641a1b07b4a3e464db61ec7d26d15
Instruction ID: 5d373bb45459e772598eab0c00bf7d17df18076d3cfcd3bc83dda96fa8a6d17a
Opcode Fuzzy Hash: f7ceaa1ae80a355cd9b049de5982ffe8369641a1b07b4a3e464db61ec7d26d15
Instruction Fuzzy Hash: C521BEB1500319BFEB229A64DCC4EBF77EDEB49644F00412AF985E6240EBB59D0497A1

Function 010363E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FB1D73
Part of subcall function 00FB1D35: GetStockObject.GDI32(00000011), ref: 00FB1D87
Part of subcall function 00FB1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FB1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 01036461
LoadLibraryW.KERNEL32(?), ref: 01036468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0103647D
DestroyWindow.USER32(?), ref: 01036485

Strings

SysAnimate32, xrefs: 0103643C

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 3d1f7014ab22c07d28da635807de4b3b85b4bf918e04fbdc98a6fa675d0c30cf
Instruction ID: bc13f7eeae4652f2d936c0f3222afb580597584c43f8cace75a61e030a298fe8
Opcode Fuzzy Hash: 3d1f7014ab22c07d28da635807de4b3b85b4bf918e04fbdc98a6fa675d0c30cf
Instruction Fuzzy Hash: C0218E71A00205BFEF114E68EC50EBB77EEEB89364F108629FA9097091DB37D9419760

Function 01016D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 01016DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01016DEF
GetStdHandle.KERNEL32(0000000C), ref: 01016E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 01016E3B

Strings

nul, xrefs: 01016E36

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 74a503d90b60041761a3fbd3fe0b2b024d580d2aa4ee1f37de466c2a2a4ad245
Instruction ID: 0692c7c2308a34d7af63d883de95c6f38d1da30e3cab8cb35d13e42f5ad66aed
Opcode Fuzzy Hash: 74a503d90b60041761a3fbd3fe0b2b024d580d2aa4ee1f37de466c2a2a4ad245
Instruction Fuzzy Hash: E221A17090030AABDB20AF69DC04AAA7BF8FF44720F104A59FDE1D72D8DBB69550CB50

Function 01016E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 01016E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01016EBB
GetStdHandle.KERNEL32(000000F6), ref: 01016ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 01016F06

Strings

nul, xrefs: 01016F01

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 946cc2202a6afef1f527eaa08dacf847a8f70d97070e2aff57bf2e5a8aacece9
Instruction ID: 084f81070106dc7c64788c88615addf7d52ac3cf4667ab8f06a65514ccfbf559
Opcode Fuzzy Hash: 946cc2202a6afef1f527eaa08dacf847a8f70d97070e2aff57bf2e5a8aacece9
Instruction Fuzzy Hash: 1021B3719003069BEB209F6DDC04AAA7BE8EF45724F200B59FDE0D72D8D7B6A450CB51

Function 0101AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0101AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0101ACA8
__swprintf.LIBCMT ref: 0101ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,0103F910), ref: 0101ACFF

Strings

%lu, xrefs: 0101ACBB

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 01f0b45ab712f1295584bf9b6bd6ec7ed33ef586817558f868fd35b5dd4b36b7
Instruction ID: 681c41b66f4d58147254db02410a7e241f11800a2aeaf103b2733590bb7167f0
Opcode Fuzzy Hash: 01f0b45ab712f1295584bf9b6bd6ec7ed33ef586817558f868fd35b5dd4b36b7
Instruction Fuzzy Hash: 99217130A0010AAFCB10DF65CD45DEEBBB8FF49714B004069F949DB251DA75EA41DB61

Function 01011AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 01011B19

Strings

EXISTS, xrefs: 01011B41
APPEND, xrefs: 01011B52
REMOVE, xrefs: 01011B1F
KEYS, xrefs: 01011B30

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 062deda2e5e3aa3c21343228432fe1e132d737123a2db78f12a64807d62cabb7
Instruction ID: 6ae033a750364f561789b63bd32ea4e10debc1e16bd27c5447372f50ccbc6bbb
Opcode Fuzzy Hash: 062deda2e5e3aa3c21343228432fe1e132d737123a2db78f12a64807d62cabb7
Instruction Fuzzy Hash: 86115E309002098F8F44EF64D8919EEB7B5FF15304F148496D89467296EB3A590ADB50

Function 0102EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0102EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0102EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0102ED6A
CloseHandle.KERNEL32(?), ref: 0102EDEB

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 93277f9f6d243cd27ebbf21c2c08987fa9c89e135ea8e86915395843578f4ad4
Instruction ID: 550a49936a9b09188ad5c9557c93a11b03083c76bf1af455d4e58e3b0e651443
Opcode Fuzzy Hash: 93277f9f6d243cd27ebbf21c2c08987fa9c89e135ea8e86915395843578f4ad4
Instruction Fuzzy Hash: F88190716043119FD760EF29CC86F6AB7E5AF88710F04881DFA999B292DAB5EC01CF51

Function 01030037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB7DE1: _memmove.LIBCMT ref: 00FB7E22

Part of subcall function 01030E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0102FDAD,?,?), ref: 01030E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010300FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0103013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 01030183
RegCloseKey.ADVAPI32(?,?), ref: 010301AF
RegCloseKey.ADVAPI32(00000000), ref: 010301BC

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: cb2db3d5fac1ec7fdc5cf8ffc4ce98b79f7677c5906822b84386400d2d6b97cb
Instruction ID: 68aa0ea72570fe5bdce467e5184109304703e40ea1628c63ac3be6554351fcf8
Opcode Fuzzy Hash: cb2db3d5fac1ec7fdc5cf8ffc4ce98b79f7677c5906822b84386400d2d6b97cb
Instruction Fuzzy Hash: 74514671208205AFD714EF68CC81EAABBE9FF84314F44891DF5968B2A5DB35E904CB52

Function 0102D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB9837: __itow.LIBCMT ref: 00FB9862
Part of subcall function 00FB9837: __swprintf.LIBCMT ref: 00FB98AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0102D927
GetProcAddress.KERNEL32(00000000,?), ref: 0102D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0102D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 0102DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0102DA21

Part of subcall function 00FB5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01017896,?,?,00000000), ref: 00FB5A2C
Part of subcall function 00FB5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01017896,?,?,00000000,?,?), ref: 00FB5A50

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: d35827bd889a83cb7a5fe2115b0c7b5eb8e799f5bed2e9a18dbbb29f4f8375db
Instruction ID: 359eb6fd95469491b996a702514cacbf8ee417ce95806a04269d38a9ea5dc5c8
Opcode Fuzzy Hash: d35827bd889a83cb7a5fe2115b0c7b5eb8e799f5bed2e9a18dbbb29f4f8375db
Instruction Fuzzy Hash: 17512635A04219DFCB40EFA9C8849ADB7F9FF09320B048099E995AB312D739ED45CF91

Function 0101E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0101E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0101E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0101E687

Part of subcall function 00FB9837: __itow.LIBCMT ref: 00FB9862
Part of subcall function 00FB9837: __swprintf.LIBCMT ref: 00FB98AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0101E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0101E6B4

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 64fcbf38b7b7d859ca14c0eee67928c398bf3e36d599b129248a9289cc7bc56c
Instruction ID: 03c3e63aa837fe49fb1529b56e4edced7660673ed3aa226155a11a2da41f7f61
Opcode Fuzzy Hash: 64fcbf38b7b7d859ca14c0eee67928c398bf3e36d599b129248a9289cc7bc56c
Instruction Fuzzy Hash: 24514A35A04205DFCB01EF65C981AAEBBF5EF09310F188099E949AB366CB39ED10DF51

Function 0103A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dbc7c0ff40d0a492172744a3d43eadc29889d443b70f66d6bae5c03d60e8bcb
Instruction ID: d1003d8ca2a6f815bc6d45751913273aea10f61914953bf70709aecda87a27d4
Opcode Fuzzy Hash: 0dbc7c0ff40d0a492172744a3d43eadc29889d443b70f66d6bae5c03d60e8bcb
Instruction Fuzzy Hash: 0D419035E04104EFE760DA68CC48FAABBACEB89390F140295FAD6E72D1C775A941DB50

Function 00FB2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00FB2357
ScreenToClient.USER32(010757B0,?), ref: 00FB2374
GetAsyncKeyState.USER32(00000001), ref: 00FB2399
GetAsyncKeyState.USER32(00000002), ref: 00FB23A7

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 7928a5c06174f0880f04974baca780db0847366a9fd7a0f884de25597c982285
Instruction ID: 76a73c2b061400edf410cb7fe24b68772516c0432a54ac000cf18a02ef0d1b24
Opcode Fuzzy Hash: 7928a5c06174f0880f04974baca780db0847366a9fd7a0f884de25597c982285
Instruction Fuzzy Hash: 8541A135A04106FBCF259F69C844AEDBBB4FB05370F24431AF86992290C7359D90EF91

Function 010063AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 010063E7
TranslateAcceleratorW.USER32(?,?,?), ref: 01006433
TranslateMessage.USER32(?), ref: 0100645C
DispatchMessageW.USER32(?), ref: 01006466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01006475

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: dc66a9cd4fbc71c74e614d85b35977a7d87c68726c36538475a192c4c429d3c8
Instruction ID: 121307f0885f8e6847fb090a62d74c80db4885b5f92772a4a0195c4682987485
Opcode Fuzzy Hash: dc66a9cd4fbc71c74e614d85b35977a7d87c68726c36538475a192c4c429d3c8
Instruction Fuzzy Hash: 2531F631D002069FF7B28E78D844BE67BEEAB01310F0141A5E5E1D21D1EB2B9055C7A1

Function 01008A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 01008A30
PostMessageW.USER32(?,00000201,00000001), ref: 01008ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 01008AE2
PostMessageW.USER32(?,00000202,00000000), ref: 01008AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 01008AF8

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: c89ad23c83ae90a76ad246206623a9645788f4bdadaa36ce5d17cebe87b4b59c
Instruction ID: 89b74bfafde21a21a643a7fed6c9cda45b0f450a93fc72c2e9911c2db792c1c7
Opcode Fuzzy Hash: c89ad23c83ae90a76ad246206623a9645788f4bdadaa36ce5d17cebe87b4b59c
Instruction Fuzzy Hash: 3B31217190021AEFEF14CFA8D94CA9E3BB5FB05315F00825AF9A5E71C1C3B09954CB91

Function 0100B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0100B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0100B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0100B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0100B27F
_wcsstr.LIBCMT ref: 0100B289

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: f58e35fd554a029024e058856e21f2cec431268ff60e1177acdddcff2c843bb4
Instruction ID: 3982b27194475d064b967e2e54028d3961b9ffc948f65a684789fc07cede95bd
Opcode Fuzzy Hash: f58e35fd554a029024e058856e21f2cec431268ff60e1177acdddcff2c843bb4
Instruction Fuzzy Hash: 68210436604201BBFB269B799C09E7F7BADDF49760F00416AF844DA191EE69D840A3A1

Function 0103B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00FB2612: GetWindowLongW.USER32(?,000000EB), ref: 00FB2623

GetWindowLongW.USER32(?,000000F0), ref: 0103B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0103B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0103B1CF
GetSystemMetrics.USER32(00000004), ref: 0103B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,01020E90,00000000), ref: 0103B216

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: b8bb3794496751a4b7988382932193fdcacd83fa8f1cb60966fcd55eeece1c19
Instruction ID: 045282b77015dd3cf443684f838c3fbf539c71085e8416a60a1bf3085228f53a
Opcode Fuzzy Hash: b8bb3794496751a4b7988382932193fdcacd83fa8f1cb60966fcd55eeece1c19
Instruction Fuzzy Hash: FB219F71A10256AFDB609E38DC04B6A7BA8FB45325F114768FAB2D71E0E7319811CB90

Function 01009307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01009320

Part of subcall function 00FB7BCC: _memmove.LIBCMT ref: 00FB7C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01009352
__itow.LIBCMT ref: 0100936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01009392
__itow.LIBCMT ref: 010093A3

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 9eb5ddb8bc72908ee18817f9900bc73c968996033cc6841aecdcedc21a182700
Instruction ID: e15c3d86e9c065146a6abd3c322ebae488e7b79c35bfeb86a9e5280f770abc7d
Opcode Fuzzy Hash: 9eb5ddb8bc72908ee18817f9900bc73c968996033cc6841aecdcedc21a182700
Instruction Fuzzy Hash: 53213D307002047BEB11AA659C85EEF3FADEB88714F049029FA889B1C2D67489409B92

Function 01025A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 01025A6E
GetForegroundWindow.USER32 ref: 01025A85
GetDC.USER32(00000000), ref: 01025AC1
GetPixel.GDI32(00000000,?,00000003), ref: 01025ACD
ReleaseDC.USER32(00000000,00000003), ref: 01025B08

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 4366f4531276f90f10464b609bb5a846270c39fc66114e9c3a6b53b80eba86d2
Instruction ID: 3bad16ac0339d80e806b5ee5d1c88436c43db16672098247be6f3fcbbfd9ecfd
Opcode Fuzzy Hash: 4366f4531276f90f10464b609bb5a846270c39fc66114e9c3a6b53b80eba86d2
Instruction Fuzzy Hash: 1821AE35A00205AFD710EF69DC88AAABBF9FF48310F04C469E989D7351CA78ED00DB91

Function 00FB12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FB134D
SelectObject.GDI32(?,00000000), ref: 00FB135C
BeginPath.GDI32(?), ref: 00FB1373
SelectObject.GDI32(?,00000000), ref: 00FB139C

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 442f89f215bdc2c08fb70ca4d0363d5c0a4863b257c30ee1b91e7e65ed32c5a5
Instruction ID: fb9ccc52c2800ff41c101cb91a1ac65e164feb353afdd5bbe90bd6090cc9cbee
Opcode Fuzzy Hash: 442f89f215bdc2c08fb70ca4d0363d5c0a4863b257c30ee1b91e7e65ed32c5a5
Instruction Fuzzy Hash: 4C217431C00209EFDB208F56DD447ED7BE8FB04321F684615F490B6194E77A9991EF51

Function 01014A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 01014ABA
__beginthreadex.LIBCMT ref: 01014AD8
MessageBoxW.USER32(?,?,?,?), ref: 01014AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 01014B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 01014B0A

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: d92db31f68bd750ed2527775458b9eb9f1015878257e5b4fa5663fe399ee26b6
Instruction ID: 637587d27aba862ea74889d8d2c16ed0fd363f5ece4d0220889e38ba287aabff
Opcode Fuzzy Hash: d92db31f68bd750ed2527775458b9eb9f1015878257e5b4fa5663fe399ee26b6
Instruction Fuzzy Hash: BC1108B6D04205BBD7219FACAC48ADB7FACEB46320F144259F994E3254E77A890487A1

Function 01008202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0100821E
GetLastError.KERNEL32(?,01007CE2,?,?,?), ref: 01008228
GetProcessHeap.KERNEL32(00000008,?,?,01007CE2,?,?,?), ref: 01008237
HeapAlloc.KERNEL32(00000000,?,01007CE2,?,?,?), ref: 0100823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 01008255

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 78f46cb5a438e2d15d2a02800591c306b42f00b9ff0c271c0730df3284db0913
Instruction ID: e329bf04c69d34cc3cb04aba63fad02265a253d93a78556cfa3074e94cc0a5fe
Opcode Fuzzy Hash: 78f46cb5a438e2d15d2a02800591c306b42f00b9ff0c271c0730df3284db0913
Instruction Fuzzy Hash: 64016271A00605FFEB215FAADC48D677FACFF8A654B504469F989C2150DA328C10DB61

Function 0100710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01007044,80070057,?,?,?,01007455), ref: 01007127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01007044,80070057,?,?), ref: 01007142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01007044,80070057,?,?), ref: 01007150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01007044,80070057,?), ref: 01007160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01007044,80070057,?,?), ref: 0100716C

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 774026793fbeb166c5ed920158fd9c9c008db66356c0388ede961f64a367fedc
Instruction ID: 8185ff3ca559376370f29d1aba76bdb9679020216f92abdc61fcca7a62a670a2
Opcode Fuzzy Hash: 774026793fbeb166c5ed920158fd9c9c008db66356c0388ede961f64a367fedc
Instruction Fuzzy Hash: 7601B17AA00215BBEB264F28DC44AAA7FFEEB44651F100055FEC4D2294D73AE900C7A0

Function 01015244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 01015260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0101526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 01015276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 01015280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 010152BC

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 0e5d12f76c0151fd9f5f03bdae61e6d82f97dbbe5bbed9841e52b5e75805f3bb
Instruction ID: 7b7bdd93b77b246205aea3edd254be4a424600bf5a52ff03d9d658c1f020a61d
Opcode Fuzzy Hash: 0e5d12f76c0151fd9f5f03bdae61e6d82f97dbbe5bbed9841e52b5e75805f3bb
Instruction Fuzzy Hash: 9C015732D0161ADBCF10EFE4EC499EDBB78BB4B311F400046E985B6148DB39555487A2

Function 010080A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 010080C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 010080CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 010080D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 010080E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 010080F6

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: e9ace506ba9372b176e1e0facb80ff7e8fb0032c12bfa5551f73d27d468ceec6
Instruction ID: 7291d8707ab272d54fe58487b6f7d7632ab75250b578928d1fbb97d79a7a26e8
Opcode Fuzzy Hash: e9ace506ba9372b176e1e0facb80ff7e8fb0032c12bfa5551f73d27d468ceec6
Instruction Fuzzy Hash: C5F06231640205AFFB221FA9EC8DEA73FACFF4A655F004056F985C6290CBA6D845DF61

Function 0100C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0100C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 0100C20E
MessageBeep.USER32(00000000), ref: 0100C226
KillTimer.USER32(?,0000040A), ref: 0100C242
EndDialog.USER32(?,00000001), ref: 0100C25C

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: a767c68a94a9e4e1643e444839738473fe6fefb6c42868c9d6cc5c928bc01d56
Instruction ID: 93bcdb577460c913db7e4c320c8458e1a229f0f5bb35e00a572b0c80425a05d7
Opcode Fuzzy Hash: a767c68a94a9e4e1643e444839738473fe6fefb6c42868c9d6cc5c928bc01d56
Instruction Fuzzy Hash: E601A730804705A7FB315B64DE4EB967BBCBB04705F000299A6C6918E1DBE965449B51

Function 00FB13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00FB13BF
StrokeAndFillPath.GDI32(?,?,00FEB888,00000000,?), ref: 00FB13DB
SelectObject.GDI32(?,00000000), ref: 00FB13EE
DeleteObject.GDI32 ref: 00FB1401
StrokePath.GDI32(?), ref: 00FB141C

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 5c2a0c2660eb6e3779bc8e484c7a8d0b8c5feb74dae0aa883a097c0cd52580ea
Instruction ID: 178e47a231169022dffde8542b1393911b975ef66b6b43fee70398589607c2fd
Opcode Fuzzy Hash: 5c2a0c2660eb6e3779bc8e484c7a8d0b8c5feb74dae0aa883a097c0cd52580ea
Instruction Fuzzy Hash: FDF01D31800209DBDB715F5AED4C7983FA8F701326F488214F4A9680F9C73A45A5DF11

Function 00FC2CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00FD0DB6: std::exception::exception.LIBCMT ref: 00FD0DEC
Part of subcall function 00FD0DB6: __CxxThrowException@8.LIBCMT ref: 00FD0E01

Part of subcall function 00FB7DE1: _memmove.LIBCMT ref: 00FB7E22

Part of subcall function 00FB7A51: _memmove.LIBCMT ref: 00FB7AAB

__swprintf.LIBCMT ref: 00FC2ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00FC2D66

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 7615210269d4252d976b2a5961145450a46efdd1d1467a6b3b1ab7022e554288
Instruction ID: dec51b77eca63d260d0358162a2c2efd11590b61de98113173df41c3fbe0f99d
Opcode Fuzzy Hash: 7615210269d4252d976b2a5961145450a46efdd1d1467a6b3b1ab7022e554288
Instruction Fuzzy Hash: A7917B715083069FC714EF24CD86EAEB7B9EF85710F04481DF5859B2A1EE28ED44EB52

Function 0101B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FB4743,?,?,00FB37AE,?), ref: 00FB4770

CoInitialize.OLE32(00000000), ref: 0101B9BB
CoCreateInstance.OLE32(01042D6C,00000000,00000001,01042BDC,?), ref: 0101B9D4
CoUninitialize.OLE32 ref: 0101B9F1

Part of subcall function 00FB9837: __itow.LIBCMT ref: 00FB9862
Part of subcall function 00FB9837: __swprintf.LIBCMT ref: 00FB98AC

Strings

.lnk, xrefs: 0101B99D, 0101B9AB

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 369e3ae100aeffa3b5ec6f41c64649ec78bfc232a5bd0479ad0cc6d18b50f36b
Instruction ID: 2f729e7984f2f4113984e8842165acde7940a929e4e0fba261c8d0377b59d1ee
Opcode Fuzzy Hash: 369e3ae100aeffa3b5ec6f41c64649ec78bfc232a5bd0479ad0cc6d18b50f36b
Instruction Fuzzy Hash: 2DA133756083019FCB10DF19C884D6ABBF5FF89314F048988F9999B262CB75EC46CB92

Function 00FD501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00FD50AD

Part of subcall function 00FE00F0: __87except.LIBCMT ref: 00FE012B

Strings

pow, xrefs: 00FD5085, 00FD50A2

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 73c62b55adbda2179ce51f0f3927435d061d405f3120a7f74c869ae194302d95
Instruction ID: 053cbe104ef0c57fc2e20e78c7522843992be9e01df3be1813c08b1b0e59c59a
Opcode Fuzzy Hash: 73c62b55adbda2179ce51f0f3927435d061d405f3120a7f74c869ae194302d95
Instruction Fuzzy Hash: 1851AA71D0864387DB217625CD4536E3BD29B00B20F288D5AE0C18A39DDF7D8DC4BB86

Function 00FC6192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FC6248
_memmove.LIBCMT ref: 00FC62E4
_memset.LIBCMT ref: 00FC6308

Strings

ERCP, xrefs: 00FC61B3

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 0f3d7c4231d7bef18eb9fc5344c5434b1c369a86be3b89c48b0730763f0736ea
Instruction ID: 7365094f8507b565cdd5d7a75ca23205d5c9ec0fb668ea986615ebe0535d1cc1
Opcode Fuzzy Hash: 0f3d7c4231d7bef18eb9fc5344c5434b1c369a86be3b89c48b0730763f0736ea
Instruction Fuzzy Hash: 8A51B171904306DFDB24DF55CA42BEABBE5EF04354F20856EE58AC7281E734EA44DB50

Function 010097F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 010114BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,01009296,?,?,00000034,00000800,?,00000034), ref: 010114E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0100983F

Part of subcall function 01011487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010092C5,?,?,00000800,?,00001073,00000000,?,?), ref: 010114B1

Part of subcall function 010113DE: GetWindowThreadProcessId.USER32(?,?), ref: 01011409
Part of subcall function 010113DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0100925A,00000034,?,?,00001004,00000000,00000000), ref: 01011419
Part of subcall function 010113DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0100925A,00000034,?,?,00001004,00000000,00000000), ref: 0101142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 010098AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 010098F9

Strings

@, xrefs: 01009911

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 7f3b5eea2a1489eb3aba5257b049bc59b3629779949ba6e08a504c5acfb349ee
Instruction ID: 2b8ebf7ef9e2aeabe805994dd9f21ec26816b5e160e075d94b2b193f15b62d1e
Opcode Fuzzy Hash: 7f3b5eea2a1489eb3aba5257b049bc59b3629779949ba6e08a504c5acfb349ee
Instruction Fuzzy Hash: B2419F7290021DBFDB11DFA8CD81EDEBBB8EB19700F004099FA85B7184DA756E45CBA0

Function 01037946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0103F910,00000000,?,?,?,?), ref: 010379DF
GetWindowLongW.USER32 ref: 010379FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01037A0C

Strings

SysTreeView32, xrefs: 010379B1

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 70f3cb568b4ddeb1a27a52cc87797c393fbec8b67255fadd8dd27eca30f07bec
Instruction ID: 5ef572131d53ff9d991229fa005e1c754a0051393c211b2067617b0cc70de50e
Opcode Fuzzy Hash: 70f3cb568b4ddeb1a27a52cc87797c393fbec8b67255fadd8dd27eca30f07bec
Instruction Fuzzy Hash: E2310171600606AFEB518E38CC41BEA7BACFB89324F244715F9B5A32E1D735E8519B50

Function 010373D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 01037461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 01037475
SendMessageW.USER32(?,00001002,00000000,?), ref: 01037499

Strings

SysMonthCal32, xrefs: 0103742C

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: df53288e3178cf86c50318e15c282538462cf7ec49403d9d9f2875e0a2e2caae
Instruction ID: bd42d0d54bdae94b0a2424023812d5dd07e15e5997749683cdd987651edefcb2
Opcode Fuzzy Hash: df53288e3178cf86c50318e15c282538462cf7ec49403d9d9f2875e0a2e2caae
Instruction Fuzzy Hash: 6E21D172500219AFDF228E64CC42FEA3BA9FF88724F110254FE956B1D0DB75B850DBA0

Function 01037B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 01037C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 01037C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01037C5F

Strings

msctls_updown32, xrefs: 01037BC4

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 1b37cab3118660d617f6376f56278888bd35ad41f06edc4ff9ce77e19ad04fb7
Instruction ID: 8dc9bd95880125b7deaa36b0db6e098fbcd8673955a99b1259e3467597ecba66
Opcode Fuzzy Hash: 1b37cab3118660d617f6376f56278888bd35ad41f06edc4ff9ce77e19ad04fb7
Instruction Fuzzy Hash: 1E215EB5600209AFDB51DF28DCC1DA737EDEF8A364B140059FA51AB391CB36EC119B60

Function 01036CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01036D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01036D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01036D70

Strings

Listbox, xrefs: 01036D08

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 02b8f9bcc41073b7bdd2141f4d84f69cb3139a628de40d2c2c77a8d5139e4a79
Instruction ID: 3c419a4d8848345088b1b496c98eb5b83205c1c5cff4dea8bccebd59e12dc9c1
Opcode Fuzzy Hash: 02b8f9bcc41073b7bdd2141f4d84f69cb3139a628de40d2c2c77a8d5139e4a79
Instruction Fuzzy Hash: D521B332A10118BFDF129F58DC44EFB3BAEEF89750F018128F9859B191C6729C5187A0

Function 0103770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 01037772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 01037787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01037794

Strings

msctls_trackbar32, xrefs: 01037749

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 839d0cbff1886af2d374b9edcfba255041845683432e7b971e2125b2a649b893
Instruction ID: 1b80dc8cfaabf4bd1aa9d44c73b2f6e22a159f441a2a97ddf9c4c90c7363ca7e
Opcode Fuzzy Hash: 839d0cbff1886af2d374b9edcfba255041845683432e7b971e2125b2a649b893
Instruction Fuzzy Hash: 2011E3B2640209BEEF215E65CC05FEB7BADFFC9B54F014118FA81A6190C672E411DB20

Function 00FB4C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00FB4B83,?), ref: 00FB4C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FB4C56

Strings

kernel32.dll, xrefs: 00FB4C3F
Wow64RevertWow64FsRedirection, xrefs: 00FB4C50

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 3af7acf974d257a7a37bfcd4d176bddb14f5c460a212f29e59f462fa5539b1a4
Instruction ID: ff4822d2f27281db98d89fea2f9b7a914933def4219c6f65cd7e421d5a23875d
Opcode Fuzzy Hash: 3af7acf974d257a7a37bfcd4d176bddb14f5c460a212f29e59f462fa5539b1a4
Instruction Fuzzy Hash: 4CD01270D11713CFD7245F32D91964677D8AF06751B11882E98E5DA125E774D880CB51

Function 01030DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,01031039), ref: 01030DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 01030E07

Strings

RegDeleteKeyExW, xrefs: 01030E01
advapi32.dll, xrefs: 01030DF0

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: f5199f232d8a1147da346cfa0ee324ca2bc15d1dff6454ae7df65ad8b7ce4f2c
Instruction ID: 769d9e1168df14927a5bdff5bb9b5c3262b1a49b51cad9ff48fbaad731212d24
Opcode Fuzzy Hash: f5199f232d8a1147da346cfa0ee324ca2bc15d1dff6454ae7df65ad8b7ce4f2c
Instruction Fuzzy Hash: 7AD0C730A00323CFD7208F7AD80828376ECAF02242F008C2EA4C2C6508E7B5D090CB62

Function 00FB4C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00FB4BD0,?,00FB4DEF,?,010752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FB4C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FB4C23

Strings

kernel32.dll, xrefs: 00FB4C0C
Wow64DisableWow64FsRedirection, xrefs: 00FB4C1D

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 92ad4daede5ad09048f25beb8688d59b85c3348175dfdf36bed01a01b9bfb4c4
Instruction ID: 3dce5cd6779fce3b94643fb4abf1d30b8e444271f2ab40f8f9b16a238d0bd214
Opcode Fuzzy Hash: 92ad4daede5ad09048f25beb8688d59b85c3348175dfdf36bed01a01b9bfb4c4
Instruction Fuzzy Hash: 88D01270D11713CFD7206F72D918647BAD9EF0A651B118C2E94C5D6211E7B4D880CB51

Function 010290E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,01028CF4,?,0103F910), ref: 010290EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 01029100

Strings

kernel32.dll, xrefs: 010290E9
GetModuleHandleExW, xrefs: 010290FA

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 5f9b2c64887cd6f9da06f9be11124374c3a6d1c540dd367bb34fa4c77942c53a
Instruction ID: 8e4e3706d10d5e591574bf708132e3d6e69078e8b11e2ab3133ed9d821900218
Opcode Fuzzy Hash: 5f9b2c64887cd6f9da06f9be11124374c3a6d1c540dd367bb34fa4c77942c53a
Instruction Fuzzy Hash: 53D0C730910323CFDB208F36E82860276E8AF02241F22C82ED8C2CA104E7B4C4C0CB91

Function 00FF1714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00FF1718
__swprintf.LIBCMT ref: 00FF1749

Strings

%.3d, xrefs: 00FF1723
WIN_XPe, xrefs: 00FF1788

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 6d9a02c25d5a595e9998e4292998adeb2f5c2f1e2ef93db456af11ff1ba55564
Instruction ID: 31a4b605cfeba2bc8c125784e89f792288a5e9ee5e0a436c082384cb64254523
Opcode Fuzzy Hash: 6d9a02c25d5a595e9998e4292998adeb2f5c2f1e2ef93db456af11ff1ba55564
Instruction Fuzzy Hash: 28D0127380410CEAC710A6919888EF9777CBF19311F240456FA0AD2050E2369794FA21

Function 0100717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d04d7eedd4a1560146ecad642ef615050f4085ce0a85eeb1d45256b918774477
Instruction ID: 63806570c2e047dab7709b143adc4654bd81b59d42986f326fd2f7148613c566
Opcode Fuzzy Hash: d04d7eedd4a1560146ecad642ef615050f4085ce0a85eeb1d45256b918774477
Instruction Fuzzy Hash: D7C16F74A00206EFEB16CF98C8849AEBBF5FF48314F158598E985DB291D735ED81CB90

Function 0102E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0102E0BE
CharLowerBuffW.USER32(?,?), ref: 0102E101

Part of subcall function 0102D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0102D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0102E301
_memmove.LIBCMT ref: 0102E314

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 31016cd6438f7f747490eac644195b0052bdfb82728ccd430036e7de7b95c282
Instruction ID: c623fb63f95218ac603a69ae71e9130505786d1a92d286b87e706a1bcf3fd35d
Opcode Fuzzy Hash: 31016cd6438f7f747490eac644195b0052bdfb82728ccd430036e7de7b95c282
Instruction Fuzzy Hash: F1C18A716083118FC744DF28C480AAABBE4FF89714F14896EF99A9B351D735E946CF82

Function 01028093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 010280C3
CoUninitialize.OLE32 ref: 010280CE

Part of subcall function 0100D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0100D5D4

VariantInit.OLEAUT32(?), ref: 010280D9
VariantClear.OLEAUT32(?), ref: 010283AA

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 85704a4173c8cd2735bf90362025f7dda4d5bdabea9baf1a30e9ca24c17e8414
Instruction ID: 9b2e2f1bc0adbeaf2aebd4c03b96185728c4b299ff15f57627f07fc19392da55
Opcode Fuzzy Hash: 85704a4173c8cd2735bf90362025f7dda4d5bdabea9baf1a30e9ca24c17e8414
Instruction Fuzzy Hash: FDA17A396087119FDB50DF65C880B6AB7E4BF89314F44844DFA969B3A1CB74ED04CB82

Function 01007530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,01042C7C,?), ref: 010076EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,01042C7C,?), ref: 01007702
CLSIDFromProgID.OLE32(?,?,00000000,0103FB80,000000FF,?,00000000,00000800,00000000,?,01042C7C,?), ref: 01007727
_memcmp.LIBCMT ref: 01007748

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 8425537236a477cfb357eeeb1df6319434840dd58ff9a8a11db03a99756da1c4
Instruction ID: b6ba682bcae5e20dfb1de05ce10b8386e70ea1f8291b2c966ed487ccd12502f3
Opcode Fuzzy Hash: 8425537236a477cfb357eeeb1df6319434840dd58ff9a8a11db03a99756da1c4
Instruction Fuzzy Hash: FE815D75A00109EFDB05DFA8C984EEEB7B9FF89315F104098F546AB250DB75AE06CB60

Function 0100687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0100688E
SysAllocString.OLEAUT32(00000000), ref: 01006937
VariantCopy.OLEAUT32 ref: 01006966
VariantClear.OLEAUT32(?), ref: 0100698D

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: efee1357968b0e66b4e7b4d1695476d4fe6b801462d160afb826fe7354004acb
Instruction ID: 05ecf39b8d13254a4b94074f3bf0f25c67dbd481bd28e898795ea67d8f9eeea5
Opcode Fuzzy Hash: efee1357968b0e66b4e7b4d1695476d4fe6b801462d160afb826fe7354004acb
Instruction Fuzzy Hash: 7B51C5746047029AEB21BF6AD89066DB7EAAF45310F10C81FE6C6CB2D1DF76D890CB01

Function 010397F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(012CEE28,?), ref: 01039863
ScreenToClient.USER32(00000002,00000002), ref: 01039896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 01039903

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: c0625ffb1d1e16cfb01e8c88814d48b9d6e5a1742da677edd7b74e65391b999e
Instruction ID: ef1c257641dd9d13ce9a6b0becdb1b31972c6c9a8875ca661fa5672c8c3eddda
Opcode Fuzzy Hash: c0625ffb1d1e16cfb01e8c88814d48b9d6e5a1742da677edd7b74e65391b999e
Instruction Fuzzy Hash: 21517234A00209EFDF61CF68C880AAE7BF9FF85364F148199F895AB291D771AD41CB50

Function 01009A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 01009AD2
__itow.LIBCMT ref: 01009B03

Part of subcall function 01009D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 01009DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 01009B6C
__itow.LIBCMT ref: 01009BC3

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: b14b1d1272359cc2045d4dd2fa40091007ffe52a2684a5675c672afb87d93d31
Instruction ID: a73f4e6bf3f23daeaf75e8a8f720cd08b644ded7776ee51d95efc68cf5ee68aa
Opcode Fuzzy Hash: b14b1d1272359cc2045d4dd2fa40091007ffe52a2684a5675c672afb87d93d31
Instruction Fuzzy Hash: 6E418F70A00309ABEF12EF55CC45BEE7FB9EF84764F000059F949A7292DB749A44CBA1

Function 010269AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 010269D1
WSAGetLastError.WSOCK32(00000000), ref: 010269E1

Part of subcall function 00FB9837: __itow.LIBCMT ref: 00FB9862
Part of subcall function 00FB9837: __swprintf.LIBCMT ref: 00FB98AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01026A45
WSAGetLastError.WSOCK32(00000000), ref: 01026A51

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: e76e8033222a512d01f19074c96bb21cbe46063ceafcd850e92376314de80d4a
Instruction ID: c6c7f56e8d169c82a0db3b091fdabe0be096bf736d034f57557fcc8b0d8077cf
Opcode Fuzzy Hash: e76e8033222a512d01f19074c96bb21cbe46063ceafcd850e92376314de80d4a
Instruction Fuzzy Hash: FA41E3347002006FEB61AF25CC86FBA77E8AF45B10F44845CFA599F2C2CAB98D019B91

Function 0102641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0103F910), ref: 010264A7
_strlen.LIBCMT ref: 010264D9

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: c084df6b94062aff4633c0b85c20fe8cd84c599f9277bd91dc0d23ad2a430267
Instruction ID: e96883532e862e3f7198a3b060d8c9ed21eebdee1e6543cd59fc73116aa88143
Opcode Fuzzy Hash: c084df6b94062aff4633c0b85c20fe8cd84c599f9277bd91dc0d23ad2a430267
Instruction Fuzzy Hash: 22410631A04125ABCB14EBA9DC85FEEB7B9AF44310F048159FD5A97292DB39ED04CB50

Function 0101B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0101B89E
GetLastError.KERNEL32(?,00000000), ref: 0101B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0101B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0101B915

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: c8b9fe96abaa0e98d162f91fa053e178046c950ba95adcfe4620aca20a6ebac7
Instruction ID: 712119ee55a07c4ee470fe3bc855be937d3987036e70020988fe3d153e2398d0
Opcode Fuzzy Hash: c8b9fe96abaa0e98d162f91fa053e178046c950ba95adcfe4620aca20a6ebac7
Instruction Fuzzy Hash: D3411935604511DFCB11DF15C484A99BBF1AF4A710F498088ED8A9B766CB78FD02DF91

Function 01038851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010388DE

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 09fbdf03d5057af7c0baefe28e41212c738b0cbee1359afca02736cbb94e9e45
Instruction ID: 2cf248c89294111ca171f2f1d4e27ad074723874af15c0695a633ad6481abbb5
Opcode Fuzzy Hash: 09fbdf03d5057af7c0baefe28e41212c738b0cbee1359afca02736cbb94e9e45
Instruction Fuzzy Hash: D831F674A00109BFEB719A28DC44FAC7BACEB8A310F5882C3F6D5E61A1C631D5408752

Function 0103AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0103AB60
GetWindowRect.USER32(?,?), ref: 0103ABD6
PtInRect.USER32(?,?,0103C014), ref: 0103ABE6
MessageBeep.USER32(00000000), ref: 0103AC57

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 5e39b8c29cbb54844b0e43e839390b688e377466e572aacc8dece4a40ea1c632
Instruction ID: 644bf271036269954b4ac33043ea359047d44eac51e36e43ae3db332f94c6267
Opcode Fuzzy Hash: 5e39b8c29cbb54844b0e43e839390b688e377466e572aacc8dece4a40ea1c632
Instruction Fuzzy Hash: 0C417B30B1010DDFDB66DF58C884BA97BF9FB89300F1884A9E9D4EB256D731A841CB90

Function 01010AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 01010B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 01010B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 01010BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 01010BFB

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ff6cda3f6a61c7b6447490bc8b823ab39c3b60bb726aee1eab73af6caccbb221
Instruction ID: 6def4fdb444c2dfcfc9f54c03b418bb9dc31397a87246357080b70603ab24dbb
Opcode Fuzzy Hash: ff6cda3f6a61c7b6447490bc8b823ab39c3b60bb726aee1eab73af6caccbb221
Instruction Fuzzy Hash: 09314870E40308AEFB318E298845BFEBBE9BB45318F04429AF6C1521DDC37D85C09751

Function 01010C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 01010C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 01010C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 01010CE1
SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 01010D33

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a9372479da1e6ea101f4989bfdaf7c3b461736611a70be3800bdd74ac4f01315
Instruction ID: fb937c832d8bf2355666284c5e62551e01266df0e221275a8c76f6e9420a2331
Opcode Fuzzy Hash: a9372479da1e6ea101f4989bfdaf7c3b461736611a70be3800bdd74ac4f01315
Instruction Fuzzy Hash: 9031247090030CAEFB318B688804BFEBBAAAB49310F44429AF5C0521DDC33D95958B92

Function 00FE61C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00FE61FB
__isleadbyte_l.LIBCMT ref: 00FE6229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00FE6257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00FE628D

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 4bf2bae4a4a2403d8c55ee34f9625780393a586f44149fc612fe54b8fdd6549b
Instruction ID: 53fb6a1df81f498a20d2d0ff29f287929e2908ca9695134dfce13b9193a539dd
Opcode Fuzzy Hash: 4bf2bae4a4a2403d8c55ee34f9625780393a586f44149fc612fe54b8fdd6549b
Instruction Fuzzy Hash: 6931D231A0428AAFDF228F76CC44BAA7FA9FF523A0F154029F964C7191D731E950E790

Function 01034EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 01034F02

Part of subcall function 01013641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0101365B
Part of subcall function 01013641: GetCurrentThreadId.KERNEL32 ref: 01013662
Part of subcall function 01013641: AttachThreadInput.USER32(00000000,?,01015005), ref: 01013669

GetCaretPos.USER32(?), ref: 01034F13
ClientToScreen.USER32(00000000,?), ref: 01034F4E
GetForegroundWindow.USER32 ref: 01034F54

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 9241a42f3c1fe9da37efa3f6e63d3229b25daaf3a46340d9c11c012a926d61a5
Instruction ID: 9dc1f72851ecb2b69de22216090d595e90c43156dbf05b269e07fb5258c8e86a
Opcode Fuzzy Hash: 9241a42f3c1fe9da37efa3f6e63d3229b25daaf3a46340d9c11c012a926d61a5
Instruction Fuzzy Hash: 57312A72E00109AFDB10EFA6C8859EFB7FDEF99300F00446AE555E7241DA75AE058FA1

Function 0103C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB2612: GetWindowLongW.USER32(?,000000EB), ref: 00FB2623

GetCursorPos.USER32(?), ref: 0103C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00FEB9AB,?,?,?,?,?), ref: 0103C4E7
GetCursorPos.USER32(?), ref: 0103C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00FEB9AB,?,?,?), ref: 0103C56E

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 1789f463b2680188054c8d1d9f62d7544a077a1ef7f8a9392d761af9ed0092a0
Instruction ID: 43c6602c144975358fe01717f749037b60af3e559169941caa8c866c04bdac1d
Opcode Fuzzy Hash: 1789f463b2680188054c8d1d9f62d7544a077a1ef7f8a9392d761af9ed0092a0
Instruction Fuzzy Hash: 3331D735A00018AFEB65CF58C854EEA7FF9FB49310F04409AFA85E7291C7355950DF94

Function 01008656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0100810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 01008121
Part of subcall function 0100810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0100812B
Part of subcall function 0100810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0100813A
Part of subcall function 0100810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 01008141
Part of subcall function 0100810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01008157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 010086A3
_memcmp.LIBCMT ref: 010086C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 010086FC
HeapFree.KERNEL32(00000000), ref: 01008703

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 8040a3ad852bca10d4087949530ad2fac08f9fcefb4c3cbd288565d40be709ac
Instruction ID: 07cd30e23b733794041608e597af92be363d6d21f7a73096970effe571ebcc13
Opcode Fuzzy Hash: 8040a3ad852bca10d4087949530ad2fac08f9fcefb4c3cbd288565d40be709ac
Instruction Fuzzy Hash: 0C218D31E00109EBEB11DF98DD48BEEBBF8FF45314F05809AE585A7281D731AA05CB51

Function 00FD098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00FD09AE

Part of subcall function 00FB5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01017896,?,?,00000000), ref: 00FB5A2C
Part of subcall function 00FB5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01017896,?,?,00000000,?,?), ref: 00FB5A50

_fprintf.LIBCMT ref: 00FD09E5
OutputDebugStringW.KERNEL32(?), ref: 01005DBB

Part of subcall function 00FD4AAA: _flsall.LIBCMT ref: 00FD4AC3

__setmode.LIBCMT ref: 00FD0A1A

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 9099ff072536d0f7fce028bdb73a85e342a47036cbf8a3455fe91c0bb46baa45
Instruction ID: 2fe41aec494de1ef61cee56104cf6a1c7e975ed8b86a9ef45848e426d30fdc29
Opcode Fuzzy Hash: 9099ff072536d0f7fce028bdb73a85e342a47036cbf8a3455fe91c0bb46baa45
Instruction Fuzzy Hash: FF115B329081046FD704B3B49C46AFD77AA9F41320F1C005BF20567282EE3DA8427BA1

Function 01021767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 010217A3

Part of subcall function 0102182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0102184C
Part of subcall function 0102182D: InternetCloseHandle.WININET(00000000), ref: 010218E9

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 42e7305639344b398a957e2ee6b5c2a76304314ffef163da08b082d7d2b75317
Instruction ID: 843cfb94141c01a8ff7dc9c92f340d7d2a21bcae0b5f9f30cbd1437488e04d9c
Opcode Fuzzy Hash: 42e7305639344b398a957e2ee6b5c2a76304314ffef163da08b082d7d2b75317
Instruction Fuzzy Hash: 8421A131600616BFEB229F64DC40FBABBEDFF88710F10402AFA95D6650DBB2941197A1

Function 01013A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0103FAC0), ref: 01013A64
GetLastError.KERNEL32 ref: 01013A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 01013A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0103FAC0), ref: 01013ADF

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: f67f43462516ff06d28d10165eb4cfcff6036dc9e563fe7a3994ad82a00d3171
Instruction ID: 3dbe65cd6babba94d51c9336d91d2a3f0b26f70bb68997e85d2127e7792fa95f
Opcode Fuzzy Hash: f67f43462516ff06d28d10165eb4cfcff6036dc9e563fe7a3994ad82a00d3171
Instruction Fuzzy Hash: 462196759082029FC310EF29C8818AF7BE8BF45274F544A5DF4D9CB291D735D949CB82

Function 01035D11 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 01035D80
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01035D9A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01035DA8
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 01035DB6

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 5be0265f3bc552426de8f80354bf3f1f27a4438a7e5c3355d99ccc459f659a90
Instruction ID: 7fe1c1c006cbbb02d6940b56c86b3b66ec536152f784d5f16af7e28a90cea462
Opcode Fuzzy Hash: 5be0265f3bc552426de8f80354bf3f1f27a4438a7e5c3355d99ccc459f659a90
Instruction Fuzzy Hash: 3A11B131205101AFDB24AB25DC18FAA77ADEF86320F044218F956CB2E1CBA9AD01CB95

Function 00FE50E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FE5101

Part of subcall function 00FD571C: __FF_MSGBANNER.LIBCMT ref: 00FD5733
Part of subcall function 00FD571C: __NMSG_WRITE.LIBCMT ref: 00FD573A
Part of subcall function 00FD571C: RtlAllocateHeap.NTDLL(012B0000,00000000,00000001,00000000,?,?,?,00FD0DD3,?), ref: 00FD575F

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: f25b0f6acbdfc52d16c3e8e735caeb71db042117bee89d5868be11f69f325fb7
Instruction ID: e86e3db6afd3985d4856edfb39fef3af7b8833860fdf961ff2a44b4a24170af2
Opcode Fuzzy Hash: f25b0f6acbdfc52d16c3e8e735caeb71db042117bee89d5868be11f69f325fb7
Instruction Fuzzy Hash: A6110272D04A52AECF313F72AC05B9E379AAF40BB5F24452BF9449A250DE3DC841B790

Function 01026369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01017896,?,?,00000000), ref: 00FB5A2C
Part of subcall function 00FB5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01017896,?,?,00000000,?,?), ref: 00FB5A50

gethostbyname.WSOCK32(?), ref: 01026399
WSAGetLastError.WSOCK32(00000000), ref: 010263A4
_memmove.LIBCMT ref: 010263D1
inet_ntoa.WSOCK32(?), ref: 010263DC

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: b38cda8b163b1e985dae0aab74102c3a0eeef35322fc9080170f735fd68a8aa6
Instruction ID: b06767f86123bb3c012d96eeb0ab620ffa361897f03ff4a86750c4b131978ed4
Opcode Fuzzy Hash: b38cda8b163b1e985dae0aab74102c3a0eeef35322fc9080170f735fd68a8aa6
Instruction Fuzzy Hash: FA115E3190010AAFCB04FBA5DD46DEEB7BDAF18310B144065F945A7261DB39EE14DB61

Function 01008B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 01008B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01008B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01008B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01008BA4

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4c438d7165c4e6843603e0c443dcba9892a0c325cd8c387ff4f997ac5b394580
Instruction ID: 94a183e92f61198571b262f88aecbbd544942054a5d3413245731dc787454943
Opcode Fuzzy Hash: 4c438d7165c4e6843603e0c443dcba9892a0c325cd8c387ff4f997ac5b394580
Instruction Fuzzy Hash: BE114879D00218FFEB11DFA9C884FADBBB8FB48310F204096EA40B7290D6716E10DB94

Function 00FB1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00FB2612: GetWindowLongW.USER32(?,000000EB), ref: 00FB2623

DefDlgProcW.USER32(?,00000020,?), ref: 00FB12D8
GetClientRect.USER32(?,?), ref: 00FEB5FB
GetCursorPos.USER32(?), ref: 00FEB605
ScreenToClient.USER32(?,?), ref: 00FEB610

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 64861afea8f4deab167e5f500a1f8dd76fac9271dbb60b4d43406e8864a81e5d
Instruction ID: 9a41d0448544168f9daee94855a77bc92df497bebf269789a3b65b20b3530009
Opcode Fuzzy Hash: 64861afea8f4deab167e5f500a1f8dd76fac9271dbb60b4d43406e8864a81e5d
Instruction Fuzzy Hash: 09113A36A0001AEFCB14EFA9D895DEE77B8FB05301F900456FA41E7140C735BA51AFA5

Function 01011142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0100FCED,?,01010D40,?,00008000), ref: 0101115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,0100FCED,?,01010D40,?,00008000), ref: 01011184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0100FCED,?,01010D40,?,00008000), ref: 0101118E
Sleep.KERNEL32(?,?,?,?,?,?,?,0100FCED,?,01010D40,?,00008000), ref: 010111C1

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 50945ea1b55a39b76b65a3d2180058dd4cb674554e6af465928d0078cb9da942
Instruction ID: 28095d63ac922d49baf61f9f7bf293afdab4991a6db0bbed94f983e2ba09b842
Opcode Fuzzy Hash: 50945ea1b55a39b76b65a3d2180058dd4cb674554e6af465928d0078cb9da942
Instruction Fuzzy Hash: 70111831D40519DBCF149FA5E848BEEFBB8FB0A711F044045EA81B2249CB7995508BD6

Function 0100D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0100D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0100D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0100D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0100D897

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: cee682f8e3f56c0fd9ea73235bc8e690169636037675c5839394b4b48029ff54
Instruction ID: ad79f7959cf2628805d3396e16f96c708b8455b15136026d4cc01f7650e83810
Opcode Fuzzy Hash: cee682f8e3f56c0fd9ea73235bc8e690169636037675c5839394b4b48029ff54
Instruction Fuzzy Hash: 83116575A05305DBF7218FD0DD08F96BBBCEB00710F008559A699D6080D7B5E645DBB1

Function 00FE6FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00FE6FDB

Part of subcall function 00FE76C2: __fltout2.LIBCMT ref: 00FE76EB

__cftog_l.LIBCMT ref: 00FE7001
__cftoe_l.LIBCMT ref: 00FE7033

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 1b575abe3a15f25a165fd53454d26ffb3286a296f08d396fec78fb1d9ed074e0
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 2E014B7244828ABBCF166F85CC01CEE3F62BB283A5B588415FE1858031D336D9B1BB81

Function 0103B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0103B2E4
ScreenToClient.USER32(?,?), ref: 0103B2FC
ScreenToClient.USER32(?,?), ref: 0103B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0103B33B

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: fb3a6fd11e2e92e5a7b7f7b979a8ccf0d8191da149bb5e6610615d2a905c4400
Instruction ID: 41ef21b8f943d4cd94f180513308c6282c94c592dec779eb7dbee32df3a7f9fd
Opcode Fuzzy Hash: fb3a6fd11e2e92e5a7b7f7b979a8ccf0d8191da149bb5e6610615d2a905c4400
Instruction Fuzzy Hash: 7C1174B9D0020AEFDB51DFA9C4849EEBBF9FF08210F108156E954E3210D735AA559F51

Function 0103B635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0103B644
_memset.LIBCMT ref: 0103B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,01076F20,01076F64), ref: 0103B682
CloseHandle.KERNEL32 ref: 0103B694

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 91d30ef5e40761bfcae221ae2414c40e04c7f24d4eed15e51543db1b5afe75dd
Instruction ID: 995efe1c1f2824e2882fb237e7f05d77b1db2f53fc9f2616d7fd470743687c07
Opcode Fuzzy Hash: 91d30ef5e40761bfcae221ae2414c40e04c7f24d4eed15e51543db1b5afe75dd
Instruction Fuzzy Hash: 1FF089B19407007FF2203765AC06F7B3E9DEB09355F404011FA8AE6186D77B4C1097A9

Function 01016BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 01016BE6

Part of subcall function 010176C4: _memset.LIBCMT ref: 010176F9

_memmove.LIBCMT ref: 01016C09
_memset.LIBCMT ref: 01016C16
LeaveCriticalSection.KERNEL32(?), ref: 01016C26

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: ce8fa78508074accb8130855610f2bfed39439312226c06d8bc36c684a62f995
Instruction ID: dd34a1c0b7e27d2e1742cd964a9045f1cb316f62865e90be5dc105554ecccc8d
Opcode Fuzzy Hash: ce8fa78508074accb8130855610f2bfed39439312226c06d8bc36c684a62f995
Instruction Fuzzy Hash: CFF0543A100100ABCF016F55DC84E8ABB2AEF55320F08C051FE489E21AC776E911DBB5

Function 0103BD1C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00FB12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FB134D
Part of subcall function 00FB12F3: SelectObject.GDI32(?,00000000), ref: 00FB135C
Part of subcall function 00FB12F3: BeginPath.GDI32(?), ref: 00FB1373
Part of subcall function 00FB12F3: SelectObject.GDI32(?,00000000), ref: 00FB139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0103BD40
LineTo.GDI32(00000000,?,?), ref: 0103BD4D
EndPath.GDI32(00000000), ref: 0103BD5D
StrokePath.GDI32(00000000), ref: 0103BD6B

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 4b890d326ca279daeacaadfe2ec1fbb3a88006fd3d19d1347313c5f5f58487e7
Instruction ID: 64b0795984e8ad7aed0f3b711f43bf35c874b98f8f9985f570605ca7a41afad2
Opcode Fuzzy Hash: 4b890d326ca279daeacaadfe2ec1fbb3a88006fd3d19d1347313c5f5f58487e7
Instruction Fuzzy Hash: D1F05E3140125ABBDB226F59AC0EFCE3F9DAF06311F044040FA91650D5C77A5661DF96

Function 00FB2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00FB2231
SetTextColor.GDI32(?,000000FF), ref: 00FB223B
SetBkMode.GDI32(?,00000001), ref: 00FB2250
GetStockObject.GDI32(00000005), ref: 00FB2258
GetWindowDC.USER32(?,00000000), ref: 00FEBE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 00FEBE90
GetPixel.GDI32(00000000,?,00000000), ref: 00FEBEA9
GetPixel.GDI32(00000000,00000000,?), ref: 00FEBEC2
GetPixel.GDI32(00000000,?,?), ref: 00FEBEE2
ReleaseDC.USER32(?,00000000), ref: 00FEBEED

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 5a7e05b35902ad549138d5a01c2bac537084e8093981c208a5e4fc79a2b25abb
Instruction ID: 1b0d07f18cc1fbe3cbb1e8845c99ad1a7bde956e7d3c87267f010315f15ae482
Opcode Fuzzy Hash: 5a7e05b35902ad549138d5a01c2bac537084e8093981c208a5e4fc79a2b25abb
Instruction Fuzzy Hash: 9CE03031904185AADF215F65F80D7D83B15EB06332F008366FAA9480E5C7764580EB12

Function 01008712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0100871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,010082E6), ref: 01008722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,010082E6), ref: 0100872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,010082E6), ref: 01008736

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: ef5ba4e536cb1677d084fe6156a572708e88bf74776301de30543ff64cd1e229
Instruction ID: 89dc84ad3c052d80c9ae29f51c251762484c15262bbac48962911bcf9aa391e7
Opcode Fuzzy Hash: ef5ba4e536cb1677d084fe6156a572708e88bf74776301de30543ff64cd1e229
Instruction Fuzzy Hash: 70E08636E112129BE7705FB45D0CB567BACFF41791F048859B2C9C9089D739C051C751

Function 0100B2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0100B4BE

Strings

Container, xrefs: 0100B43B
AutoIt3GUI, xrefs: 0100B436

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 0a263804862e79c1692d2b506b759a3b8f71bfb3912a5c363b75633a6051d3ef
Instruction ID: d304e692fe653b79de06d74e7b9439176fa2a38fd6ce6d9a02b7ae2be09746f8
Opcode Fuzzy Hash: 0a263804862e79c1692d2b506b759a3b8f71bfb3912a5c363b75633a6051d3ef
Instruction Fuzzy Hash: AE916B746006019FEB55DF68C884B6ABBF9FF48711F1084AEE986CB291DB71E941CB50

Function 0101AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00FCFC86: _wcscpy.LIBCMT ref: 00FCFCA9

Part of subcall function 00FB9837: __itow.LIBCMT ref: 00FB9862
Part of subcall function 00FB9837: __swprintf.LIBCMT ref: 00FB98AC

__wcsnicmp.LIBCMT ref: 0101B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0101B0F6

Strings

LPT, xrefs: 0101B027

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 904543bcbb2600a2315c192e44b8a44d1bf77b07c7b3e36a09c65c58263f440c
Instruction ID: d10195d05db6afbe5da119324b69d265468fe854d50d8e1342301655c40c2b04
Opcode Fuzzy Hash: 904543bcbb2600a2315c192e44b8a44d1bf77b07c7b3e36a09c65c58263f440c
Instruction Fuzzy Hash: 5761C171A00215AFCB15DF98C891EEEB7F5EF08310F454099F956AB361D778AE40CB50

Function 00FC2957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00FC2968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00FC2981

Strings

@, xrefs: 00FC2975

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 3056c5524d0d6c7d277165504abd987835ee114c27e5e4ea58bffa3b99cfd294
Instruction ID: 1575f5272ce5997e3908c24e2c96a85622308a40a94cc08ad10fbbfe3f407817
Opcode Fuzzy Hash: 3056c5524d0d6c7d277165504abd987835ee114c27e5e4ea58bffa3b99cfd294
Instruction Fuzzy Hash: 0A5163724087449BD320AF11DC86BEFBBF8FB85340F81884CF2D881095EBB59569DB66

Function 01019734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00FB4F0B: __fread_nolock.LIBCMT ref: 00FB4F29

_wcscmp.LIBCMT ref: 01019824
_wcscmp.LIBCMT ref: 01019837

Strings

FILE, xrefs: 01019770

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 7182ea36b9d3dcc82b912f4845eba1b4d04c5a24cc174eedc3f2aa23864ca2fa
Instruction ID: 4263dfd0b41153c0c7434f1ab0c52b3117b3b7be74c1049da0cfc460f2125f00
Opcode Fuzzy Hash: 7182ea36b9d3dcc82b912f4845eba1b4d04c5a24cc174eedc3f2aa23864ca2fa
Instruction Fuzzy Hash: 5541D971A00209BADF219FA5CC55FEFBBFEDF85714F00006AF904A7285D675A9049B61

Function 0102258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0102259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 010225D4

Strings

|, xrefs: 010225A5

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 437a9e4c49f0d28178dbaecc18958b6b66fa2395347aa56c28547a708dbfef5b
Instruction ID: 738612db2475ab98d4d4d09dd947422781fcfc75dfc36ce542772c171179b765
Opcode Fuzzy Hash: 437a9e4c49f0d28178dbaecc18958b6b66fa2395347aa56c28547a708dbfef5b
Instruction Fuzzy Hash: 2D313971800219ABDF11EFA5CC89EEEBFB9FF08340F100059E954A6162EA355956EF60

Function 01037A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 01037B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01037B76

Strings

', xrefs: 01037ACA

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 4e3e3a8b64c0adba1d723eae7485c96bf30e2ab639e8b38fe341aa5baa78b546
Instruction ID: 68c72b1cabdef8ad5726ed3dfb1974c86faf249cc228b5677b36e16880455be2
Opcode Fuzzy Hash: 4e3e3a8b64c0adba1d723eae7485c96bf30e2ab639e8b38fe341aa5baa78b546
Instruction Fuzzy Hash: 9641FDB4A0160A9FDB54CF69C981BDABBF9FF49300F14016AEA44AB341D771A951CF90

Function 01036A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 01036B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 01036B53

Strings

static, xrefs: 01036AB3

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 32eea607ce9ef17f211c3ebb112a13d17060063304208df1bbb2974be715c16c
Instruction ID: f688ccb9fcb56f52d7cb8ff92abfeacd1ae132735dee7c98e5f04180966084f1
Opcode Fuzzy Hash: 32eea607ce9ef17f211c3ebb112a13d17060063304208df1bbb2974be715c16c
Instruction Fuzzy Hash: 1E31BE71200604AEEB119F69CC80BFB77ECFF89760F108619F9E597190DA36A891DB60

Function 010128A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01012911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0101294C

Strings

0, xrefs: 0101290A

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: e6933ba193d80e813560b36136bdaaba87f519e0c4adc1445e805b6f0e9dabea
Instruction ID: f66e860bda1cd2a0c6c3d387d5d224bb73ba3db788152daf9598d3498549f782
Opcode Fuzzy Hash: e6933ba193d80e813560b36136bdaaba87f519e0c4adc1445e805b6f0e9dabea
Instruction Fuzzy Hash: 8D31C331A003059BEB64CE5CCC45BAEBFFAEF45390F280059EAC5A71A4D7789540CB51

Function 010239E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 01023A66

Part of subcall function 00FB7DE1: _memmove.LIBCMT ref: 00FB7E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 01023A58
, $, xrefs: 01023AA6

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: ce6dd803738aa38be1d90d04ddf116d8aebd7a1476472ce93ca3d25566f12d14
Instruction ID: 65795519bf17a43d3ad0bd666779b8b23d758af7789d576732b1419d5b31c951
Opcode Fuzzy Hash: ce6dd803738aa38be1d90d04ddf116d8aebd7a1476472ce93ca3d25566f12d14
Instruction Fuzzy Hash: AB219170A00219ABCF10EF65CC81EEE7BB9BF88700F4444A9E545AF141DB38E945DF61

Function 010366D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 01036761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0103676C

Strings

Combobox, xrefs: 0103672E

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: a4dee7288a3e61aa1f470267367e7beb832608c044eec2998ce992d168a61f0b
Instruction ID: af0274b3757058774d171863a0633f3817e56ab16c3b1c64977642c00b69393a
Opcode Fuzzy Hash: a4dee7288a3e61aa1f470267367e7beb832608c044eec2998ce992d168a61f0b
Instruction Fuzzy Hash: A111E9712001087FEF128F18CC81EFB37AEFB89354F500119F59497291E6369D5087A0

Function 01036C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00FB1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FB1D73
Part of subcall function 00FB1D35: GetStockObject.GDI32(00000011), ref: 00FB1D87
Part of subcall function 00FB1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FB1D91

GetWindowRect.USER32(00000000,?), ref: 01036C71
GetSysColor.USER32(00000012), ref: 01036C8B

Strings

static, xrefs: 01036C4E

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: c662682df4c942da61fa85bcc381965e8e3fc765bcec377832ec9e10b2843e44
Instruction ID: 62aaf0d7c10b1129f18f4d94dc0308e9d42a286d555b8bbe77990e85ecc84cf9
Opcode Fuzzy Hash: c662682df4c942da61fa85bcc381965e8e3fc765bcec377832ec9e10b2843e44
Instruction Fuzzy Hash: 8A21177292020AAFDB14DFA8C845AFABBA8FB48314F004619F995D2240D636E850DB60

Function 01036920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 010369A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010369B1

Strings

edit, xrefs: 01036986

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 570e58c68c40d0034fc303891e1ec747f3cce1744d6b1a274e7285b7c40fabb1
Instruction ID: a723aa6093cf426e8c85acf7a55af0842be67057e80ec8fecbf3b96f8cdacefd
Opcode Fuzzy Hash: 570e58c68c40d0034fc303891e1ec747f3cce1744d6b1a274e7285b7c40fabb1
Instruction Fuzzy Hash: AE11BC71500209BBEB518E78DC40AEB3BADEB853B8F504719FAE1971D0C636DC51AB60

Function 010129AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01012A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 01012A41

Strings

0, xrefs: 01012A18

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 0d804649cb529bf57f2b27ecc95073c4d83acdcad6df619b4c311caa73979c39
Instruction ID: 155ed95c2a0a416046bff40ca4bbd9517804983aa787cfa8ba08676fe40d7298
Opcode Fuzzy Hash: 0d804649cb529bf57f2b27ecc95073c4d83acdcad6df619b4c311caa73979c39
Instruction Fuzzy Hash: DF11E633D01214ABEB70DB9CDC44BEE7BF9AB45200F644061EAD5F7294D778A906C791

Function 010221D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0102222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 01022255

Strings

<local>, xrefs: 0102221D

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 530ba139d4038c117cdcc392592a36c9efb5770b2eb9db7915228fef09df897c
Instruction ID: bcb035599a1d7026db469b845d90a940a7f30c3ce81df6ec52de00d3574f948a
Opcode Fuzzy Hash: 530ba139d4038c117cdcc392592a36c9efb5770b2eb9db7915228fef09df897c
Instruction Fuzzy Hash: 2511C670541235FADB258F958C89EBBFFACFF07651F00825AF99586400D2725558C6F1

Function 01027D8B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 01027FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,01027DB3,?,00000000,?,?), ref: 0102800D

inet_addr.WSOCK32(00000000), ref: 01027DB6
htons.WSOCK32(00000000), ref: 01027DF3

Strings

255.255.255.255, xrefs: 01027DCE

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: f34ca1dda8fffa659de12d7b41bd5a391774b1845875a0e07d45f4a361c5922f
Instruction ID: c62c42e9be45888d072eef19aac106f849f746588094af3a4c67dab40a4097da
Opcode Fuzzy Hash: f34ca1dda8fffa659de12d7b41bd5a391774b1845875a0e07d45f4a361c5922f
Instruction Fuzzy Hash: BE11A535500216ABDB21AF64CC85FFEB775FF24320F104556E9559B2D1DB72AC1087A1

Function 01008E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB7DE1: _memmove.LIBCMT ref: 00FB7E22

Part of subcall function 0100AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0100AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 01008E73

Strings

ListBox, xrefs: 01008E3D
ComboBox, xrefs: 01008E12

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 1114c938dcdcfd439ee6c9999b1a849e8797ce36a1f78261a8e17477f5b718e9
Instruction ID: 5dfbb85349abaa68b401545c0c7edb04b024ce6a10ecf801bb874296dd0fbed7
Opcode Fuzzy Hash: 1114c938dcdcfd439ee6c9999b1a849e8797ce36a1f78261a8e17477f5b718e9
Instruction Fuzzy Hash: 67014171A01219EBAF16FBA5CC418FE3768BF06360F040A0AF8A1572D1EE394C08DA50

Function 01008CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB7DE1: _memmove.LIBCMT ref: 00FB7E22

Part of subcall function 0100AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0100AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 01008D6B

Strings

ListBox, xrefs: 01008D35
ComboBox, xrefs: 01008D0A

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 486780aef75f7e736af46d01187605d425fc3d397a1eea77a104699af9dc334a
Instruction ID: cad13cf573d1e4300fc64c855065569e68304e3b071bcdcf55fd8fba48de36e4
Opcode Fuzzy Hash: 486780aef75f7e736af46d01187605d425fc3d397a1eea77a104699af9dc334a
Instruction Fuzzy Hash: 0701F771B41209ABEF16FBA1CD51EFF77ACDF15340F04011AB881672D1EA195E0C9671

Function 01008D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB7DE1: _memmove.LIBCMT ref: 00FB7E22

Part of subcall function 0100AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0100AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 01008DEE

Strings

ListBox, xrefs: 01008DBA
ComboBox, xrefs: 01008D8F

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: cd14824b6b3d0bfdb0915c33ab6ed337a9dba39ff4b175ef62408db0e53fa2ad
Instruction ID: f8a68f0db037a2383f76597a7dd7ec8244c462cfa071a2dea3c5d449fe976e6f
Opcode Fuzzy Hash: cd14824b6b3d0bfdb0915c33ab6ed337a9dba39ff4b175ef62408db0e53fa2ad
Instruction Fuzzy Hash: 7801F771B41209ABEF12F7A5CD41AFF77AC9F25340F04411BB882672D1DA198E08A671

Function 01014F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 01014F46
_wcscmp.LIBCMT ref: 01014F58

Strings

#32770, xrefs: 01014F52

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 1a7096514158a805ca33c42f0bb7284fea95f690994c58c9dd10ed413ddc035a
Instruction ID: 4d30c5d23cf48c4de45b505511bdf831ef19a0b6fe036029d1b6edbbd5ebbab6
Opcode Fuzzy Hash: 1a7096514158a805ca33c42f0bb7284fea95f690994c58c9dd10ed413ddc035a
Instruction Fuzzy Hash: DBE0D832A0032D2BE7309A9AAC49FA7F7ECEB45B70F01005BFD44D7145E6659A4587E1

Function 00FEB2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00FEB314: _memset.LIBCMT ref: 00FEB321

Part of subcall function 00FD0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00FEB2F0,?,?,?,00FB100A), ref: 00FD0945

IsDebuggerPresent.KERNEL32(?,?,?,00FB100A), ref: 00FEB2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00FB100A), ref: 00FEB303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00FEB2FE

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 34589ce51ffb75f4ce9be366b7d6e20f27871cbfbac435578029763b3bdcc990
Instruction ID: 38dc2a6c7dbd932eaca56365ce6e6d28690a8caf8a7caaea5c9069a74177675d
Opcode Fuzzy Hash: 34589ce51ffb75f4ce9be366b7d6e20f27871cbfbac435578029763b3bdcc990
Instruction Fuzzy Hash: 4DE06D74600341CFD7709F2AD5053877AE8AF00314F00892EE8C6C7741EBB9D404DBA2

Function 00FF1935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00FF1775

Part of subcall function 0102BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00FF195E,?), ref: 0102BFFE
Part of subcall function 0102BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0102C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00FF196D

Strings

WIN_XPe, xrefs: 00FF1788

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: b2d875118a2b628c6602fa6ccdbc9f9c1ed87edff0a2b390c1eee7e8fbd1aec2
Instruction ID: 1511bf6e70da660517f5fc2ab9833d96b9505b3273c1fb4b3c2fe0d1de0f31ba
Opcode Fuzzy Hash: b2d875118a2b628c6602fa6ccdbc9f9c1ed87edff0a2b390c1eee7e8fbd1aec2
Instruction Fuzzy Hash: 42F0A572C0010EDFDB25EB95C594BFDBBB8BF18311F640085E246A20A4DB764E88EF61

Function 01035964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0103596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 01035981

Part of subcall function 01015244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 010152BC

Strings

Shell_TrayWnd, xrefs: 01035967

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ab0b140a72d8561464d1b0f3150d90964bbdeb52f8f9f55e8c8f7fc7714593e9
Instruction ID: 0575cb27e27cd786b71f25ae2ef25977521ad57ce970b3bf703983fd3287597a
Opcode Fuzzy Hash: ab0b140a72d8561464d1b0f3150d90964bbdeb52f8f9f55e8c8f7fc7714593e9
Instruction Fuzzy Hash: CBD0C932784312B6E674AA709C0EFD77A18AB55B50F000829B3C9AE1D8C9E99800C754

Function 01035998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 010359AE
PostMessageW.USER32(00000000), ref: 010359B5

Part of subcall function 01015244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 010152BC

Strings

Shell_TrayWnd, xrefs: 010359A7

Memory Dump Source

Source File: 00000000.00000002.1531537875.0000000000FB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.1531475421.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.000000000103F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1531897332.0000000001064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532216258.000000000106E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1532245667.0000000001077000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_oEQp0EklDb.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ccfbd0023d86203456bb038a54b3fb109dd6205fedf1b7a80cf5dad814d63690
Instruction ID: 0d4a02350d20503e1cc244389c2e18bf1cf3f3e4460ad0f6b8c6dcf92c11f1cc
Opcode Fuzzy Hash: ccfbd0023d86203456bb038a54b3fb109dd6205fedf1b7a80cf5dad814d63690
Instruction Fuzzy Hash: 68D0C9327803127AE674AA709C0EFD77618AB55B50F000829B3C5EE1D8C9E9A800C755

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report oEQp0EklDb.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut17A.tmp

C:\Users\user\AppData\Local\Temp\totten

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
oEQp0EklDb.exe

Function 00FB3B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00FB49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00FB4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 01019155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00FB301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00FB3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00FB708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00FB3A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00FB3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00FB3766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 013011B8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00FB39D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01300F68 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151
fileCOMMON

Function 00FB407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Function 00FD541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre